EU GDPR Practitioner Course

IT Governance

GDPR Practitioner v1.1


© IT Governance Ltd 2016

Welcome
• Housekeeping

– Timings and breaks

– Fire/evacuation

– Mobile phones and other devices

– Security

Introductions

Name
Organisation
– What your organisation does
– What your part of the
organisation does
Role
Knowledge/experience
– DPA/GDPR
– Information security
Objectives

Getting the most out of this course

End of each session: check and confirm

• Queries?

• Understanding?

• Implementation?

EU GDPR Practitioner Course

• Course objectives:
– Enable delegates to fulfil the role of data protection officer (DPO) under the GDPR;
– Cover the regulation in depth, including implementation requirements;
– Cover necessary policies and processes;
– Cover important elements of effective data security management.

Case Study Introduction

Baratheon PLC

Baratheon PLC

• Rapidly growing internet marketing and optimisation specialists
• Started seven years ago as street research
• Developed new proprietary technologies and built market
share based around them
• Expanded into US, Europe and APAC
• Now looking to push into the Chinese market

Baratheon PLC

• Four sites:
– Main office near Regent’s Park in London, UK
o Majority of development, account management and sales
o All corporate support services
– Localised offices in:
o New York, US
o Paris, France
o Melbourne, Australia
o Variety of staff and hardware/software in each office, specific to the local market

The One Big Push

• One major client, Calamity Jane, wants to push into the Chinese market and Baratheon would like to help them do so.
• Baratheon is interested in acquiring a Chinese firm in the same sector.
• It also needs to ensure it is successful with its next round of funding.
• One of the key issues that needs to be addressed is how Baratheon can move into the market while ensuring that all client data will remain secure.

GDPR Practitioner Exam

• Certified GDPR Practitioner
• GASQ-accredited
• Four-day course
• Pass course exam
– 40 questions
– Multiple choice
– 90 minutes

IT Governance GDPR Training Pathway

IBITGQ: International Board for IT Governance Qualifications (www.ibitgq.org)
• Creates syllabus

GASQ – Certification Body
• ISO/IEC 17024 accredited
• Accredits trainers
• Examination body
• Successful candidate register: http://en.gasq.org/registration/successful-candidate-register.html

IT Governance Ltd: GRC One-Stop-Shop

IT Governance trainers are also practicing consultants

Course timetable

• Day 1: 09.30 – 17.00
• Day 2: 09.15 – 17.00
• Day 3: 09.15 – 17.00
• Day 4: 09.15 – approx 17.00
• There are morning and afternoon breaks at appropriate times, as well as a 45-minute lunch break

Day 1

1. What is personal data?
2. The role of the Data Protection Officer (DPO)
3. Accountability, the Privacy Compliance Framework and PIMS (Personal Information Management System)
4. Lessons from common data security failures
5. Understand each of the 6 Data Privacy Principles and how, in practical terms, to apply them - and to demonstrate compliance

Day 2

6. Security of personal data
7. Organizational risk management framework
8. Legal requirements for a DPIA (Data Protection Impact Assessment)
9. How to conduct a DPIA
10. Why and how to conduct a data mapping exercise

Day 3

11. The Rights of Data Subjects
12. Data subjects: giving and withdrawing consent
13. Handling Data Subject Access Requests
14. Roles of, and relationships between, controllers and processors
15. Personal data, international organizations, non-EEA states and the EU-US Privacy Shield

Agenda - Day 4

16. Incident response and data breach reporting
17. Enforcement, regulatory and compensatory issues
18. Transition to, and demonstrating compliance with, the GDPR

Approx 2.30 pm: Exam (90 minutes)

Session 1: Role of the DPO

At the end of this session delegates will be able to:

LG 2: Understand the role of the Data Protection Officer

Data protection officer - requirements

Article 37: Designation of the data protection officer

• Controllers and processors must designate a DPO in three situations:
– Where the processing is carried out by a public authority or body (except for courts acting in their judicial capacity);
– Where the core activities require regular and systematic monitoring of data subjects on a large scale;
– Where the core activities of the controller or processor involve large-scale processing of special categories of (sensitive) personal data, or of personal data relating to criminal convictions and offences.
• ‘Core activities’?
• ‘Large scale’?
Data protection officer – requirements (cont.)

Article 37: Designation of the data protection officer (cont.)

– A group of undertakings may appoint a single DPO, provided the DPO is easily accessible from each establishment
– Where the controller or processor is a public authority, a single DPO may be appointed for several such authorities, depending on their structure and size
– A DPO may represent categories of controllers and processors (e.g. designated by an association representing them)
– The DPO is designated on the basis of professional qualities and expert knowledge of data protection law and practice, but need not be legally qualified
– The DPO may be a staff member or may fulfil the role under a service contract
– The controller or processor must publish the DPO’s contact details and communicate them to the supervisory authority
– NB: All DPO appointments are subject to the same rules (Articles 37 to 39), whether mandatory or voluntary

Data protection officer – requirements (cont.)

Article 38: Position of the data protection officer

– Controller and processor must ensure proper and timely involvement of the DPO in all issues relating to the protection of personal data
– Controller and processor must support the DPO with the necessary resources
– DPO has a large degree of independence: receives no instructions on the exercise of the tasks and cannot be dismissed or penalised for performing them
– Protected role within the organisation
– Direct access to the highest management level
– Data subjects have clear access to the DPO
– Bound by secrecy or confidentiality in accordance with Union or Member State law
– No conflict of interest arising from additional tasks or duties

[Diagram: reporting structure showing C-Suite / Legal/Compliance, the DPO, and two Privacy Analysts]

Data protection officer – requirements (cont.)

Article 39: Tasks of the data protection officer:

– to inform and advise the controller or processor, and the employees who carry out processing, of their obligations;
– to monitor compliance with the Regulation, with other data protection provisions and with the controller’s or processor’s own policies (including assignment of responsibilities, awareness-raising, training and audits);
– to provide advice, where requested, on data protection impact assessments and to monitor their performance;
– to cooperate with the supervisory authority;
– to act as the contact point for the supervisory authority;
– in performing these tasks, to have due regard to the risk associated with processing operations (Article 39(2)).

Do we need a data protection officer?

• Are we required to appoint a DPO?
• If not, should we appoint a DPO?

Roles & responsibilities?

Privacy: who has oversight of our legal and regulatory obligations?
Privacy: who is responsible for ensuring we meet our legal obligations?
Who is responsible for ensuring we meet any contractual privacy and confidentiality obligations?
Who is responsible for contracts with data processors?
Who is responsible for identifying and managing privacy risks?
Who is responsible for identifying and managing information security risks?
Which single appointment can do most to keep us out of trouble in relation to privacy?

Job summary: data protection officer

• The DPO is a strategic role that develops, coordinates and manages an organisation’s privacy strategy;
• Ensures that operations and business practices adhere to applicable privacy laws;
• Ensures that privacy considerations and processes are incorporated into business practices.
• Q: Should there be a specific board member with accountability for the privacy strategy?
• Q: What relationship should the DPO have with professional legal advisers?

Data protection officers

• Where does the role sit within the organisation?
– The DPO should sit within a Risk, Compliance or Governance function
– The role is about ensuring compliance
– You can’t have compliance under the direction of a delivery or functional team
– Independent of the business, with direct access to the Board
– An effective DPO will ensure that privacy is regularly on the board agenda
– The DPO has to be able to work with key functional and line managers
o HR, IT, ISMS, QMS, BCMS
o Line-of-business managers

Role of the DPO?

• Ensure the organization achieves – and maintains – compliance with the GDPR

• OR

• Keep the organization out of GDPR trouble

Legal status of GDPR?

• It is already law (in force since 24 May 2016), but it does not apply until 25 May 2018
• Recital 10: ‘this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.’
• There are a number of areas awaiting Member State decisions – e.g. the age at which a child can consent to information society services (16 by default; Member States may lower it to not less than 13)
• There are a number of phrases which are somewhat inexact:
– ‘taking into account the state of the art’
– ‘appropriate technical and organizational measures’
• There is an existing body of law, developed around the DPA, which won’t automatically disappear the moment the Data Protection Directive (DPD) is replaced by the GDPR
• There is obviously not yet any case law around the GDPR
• This suggests that early compliance efforts may be inexact, and that flexibility, keeping abreast of developments and willingness to continually improve will be critical.

Achieve compliance?

• Many detailed areas of the GDPR are still subject to development
– WP29 2017 Action Plan
o In its 2017 Action Plan, the WP29 has committed to finalise its work on topics undertaken in 2016, including guidelines on certification, on processing likely to result in a high risk and Data Protection Impact Assessments (DPIAs), on administrative fines, and on the setting up of the European Data Protection Board (EDPB) structure
o In the 2017 Action Plan the WP29 has also committed to start its work with the production of guidelines on consent and profiling, and to continue in the second half of 2017 with guidelines on transparency. At the same time, the WP29 will work on the update of already existing opinions and referentials on data transfers to third countries and data breach notifications.
– In December 2016, WP29 adopted guidelines on:
o The right to data portability,
o Data protection officers (DPOs),
o The lead supervisory authority.
– What of CCTV, employee monitoring and online identifiers?
Your compliance journey

• GDPR compliance is a major change programme
• It needs:
– Top management attention
– Dedicated planning and implementation resource
– Financial support
– Significant culture change
• Many organizations are coming to grips with the need to address cyber security
• Many more have Brexit issues to address
• The time period to ‘GDPR means GDPR’ is shortening every day
• Can you be fully compliant by 25 May 2018? Should you?

Compliance environment: May 2018

• The most likely state of play:
– Inconsistent implementation of the GDPR across the EU, within countries and within sectors – some countries ahead, some behind
– Substantial numbers of organizations will not have completed compliance migrations – many won’t even have started
– A number of aggrieved, newly enfranchised data subjects will be interested in testing the extent of their new rights
– Cyber breaches will continue to happen – and continue to increase in number and severity
– Supervisory authorities will have incomplete enforcement capabilities and there will be inconsistency in response across the EU

Option 2: Keep the organization out of trouble!

• Two threat sources:
– Aggrieved data subjects
o Rights to make complaints, seek compensation
– Personal data breaches
o All personal data breaches have to be reported to the Supervisory Authority, unless…
• Prioritise:
– Governance
– Identifying what data you have – and on what grounds
– Eliminating data archives you don’t need/shouldn’t have
– Deploying compliant data subject documentation – privacy notices, subject access request processes
– Incident response and data breach reporting processes
– Cyber security: make breaches much less likely

Data protection officers

The realities of the role of the data protection officer

– Legal knowledge of data protection regulations is necessary but not enough
– Must be able to articulate privacy by design and by default to delivery functions
– Must also have information security knowledge and skills
o An understanding of how to deliver confidentiality, integrity and availability (C, I and A) within a management framework
o A good understanding of risk management and risk assessments
– Able to coordinate and advise on data breaches and notification
– Able to make a cyber security incident response process work
– Able to carry out and interpret internal audits against compliance requirements
– Familiarity with codes of conduct for the industry sector
– A good understanding of compliance standards and data marks
– Lead co-operation with the supervisory authority
– Communication skills

Data protection officers

The first 100 days:

1. Which resources are available to the DPO and where are they?
2. What is the reporting structure to ensure independence?
3. How do you get privacy onto the board agenda?
4. What are the key privacy issues in the organisation?
5. Who are the stakeholders of the organisation?
6. What is the applicable legislation for the organisation?
7. What are the appropriate information security standards?
8. What are the appropriate risk frameworks and methodologies?
9. What are the sectoral codes of conduct and how can they be implemented?
10. Which certifications should the organisation adopt?
11. Who is required to be trained across the organisation, and how?

Exercise

You are Baratheon’s newly appointed data protection officer.
How do you answer the first four questions?
1. Which resources are available to the DPO and where are they?
2. What is the reporting structure to ensure independence?
3. How do you get privacy onto the board agenda?
4. What are the key privacy issues in the organisation?

Session 1: Role of the DPO

• Queries?

• Understanding?

• Implementation?

Session 2: What is personal data?

At the end of this session delegates will be able to:

Learning Goal 0: Understand:
• The range and characteristics of personal data that is within scope of the GDPR

What is personal data?

• Article 4(1): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Exercise

Discussion: is it personal data?

• The tall, elderly man with a dachshund who lives at number 15 and drives a Porsche Cayenne.
• Data about the salary for a job.
• Bank statements or itemised telephone bills.
• A photograph of a crowd taken by a journalist, and the same photo but taken by a police officer.
• House values published on the internet.
• A medical history, a criminal record, or a record of a particular individual’s performance at work.
• Minutes of a meeting.

Genetic and biometric data

• Recital 34: Genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.
• Article 4(14): ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

Identifiers

• Recital 30: ‘Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.’
– IP addresses – both static and dynamic (for dynamic addresses see CJEU, Breyer v Germany, C-582/14, October 2016)

Anonymisation

• Recital 26: “The principles of data protection should … not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”
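The two slides above (online identifiers such as IP addresses, and Recital 26 on anonymous information) draw a line that is easy to get wrong in practice: replacing an identifier with a hash does not make data anonymous. The following is an added example and is not part of the IT Governance course material. The records, addresses and function names are the author’s own constructed illustrations; the /24 and /48 truncation widths and the age-band/postcode-district generalisation are illustrative choices, not GDPR requirements. It shows that an unkeyed hash of an e-mail address is reversed by anyone holding a list of candidate addresses, that a keyed HMAC is still pseudonymisation in the sense of Article 4(5) because the key is ‘additional information’, and that generalising the release (checked here with a k-anonymity count) is what moves a dataset towards the Recital 26 position.

```python
"""Pseudonymous vs anonymous: an unkeyed hash of an identifier is still personal data.

Added example for this course page (not IT Governance material). The records are
constructed sample data about fictional people; every function name is the author's.
"""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
from collections import Counter

# Constructed sample dataset: fictional people, documentation-range IP addresses.
RECORDS = [
    {"email": "alice@example.com", "ip": "203.0.113.17",  "age": 34, "postcode": "NW1 4RY", "spend": 120},
    {"email": "bob@example.com",   "ip": "203.0.113.42",  "age": 37, "postcode": "NW1 6XE", "spend": 80},
    {"email": "carol@example.com", "ip": "198.51.100.9",  "age": 52, "postcode": "NW1 5LR", "spend": 300},
    {"email": "dave@example.com",  "ip": "198.51.100.77", "age": 58, "postcode": "NW1 8QR", "spend": 45},
]


def naive_hash(email: str) -> str:
    """Unkeyed SHA-256 of an e-mail address. Deterministic, so anyone can recompute it."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def reidentify(hashed: list[str], candidate_emails: list[str]) -> dict[str, str]:
    """Dictionary attack: hash every candidate address and look the hashes up.

    Anyone holding a customer list (their own, a partner's, or a leaked one) can
    reverse an unkeyed hash this way, so the hashed column is not anonymous."""
    lookup = {naive_hash(e): e for e in candidate_emails}
    return {h: lookup[h] for h in hashed if h in lookup}


def pseudonymise(email: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 over the normalised address.

    Without the key the value cannot be recomputed from a candidate list, which
    defeats reidentify(). The key is 'additional information' in the sense of
    Article 4(5): while it exists, the output is pseudonymised personal data."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def truncate_ip(ip: str) -> str:
    """Coarsen an address to its /24 (IPv4) or /48 (IPv6) network address.

    Widths are the author's illustrative choice. This reduces identifiability
    of log data (Recital 30) but does not by itself make a log anonymous."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def generalise(record: dict) -> dict:
    """Drop direct identifiers and coarsen the quasi-identifiers that remain.

    Age becomes a ten-year band and the postcode its outward district; the
    non-identifying attribute (spend) is kept as-is."""
    return {
        "age_band": f"{record['age'] // 10 * 10}s",
        "postcode_district": record["postcode"].split()[0],
        "spend": record["spend"],
    }


def k_anonymity(records: list[dict], quasi_ids: tuple[str, ...]) -> int:
    """Smallest number of records sharing one combination of quasi-identifiers.

    k == 1 means at least one person is unique in the release and can be singled
    out by anyone who knows those attributes (the 'tall man at number 15' test)."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())


def demo() -> dict:
    """Run the three checks over the constructed records and return the results."""
    hashed = [naive_hash(r["email"]) for r in RECORDS]
    # The attacker's candidate list overlaps the dataset in one address only.
    recovered = reidentify(hashed, ["alice@example.com", "mallory@example.com"])
    return {
        "recovered": sorted(recovered.values()),
        "k_raw": k_anonymity(RECORDS, ("age", "postcode")),
        "k_generalised": k_anonymity([generalise(r) for r in RECORDS],
                                     ("age_band", "postcode_district")),
        "ip_example": truncate_ip(RECORDS[0]["ip"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as a script it reports the recovered address, k = 1 for the raw release and k = 2 for the generalised one. A k of 2 on four constructed records demonstrates the check, not a threshold; a real release needs a k chosen against the re-identification risk, and generalisation has to be applied to every quasi-identifier in the release, not only the ones shown here.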

Session 2: What is personal data?

• Queries?

• Understanding?

• Implementation?

Session 3: Accountability, Privacy Compliance Framework and PIMS

At the end of this session delegates will be able to:

Learning Goal 1: Understand:
• what a Privacy Compliance Framework is,
• how it helps meet GDPR compliance requirements, and
• the role that a PIMS can play.

The principle of Accountability

• Article 5: Principles relating to processing of personal data
• Article 5(2): “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

Accountability covers all six principles in Article 5(1):
1. Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency)
2. Collected for specified, explicit and legitimate purposes (purpose limitation)
3. Adequate, relevant and limited to what is necessary (data minimisation)
4. Accurate and, where necessary, kept up to date (accuracy)
5. Retained only for as long as necessary (storage limitation)
6. Processed in an appropriate manner to maintain security (integrity and confidentiality)

ICO on accountability

• “The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.”
• “The GDPR mandates organisations to put into place comprehensive but proportionate governance measures.”
• “It means a change to the culture of an organisation. That isn’t an easy thing to do, and it’s certainly true that accountability cannot be bolted on: it needs to be a part of the company’s overall systems approach to how it manages and processes personal data.”

• Speech to ICAEW, 17 January 2017

Comprehensive but proportionate governance measures?

• What is the difference between Governance and Management?
– “Corporate governance consists of the set of processes, customs, policies, laws and institutions affecting the way people direct, administer or control a corporation.” (Wikipedia)
– Governance is particularly important where owners and managers are different persons.
– Management “is the act of getting people together to accomplish desired goals and objectives using available resources efficiently and effectively.” (Wikipedia)
– Agency theory of management
• Governance ≠ Management

Principles of Good Governance

• Independence
• Openness and transparency
• Accountability
• Integrity
• Clarity of purpose
• Effectiveness
• An organization’s internal control system is the skeleton that
supports its governance framework

Internal control?

• COSO: the Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control – Integrated Framework
– Recommendations to management on how to evaluate, report on and improve control systems
– Comprehensive definition of internal control
• The COSO report defines internal control as:
– A process,
– Effected by an entity’s board of directors, management, and other personnel,
– Designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
o Effectiveness and efficiency of operations
o Reliability of financial reporting
o Compliance with applicable laws and regulations

Internal Control Components

• Components: The internal control system consists of five interrelated components:
– (1) control environment (general controls),
– (2) risk assessment,
– (3) control activities (specific controls),
– (4) information and communication, and
– (5) monitoring

Internal Control System

• COSO emphasizes that the internal control system is a tool of, but not a substitute for, management
– Controls should be built into, rather than built onto, operating activities;
– The report defines internal control as a process, and
– Recommends evaluating the effectiveness of internal control as of a point in time

What governance measures for GDPR?

– Board accountability
– Risk assessment and risk management strategy
– Risks to rights of data subjects on corporate risk register
– Defined roles and responsibilities with clear reporting lines
o DPO
o Line and functional leadership
– Corporate policy, supported by:
o Documented processes, procedures and practices
– Monitoring, auditing, reviewing and reporting on privacy compliance
– Disciplinary policy

Documented processes: the PIMS

[Diagram: the PIMS document set, shown as a grid of the following documents]
• Notification procedures; Data protection policy; Training and awareness programme
• Audit and compliance policy; Information management policy; Document and record control policy; Public trust charter; Information security policy
• Compliance standards; Data collection procedures (fair/lawful/adequate); Data quality procedures; Data subject access procedures; Risk management strategy
• Data use procedures; Data processor standards and agreements; Complaints procedures; Data retention and archive procedures; Security policies and procedures
• Internal audit procedures; System/data-specific procedures; Data disposal procedures; Privacy notices procedures
• Due diligence and third parties procedures; Third-party audit; Exchange agreements; Enforcement notices procedures

GDPR Practitioner v1.1


© IT Governance Ltd 2016

GDPR Practitioner v1.1


© IT Governance Ltd 2016 18
TM

PIMS – demonstrating compliance

• Recital 78: “In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.”
• Article 24(2): ‘Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.’
• Article 39(1)(b): It is a task of the DPO to ‘monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data.’

What is a policy?
• Policies are documents that define the objectives of an organisation.
• A policy is a statement of intent.
• Procedures outline what people must do in order to deliver the policy objectives.
• Guidelines provide advice on how to comply with policies and procedures.
• Policies are generally adopted by the Board or senior governance body within an organisation.
• NB: A ‘privacy policy’ published on a website reflects the overall corporate data protection policy. It should meet the requirements for privacy notices (Articles 13 and 14).

Data protection policies

• Policies must:
– Be capable of implementation and enforceable
– Be concise and easy to understand
– Balance protection with productivity
• Policies should:
– State reasons why policy is needed
– Describe what is covered by the policies
– Define contacts and responsibilities
– Include (at least one) objective
– Discuss how violations will be handled

Data protection policy document

Data protection policy - contents

– Organisation Name is committed to complying with data protection legislation and good practice including:
• processing personal information only where this is strictly necessary for legitimate organisational purposes;
• collecting only the minimum personal information required for these purposes and not processing excessive personal information;
• providing clear information to individuals about how their personal information will be used and by whom;
• only processing relevant and adequate personal information;
• processing personal information fairly and lawfully;
• maintaining an inventory of the categories of personal information processed by Organisation Name;
• keeping personal information accurate and, where necessary, up to date;
• retaining personal information only for as long as is necessary for legal or regulatory reasons or for legitimate organisational purposes;
• respecting individuals’ rights in relation to their personal information, including their right of subject access;
• keeping all personal information secure;
• only transferring personal information outside the EU in circumstances where it can be adequately protected;
• the application of the various exemptions allowable by data protection legislation;
• developing and implementing a PIMS to enable the policy to be implemented;

ICO: part of the overall systems approach?

• Data Protection by Design and by Default
• “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.” (Article 24(1))
• “Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures…designed to implement data-protection principles in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.” (Article 25(1))
• “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.” (Article 25(2))

What is a privacy compliance framework?

A privacy compliance framework links:
• The governance framework
• The PIMS
• The privacy principles
so that the organization can ensure it delivers privacy by design and by default.

Privacy compliance framework


Determine the scope:

• Personal data, other assets associated with information and


information processing facilities managed by the organisation.
• Services and support provided to clients.
• Information and personal data provided by clients.
• All staff and contractors under the control of organisation.
• Suppliers and third parties – particularly data processors.
Consider:
• material and territorial scope;
• interfaces and handoffs with other organisations;
• the information lifecycle of personal data.
The scope is set by the processing of personal data, not by the boundary of what the organisation directly controls: processors and third parties that handle the data are inside it.

Privacy compliance framework
Determine the objectives:
• Keeping personal data secure (confidentiality, integrity and availability)
• Protecting the rights of data subjects
• Compliance with relevant legislation and regulations
• Compliance with customer contracts (SLAs etc.)
• Reflect these objectives in the data security policy.

Privacy compliance framework
• Who should own the Privacy Compliance Framework?


• What are the typical issues encountered in establishing such
a framework?
• Pre-requisites for overcoming these issues?
– Top management support and buy-in
– Walk the walk, tone from the top
– Resources and investment committed to the project
– Privacy objectives included in JDs and performance objectives
– Competence, training and awareness
– Communication strategy

Key processes in the privacy compliance framework
• Compliance (has multiple procedures and work instructions) [PIMS]
– Identifying and implementing necessary privacy activities and controls
o Privacy notices, legal basis for processing, consent
o Individuals’ rights – erasure, portability, objection etc.
• Risk assessment [ISMS]
– Identifying, assessing and evaluating risks to the privacy of data subjects
– Data protection impact assessments
• Risk treatment [ISMS]
– Selecting, applying and monitoring controls to reduce risks to privacy
• Incident response and data breach reporting [ISMS]
– You will be breached
• Contract management
– If you contract with data processors or third parties in relation to personal data
• Data subject access requests
– You will have them; manage them effectively
• Staff awareness and internal communications
Sixth Principle
• Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
• Article 32 covers security requirements more extensively and needs to be considered alongside the sixth principle.

Interpretation – Sixth Principle
• The measures must:
– Ensure a level of security appropriate to the nature of the data and the harm
that might result from a breach of security
– Take account of state of technological developments and costs in doing so
• The data controller must take reasonable steps to ensure the
reliability of any employees who have access to the personal data
• Organisations need to:
– Design and organise security to fit the nature of the personal data held and
the harm that may result from a security breach
– Be clear about who in the organisation is responsible for ensuring
information security
– Make sure there is the right physical and technical security, backed up by
robust policies and procedures and reliable, well-trained staff and
– Be ready to respond to any breach of security swiftly and effectively

‘Appropriate measures’: independent standards for PIMS and ISMS
BS 10012:2017
• Privacy – Specification for a personal information management system
• Aligned with the GDPR: privacy policy, privacy by design, privacy impact assessment
• Currently no certification against this standard
ISO/IEC 27001:2013
• Information security management system
• Internationally recognised good-practice information security framework
• Accredited certification provides assurance to interested parties
Management systems can be integrated into a single management system with multiple certifications.

Exercise
In designing Baratheon’s privacy compliance framework,
1. What do you see as being the scope?
2. Apart from the employee personal data, identify two other forms of
personal data it appears to be processing.
3. What structure should you create for accountability?
4. Which inadequate process would you propose to tackle first?

Session 3: Accountability, Privacy Compliance Framework and PIMS
• Queries?
• Understanding?
• Implementation?

Session 4: Lessons from Common Data Security Failures
At the end of this session delegates will be able to:
LG 3: Identify common data security failures, their consequences and the lessons to be learned

Cyber crime: widespread
[Figure: cyber crime statistics. Source: BusinessWeek/Symantec]

General state of cyber security
• Global State of Information Security Survey 2015 (PwC)
– ‘Most organizations realise that cybersecurity has become a persistent,
all-encompassing business risk’
• ISBS 2015 (Information Security Breaches Survey, HM Government/PwC)
– 90% of large organizations suffered a data breach
– Median number of breaches: 14
– Average cost of the worst breach: £1.46m - £3.14m
– 50% of worst breaches were through human error
– 69% attacked by an unauthorized outsider
– 59% expect more security incidents next year than last

Data breaches in the UK
• January to March 2016 – 448 new cases
• Data Breaches by Sector
– Health (184)
– Local Government (43)
– Education (36)
– General Business (36)
– Finance, Insurance & Credit (25)
– Legal (25)
– Charitable & Voluntary (23)
– Justice (18)
– Land or Property Services (17)
– Other (41)
Source: UK Information Commissioner’s Office

Data breaches in the UK
• January to March 2016
• Data breaches by type
– Loss or theft of paperwork (74)
– Data posted or faxed to wrong recipient (74)
– Data sent by e-mail to wrong recipient (42)
– Webpage hacking (39)
– Failure to redact data (28)
– Insecure disposal of data (24)
– Loss or theft of unencrypted device (20)
– Information uploaded to web page (10)
– Verbal disclosure (7)
– Insecure disposal of hardware (2)
– Other principle 7 failure (128)
Source: UK Information Commissioner’s Office

ICO enforcement action and DPA principles
Count of enforcement actions against the DPA 1998 principles:
– 1 – Fairness and lawfulness: 2
– 3 – Proportionality: 1
– 5 – Data retention: 4
– 6 – Rights of individuals: 1
– 7 – Data security: 58
Source: ICO
ICO enforcement action – reasons
– Lack of training: 19%
– Lack of sufficient policy: 16%
– Unencrypted storage device lost/stolen: 13%
– Unsolicited marketing: 12%
– Misdirected communications: 10%
– Accidental theft or loss of data: 8%
– Cyber attack: 5%
– Inappropriate handling of data: 5%
– Public disclosure of sensitive data: 5%
– Inappropriate disposal of data: 2%
– Unlawful processing of data: 2%
– Excessive data held: 1%
– Processing not in line with rights: 1%
– Lack of sufficient contract: 1%
Source: ICO
ICO enforcement action: monetary penalties
– Unsolicited marketing: £610,000
– Hack / cyber attack: £450,000
– Unencrypted data lost or stolen: £385,000
– Misdirected communications: £315,000
– Public data breach: £310,000
– Lack of training/policy: £270,000
– Unlawful retention and inappropriate disposal: £100,000
– Inappropriate disposal: £100,000
Source: ICO

A closer look – lessons from common data security breaches
The Money Shop was fined £180,000 for failing to prevent two data breach incidents.

Lessons from common data security breaches
Incident one
A Money Shop store in Northern Ireland had a server stolen during an overnight burglary. The server was left overnight on a workstation near a locked fire escape, which the thief used to gain entry.

Lessons from common data security breaches
Incident two
During transportation between Money Shop headquarters and a store, a server was lost. The Money Shop had an encryption programme, but the data on this particular server had not been fully encrypted at the time of the loss.

Lessons from common data security breaches
Security wasn’t effective
Security was in place, but it was not effective.
Consider layered security:
– a locked door is a good start;
– add a second layer, such as a locked room or safe, or an anchoring device for the server.
An encryption policy and encryption software in place are a good start, but…
– verify adherence to the policy: a device that is “covered” by the encryption programme but not yet fully encrypted gives no protection when it is lost.

Lessons from common data security breaches
In the course of its investigation, the ICO determined that:
(1) The Money Shop routinely transported servers with unencrypted data on a weekly basis between its 521 stores and its headquarters;
(2) The Money Shop did not delete customers’ information when that information was no longer required; and
(3) in many stores, there was no secure area to store servers containing personal information overnight.

Lessons from common data security breaches
Phishing scam hits payroll company, exposing all clients’ W-2 data to criminals
http://www.dailydot.com/layer8/alpha-payroll-services-phishing-scam-w2-clients/
W-2 statements include an employee’s full name, postal address, Social Security number, wage and salary information, how much an employer deducted in taxes, and other employer information.

Exercise
Supervisory authority data breach exercise

Handouts

Massive data breaches
• www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Sony (2011)

• Beginning in April, Sony suffered multiple data breaches involving its PlayStation Network
(PSN), Qriocity, Sony Online Entertainment, and other sites.
• On Sunday, new revelations surfaced that Sony apparently also suffered another data
breach earlier this month, after hackers cracked Sony BMG's website in Greece. That
would make it the seventh data breach suffered by Sony since April 2011.
• In this breach, which occurred on May 5, attackers obtained information about more than
8,000 website users, according to The Hackers News, which received a copy of the
website's SQL database from "b4d_vipera," the hacker who took responsibility for the
breach.
• The attacker also leaked a sample of the purloined database--containing 450 records--to
Pastebin. It contains usernames, passwords for the Sony website, and email addresses.
Security experts recommend that anyone with a Sony BMG account in Greece immediately
change their Sony password, and any other uses of the same password online.
• The attacker said he exploited the Greek Sony website using a SQL injection attack against
the site, which was running Internet Information Server (IIS) 6.0 on Windows 2003. SQL
injection attacks, which exploit website databases that haven't been patched against
known vulnerabilities, are much favored by attackers, in part for their simplicity.
• "It's not something that requires a particularly skillful attacker, but simply the diligence to
comb through Sony website after website until a security flaw is found,"
• Clean up cost $171 million
Information Week
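Added example, not from the original slides and not code from any Sony system: the login query behind a SQL injection of the kind the excerpt above describes, shown in its injectable and its parameterised form. It runs in Python against an in-memory SQLite table of constructed sample accounts. Passwords are stored in clear only to mirror what the leaked sample contained; a real system must store salted password hashes. Note also that the defect exploited here is in how the application builds its query, not a missing database patch.

```python
import sqlite3

# Constructed sample accounts standing in for a website's user table.
# Passwords are stored in clear only to mirror the leaked data in the
# slide's example; production code must store salted password hashes.
SAMPLE_USERS = [
    ("alice", "s3cret-a", "alice@example.com"),
    ("bob", "s3cret-b", "bob@example.com"),
    ("carol", "s3cret-c", "carol@example.com"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Injectable: user input is spliced into the SQL text, so quotes and
    keywords typed by the user are parsed as part of the query."""
    sql = ("SELECT username, email FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Hardened: the statement text is fixed and the values travel as bound
    parameters, so the database never interprets them as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Two constructed attacker inputs.  TAUTOLOGY turns the WHERE clause into
# "... OR '1'='1'", matching every row; UNION_DUMP appends a second SELECT
# that returns the password column and comments out the rest of the query.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT username, password FROM users --"


def run_demo():
    """Run both login implementations against normal and hostile input and
    return the row lists so the outcomes can be compared."""
    conn = build_db()
    return {
        "vulnerable_normal": login_vulnerable(conn, "alice", "s3cret-a"),
        "vulnerable_tautology": login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY),
        "vulnerable_union": sorted(login_vulnerable(conn, UNION_DUMP, "x")),
        "safe_normal": login_safe(conn, "alice", "s3cret-a"),
        "safe_tautology": login_safe(conn, TAUTOLOGY, TAUTOLOGY),
        "safe_union": login_safe(conn, UNION_DUMP, "x"),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name:22s} -> {len(rows)} row(s): {rows}")
```

Run it and the injectable version logs in as every account for the tautology payload and hands back the whole username/password table for the UNION payload, while the parameterised version returns nothing for either. The bound-parameter query is the fix; escaping user input by hand, or filtering for keywords, is not a substitute.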

Sony (2014)
• On November 25, a new chapter was added to the chronicles of data theft
activity. A group calling itself GOP or The Guardians Of Peace, hacked their way
into Sony Pictures, leaving the Sony network crippled for days, valuable insider
information including previously unreleased films posted to the Internet, and
vague allegations it all may have been done by North Korea in retribution for the
imminent release of an upcoming movie titled “The Interview”.
• While politically motivated attacks and theft of intellectual property is nothing
new, this incident certainly stands out for several reasons. First, via a Pastebin
link, the group released a package and links to torrent files hosted on four sites
consisting of 26 parts, broken out into 25 1GB files, and one 894 MB rar file. The
files were also uploaded to the file sharing giants MEGA and Rapidgator, but
removed by site managers shortly after. The researchers at RBS were able to
access the files and analyze the content prior to the information going off-line,
as well as reach out to GOP.
• The results of the analysis provide unprecedented insight into the inner workings
of Sony Pictures and leaked the personal information of approximately 4,000
past and present employees. As if the sensitive employee information wasn’t
troubling enough, the leak also revealed curious practices at Sony, such as
money orders used to purchase movie tickets that were apparently re-sold back
to Sony staff.

www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack/

Target: timeline to resignation
• 27/11/13 – 15/12/13: Target is hacked; card-stealing malware runs on point-of-sale systems in 1,800 bricks-and-mortar stores
– Initial network access probably gained through a compromised HVAC supplier
• 18/12/13 – investigative reporter breaks the story
• 19/12/13 – Target admits the breach: 40 million records compromised
• 27/12/13 – Target reveals that encrypted PINs were accessed
• 10/1/14 – Target reveals that PII of another 70 million customers was accessed
• Financial impact: revenue down 5%, profits down 50%
• “Target officials have acknowledged that warning signs of computer hacking had been
missed in the weeks before the breach was made public.” The Guardian
• Feb 2014: CFO apologises to Congress: “We have already begun taking a number of steps
to further enhance data security, putting the right people, processes and systems in place.”
• March 2014: CIO resigns
• May 2014: CEO resigns

The data breach at Target that affected 70 million US consumers has cost the retail giant $162 million in 2013 and 2014,
and could end up totaling $1 billion or more in damages before all is said and done.
During its fourth-quarter earnings call, the big-box behemoth said that it booked $4 million related to the breach in Q4,
and $191 million in gross expenses for 2014. It also spent $61 million gross for 2013.
While the gross expenses were in part offset by insurance receivables ($46 million for 2014 and $44 million for 2013),
the losses look to only mount, as lawsuits begin to be filed. Plaintiffs were given the go-ahead for class-action litigation
by a judge in January. (Infosecurity Magazine)

TalkTalk
• TalkTalk lost a third of its value in the wake of the hack, which analysts have
suggested could leave it wide open to a takeover by other quad-play providers.
The company originally came out of Carphone Warehouse in 2003 before being
demerged in 2010 to become one of the biggest LLU telecoms providers in the
UK.
• The high-profile cyber attack, which began on 21 October, appears to have
been the result of a heist masked by a distributed denial-of-service attack
(DDoS).
• Some 28,000 credit and debit card details were stolen, 15,656 bank account
numbers and sort codes were accessed, and around 15,000 dates of birth were
also pinched.
• This adds to the 1.2 million email addresses, names and phone numbers that
were also taken. The credit and debit card details were partially obscured and
are of no use for financial transactions, but the 15,656 bank account details
could be used in cyber theft.
www.theinquirer.net/inquirer/news/2431728/talktalk-ddos-hack-leaves-four-million-customers-at-
risk
• Fourth breach in 12 months
• Reportedly not PCI DSS-compliant

Reality: cyber disconnect
• Most organizations are ‘confident’ in their cyber defences
• 70% of organizations say:
– Cyber security completely embedded in their processes
– Cyber security a board-level concern, with top executive focus
• However:
– Organizations face 100+ targeted attacks per year
– 1/3 are successful – that’s 2 or 3 per month!
– Most breaches are discovered by outsiders!

(Accenture: Facing the Cybersecurity Conundrum 2016)

Key lessons
• You can have the most compliant documentation (PIMS) in the world and still, without an effective ISMS, be massively breached, incurring reputational damage, data subject actions and significant administrative penalties.
• Genuine top management engagement is essential
• DPOs must be able to pro-actively engage with cyber security
teams
• A business risk-based ISMS, customised to incorporate data
privacy impact assessments and data protection by design
and by default is an essential component of the Privacy
Compliance Framework.

Exercise
In considering Baratheon’s privacy protection measures,
1. Identify one specific area where you might guess personal data of
Baratheon staff is inadequately protected;
2. Identify one change in reporting arrangements you might recommend
in order to get a better management focus on information security.

Session 4: Lessons from Common Data Security Failures
• Queries?
• Understanding?
• Implementation?

Session 5: The Six Data Privacy Principles
At the end of this session delegates will be able to:
LG 4: Understand each of the six data privacy principles and how, in practical terms, to apply them – and to demonstrate compliance

The six privacy principles
1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and, where necessary, kept up to date
5. Retained only for as long as necessary
6. Processed in an appropriate manner to maintain security
Accountability (Article 5(2)) sits over all six: the controller is responsible for, and must be able to demonstrate, compliance with them.

First Principle
Recitals 38, 40-50, 59; Articles 6-10
• Personal data shall be processed lawfully, fairly and in a transparent manner and, in particular, shall not be processed unless:
– (a) at least one of the conditions in Article 6 is met; and
– (b) in the case of special categories of personal data (‘sensitive personal data’), at least one of the conditions in Article 9 is also met
(‘lawfulness, fairness and transparency’)

First Principle
Recitals 38, 40-50, 59; Articles 6-10
• In practice, this principle means that you must:
– Have legitimate grounds for collecting and using the personal data
– Not use the data in ways that have unjustified adverse effects on the
individuals concerned
– Be transparent about how you intend to use the data, and give
individuals appropriate privacy notices when collecting their personal
data
– Handle people’s personal data only in ways they would reasonably
expect and
– Make sure you do not do anything unlawful with the data

Interpretation – First Principle
Recitals 38, 40-50, 59; Articles 6-10
• Processed ‘fairly’ includes consideration of how data were
obtained – Articles 13 and 14
– Data controller identified
– Data subject must be given information about how information will be
processed
– Must be no deception as to purpose
– Any further information to make sure the processing is fair:
o e.g. any intended disclosure to third parties
• Lawful – must meet an Article 6 condition for processing personal data
• Lawful – must also meet an Article 9 condition if the data are special categories (‘sensitive’) of personal data

Article 6: Lawfulness of processing
• Processing is lawful only if at least one of the following conditions is met:
– The data subject has given consent to the processing for one or more specific purposes;
o More on consent in section 12
– Processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the data subject’s request before entering into a contract;
– Processing is necessary to comply with a legal obligation of the controller;
– Processing is necessary to protect the vital interests of the data subject or of another natural person;
– Processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller;
– Processing is necessary for the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject (this condition is not available to public authorities acting in the performance of their tasks).

Article 9: Processing of special categories of personal data
• Processing of special categories is prohibited unless one of the exceptions applies:
– The data subject has given explicit consent (unless Union or Member State law provides that consent cannot lift the prohibition);
– It is necessary for the controller’s or data subject’s obligations and rights under employment, social security or social protection law;
– It is necessary to protect the vital interests of the data subject or another person, where the data subject is physically or legally incapable of giving consent;
– Processing is carried out by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, in relation to its members or people in regular contact with it, and without disclosure outside the body unless the data subject consents;
– The personal data have manifestly been made public by the data subject;
– It is necessary for the establishment, exercise or defence of legal claims;
– It is necessary for reasons of substantial public interest, on the basis of Union or Member State law;
– It is necessary for preventive or occupational medicine, medical diagnosis, or the provision or management of health or social care, on the basis of law or a contract with a health professional;
– It is necessary for reasons of public interest in the area of public health;
– It is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
– A Member State may maintain or introduce further conditions, including limitations, for genetic, biometric or health data (Article 9(4)).

Section 2: Information and access to personal data
Article 13(1): Information to be provided where personal data are collected from the data subject
• When obtaining personal data, the controller shall provide the data subject with all of the following information:
– the identity and contact details of the controller and, where applicable, of the controller’s representative;
– the contact details of the data protection officer, where applicable;
– the purposes of the processing as well as the legal basis for the processing;
– where processing relies on legitimate interests, the legitimate interests pursued by the controller or by a third party;
– the recipients or categories of recipients of the personal data, if any;
– where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation, and the existence or absence of an adequacy decision or a reference to the appropriate safeguards relied on.

Section 2: Information and access to personal data
Article 13(2): When obtaining personal data the controller shall provide the data subject with the following further information to ensure fair and transparent processing:
– the period for which the data will be stored or, if that is not possible, the criteria used to determine that period;
– the rights of access, rectification, erasure, restriction of processing, objection and data portability;
– where processing is based on consent, the right to withdraw consent at any time (without affecting the lawfulness of processing carried out before withdrawal);
– the right to lodge a complaint with a supervisory authority;
– whether providing the data is a statutory or contractual requirement, whether the data subject is obliged to provide them, and the possible consequences of failing to do so;
– the existence of automated decision-making, including profiling, with meaningful information about the logic involved and the significance and envisaged consequences for the data subject.

Section 2: Information and access to personal data
Article 14: Information to be provided where the personal data have not been obtained from the data subject
• Where personal data have not been obtained directly from the data subject, the controller must provide the following within a reasonable period and at the latest within one month (or at the first communication with the data subject, or the first disclosure to another recipient, if earlier):
– the identity and contact details of the controller and, where applicable, of the controller’s representative;
– the contact details of the data protection officer, where applicable;
– the purposes as well as the legal basis of the processing;
– the categories of personal data concerned;
– the recipients or categories of recipients of the personal data, where applicable;
– the source of the personal data and, if applicable, whether it came from publicly accessible sources;
– where applicable, the intended transfer to a third country or international organisation and the existence or absence of an adequacy decision or a reference to the appropriate safeguards relied on.

Exercise
• Determine key points in a Privacy Notice for Baratheon
clients purchasing software through its e-commerce
gateway

Second Principle
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);

Second Principle
• In practice, the second data protection principle means that you must:
– Be clear (‘explicit’) from the outset about why you are collecting
personal data and what you intend to do with it
o Phrases like ‘and associated purposes’ or ‘to meet business requirements’ fail the
explicitness test
– Comply with the Article 13 requirements – including the duty to give
privacy notices to individuals when collecting their personal data
– Ensure that if you wish to use or disclose the personal data for any
purpose that is additional to or different from the originally specified
purpose, the new use is compatible with the original specified purpose.

Interpretation – Second Principle
• Purposes may be specified
– in a notice given in accordance with Article 13 requirements
• In deciding whether a disclosure can be made, consideration must be given to
– The purposes for which it will be used after disclosure
– Whether the data subject is aware of the disclosure and what original
purposes were specified

Second Principle – Example
A GP discloses his patient list to his wife, who runs a travel
agency, so that she can offer special holiday deals to patients
needing recuperation. Disclosing the information for this
purpose would be incompatible with the purposes for which it
was obtained.

Third Principle
• Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)

Interpretation – Third Principle
• Data must be the minimum necessary for fulfilling the purpose for which you are processing them:
– “Why do I need that data?”
– “How am I going to use it?”
• Do not collect information you do not need
– Just in case
• Data must be adequate for the purpose:
– Must be fit for the job in hand

Third Principle – Example
Baratheon’s recruitment agency places workers in a variety of jobs.
It sends applicants a general questionnaire, which includes specific questions about health conditions that are only relevant to particular manual occupations.
• It would be irrelevant and excessive to obtain such information from an individual applying for an office job at Baratheon.
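Added example, not part of the original course material: one way to enforce the third principle in code for a questionnaire like the one above. The role types, field names and the submission itself are constructed for the example. Collection is keyed to the stated purpose: fields outside that purpose’s allowlist are dropped, required fields that are absent are reported (the ‘adequate’ half of the principle), any Article 9 field that survives is flagged so the extra condition can be applied, and an unrecognised purpose collects nothing, which is the Article 25(2) default.

```python
# Purpose-keyed allowlists for the recruitment questionnaire.  Role types,
# field names and the sample submission are constructed for this example.
ALLOWED_FIELDS = {
    "office_role": {"name", "email", "phone", "cv", "right_to_work"},
    "manual_role": {"name", "email", "phone", "cv", "right_to_work",
                    "lifting_capacity", "relevant_health_conditions"},
}

# Fields without which the application is not 'adequate' for the purpose.
REQUIRED_FIELDS = {
    "office_role": {"name", "email", "cv", "right_to_work"},
    "manual_role": {"name", "email", "cv", "right_to_work",
                    "relevant_health_conditions"},
}

# Article 9 data: permitted only where the purpose justifies it, and flagged
# so the caller can apply the extra Article 9 condition and safeguards.
SPECIAL_CATEGORY_FIELDS = {"relevant_health_conditions"}


def minimise(submission, purpose):
    """Keep only the fields the purpose permits and report what was dropped,
    what required data is missing, and which kept fields are special-category.
    An unknown purpose has no allowlist, so nothing is kept (default deny)."""
    allowed = ALLOWED_FIELDS.get(purpose, set())
    required = REQUIRED_FIELDS.get(purpose, set())
    kept = {k: v for k, v in submission.items()
            if k in allowed and v not in (None, "")}
    return {
        "kept": kept,
        "dropped": sorted(k for k in submission if k not in allowed),
        "missing": sorted(required - set(kept)),
        "special_category": sorted(set(kept) & SPECIAL_CATEGORY_FIELDS),
    }


# A constructed submission that fills in the whole general questionnaire,
# including a field no role needs at all.
SAMPLE_SUBMISSION = {
    "name": "A. Applicant",
    "email": "applicant@example.com",
    "phone": "01234 567890",
    "cv": "cv.pdf",
    "right_to_work": "passport",
    "lifting_capacity": "25 kg",
    "relevant_health_conditions": "back injury 2015",
    "marital_status": "married",
}


if __name__ == "__main__":
    for purpose in ("office_role", "manual_role", "unspecified"):
        print(purpose, minimise(SAMPLE_SUBMISSION, purpose))
```

The gate does the dropping before anything is stored, so the health answers given by an office applicant never reach the database; the report of what was dropped is what you keep to show the questionnaire is being trimmed to purpose. The same shape works for a web form, an API payload or an import job.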


Fourth Principle
• Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)

Interpretation – Fourth Principle
• To comply with these provisions you should:
– Take reasonable steps to ensure the accuracy of any personal data
you obtain
– Ensure that the source of any personal data is clear
– Carefully consider any challenges to the accuracy of information and
– Consider whether it is necessary to update the information
• There are regular examples of marketing companies, social
services, local authorities, etc using outdated contact
information.
• What steps should you take to keep up-to-date information of
past employees?
• How do you ensure that customer information on your CRM
system or webshop is still accurate?

Fourth Principle – Example
An individual is dismissed for alleged misconduct.
• An Employment Tribunal finds that the dismissal was unfair
and the individual is reinstated.
• The individual demands that the employer deletes all
references to misconduct.
• However, the record of the dismissal is accurate. The
Tribunal’s decision was that the employee should not have
been dismissed on those grounds. The employer should
ensure its records reflect this.

Fifth Principle
• Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
• personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.

Interpretation – Fifth Principle
• In practice, it means that you will need to:
– Review the length of time you may lawfully keep personal data
– Consider the legitimacy of purpose or purposes for which you hold the
information in deciding whether (and for how long) to retain it
– Securely delete information that you are not holding lawfully or
legitimately
– Update, archive or securely delete information if it goes out-of-date
• How much out-of-date information do you currently hold in
your organizations?
• What types of information is it?
• What are you going to do about it? (Before 25 May 2018)

Fifth Principle – Example
Images from a CCTV system installed to prevent fraud at an ATM may need to be retained for several weeks, since a suspicious transaction may not come to light until the victim gets their bank statement.
In contrast, images from a CCTV system in a pub may only need to be retained for a short period because incidents will come to light very quickly. However, if a crime is reported to the police, the images will need to be retained until the police have had time to collect them.
NB: CCTV images are personal data, and the controller must have a lawful basis for collecting the data, will probably need to appoint a DPO and will probably need to carry out a DPIA.
There is a CCTV Code of Practice – see the ICO.

Exercise
• Review two contrasting website privacy policies (privacy notice statements) and identify how each meets the requirements of the first five principles of the GDPR.


Sixth Principle

• Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘technical and organisational measures’)


Interpretation – Sixth Principle

• The measures must:
– Ensure a level of security appropriate to the nature of the data and the harm that might result from a breach of security
– Take account of the state of technological developments and the costs of doing so
• The data controller must take reasonable steps to ensure the reliability of any employees who have access to the personal data


Interpretation – Sixth Principle

• Organisations need to:
– Design and organise security to fit the nature of the personal data held and the harm that may result from a security breach
– Be clear about who in the organisation is responsible for ensuring information security
– Make sure there is the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff, and
– Be ready to respond to any security incident swiftly and effectively


Pseudonymisation

• Definition: ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.’ (Article 4)
• Recital 26: ‘Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.’
• Recital 26: ‘To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used … account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.’

Encryption

• Article 33: Do not have to report breaches that do not result in risk to rights and freedoms…
• Article 34: Do not have to report breaches to data subjects if the data was encrypted
• ICO on encryption: “The Information Commissioner has formed the view that in future, where such losses occur and where encryption software has not been used to protect the data, regulatory action may be pursued.”
• Databases and email
• Current encryption standards: FIPS 140-2, FIPS 197
• Hashing is not encryption – the underlying data can be rebuilt
• https://ico.org.uk/for-organisations/guide-to-data-protection/encryption/implementing-encryption/
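As an added example (my code, not from the course or the ICO guidance linked above), the Python below shows what the Article 4 definition of pseudonymisation on the previous slide asks for in practice, and why the point that hashing is not encryption matters: a bare SHA-256 of a short customer number can be mapped back to the number by enumerating all 10,000 possible values, whereas an HMAC token whose key and token-to-identifier mapping are held separately can only be attributed to a person by whoever holds that additional information. The customer records, identifiers and key are constructed for the illustration.

```python
"""Added example, not part of the course material: keyed pseudonymisation
versus bare hashing of a low-entropy identifier.

Sample records, identifiers and the key are constructed for the example;
nothing here is taken from a real system.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample data: 4-digit customer numbers, so only 10,000 possible values.
RECORDS: List[Dict[str, object]] = [
    {"customer_id": "0417", "postcode": "SW1A 1AA", "spend_gbp": 120},
    {"customer_id": "2983", "postcode": "M1 1AE", "spend_gbp": 75},
]
ID_SPACE = [f"{i:04d}" for i in range(10_000)]


def bare_hash_token(customer_id: str) -> str:
    """Unkeyed SHA-256: anyone can recompute it from a guessed identifier."""
    return hashlib.sha256(customer_id.encode()).hexdigest()


def invert_bare_hash(token: str) -> Optional[str]:
    """Why bare hashing is not pseudonymisation for a small identifier space:
    precomputing every possible hash and looking the token up is cheap
    (Recital 26: 'the costs of and the amount of time required').
    Returns the original identifier, or None if the token is not a bare hash
    of anything in the identifier space."""
    table = {bare_hash_token(cid): cid for cid in ID_SPACE}
    return table.get(token)


def new_key() -> bytes:
    """The 'additional information' of Article 4: generated once and held
    separately from the pseudonymised data set (e.g. in a key vault)."""
    return secrets.token_bytes(32)


def keyed_token(key: bytes, customer_id: str) -> str:
    """HMAC-SHA256 token. Without the key the lookup table above cannot be
    built, so the token cannot be linked back to the identifier."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()


def pseudonymise(
    key: bytes, records: List[Dict[str, object]]
) -> Tuple[List[Dict[str, object]], Dict[str, str]]:
    """Replace identifiers with keyed tokens. Returns the pseudonymised
    records (what analysts receive) and the token->identifier mapping, which
    must be stored separately under its own access controls."""
    pseudonymised: List[Dict[str, object]] = []
    mapping: Dict[str, str] = {}
    for rec in records:
        cid = str(rec["customer_id"])
        tok = keyed_token(key, cid)
        mapping[tok] = cid
        pseudonymised.append({**rec, "customer_id": tok})
    return pseudonymised, mapping


def reidentify(mapping: Dict[str, str], token: str) -> Optional[str]:
    """Only the holder of the separately stored mapping (or the key) can
    attribute a record to a data subject again."""
    return mapping.get(token)


if __name__ == "__main__":
    weak = bare_hash_token("0417")
    print("bare hash inverted to:", invert_bare_hash(weak))
    key = new_key()
    safe_records, lookup = pseudonymise(key, RECORDS)
    tok = str(safe_records[0]["customer_id"])
    print("keyed token inverted without the key:", invert_bare_hash(tok))
    print("re-identified via the separate mapping:", reidentify(lookup, tok))
```

The same table attack works against any unkeyed hash of a value drawn from a small or guessable set (phone numbers, dates of birth, National Insurance numbers), which is why a hashed identifier on its own does not meet the ‘kept separately’ condition: the identifier space itself is the additional information.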

Exercise
• Recommend some controls Baratheon should mandate
to protect personal data in the following scenarios:
– Outsourcing its global payroll data to a third party payroll
processor
– Using a third party to create custom-built CRM-type application
software components for its main web technology solution


Session 5: The Six Data Privacy Principles

• Queries?

• Understanding?

• Implementation?


Day 1: The Course?

• Queries?

• Understanding?

• Implementation?


EU GDPR
Practitioner Course
DAY 2
IT Governance


Day 2

6. Security of personal data
7. Organizational risk management framework
8. Legal requirements for a DPIA (Data Privacy Impact Assessment)
9. How to conduct a DPIA
10. Why and how to conduct a data mapping exercise


Session 6: Security of personal data

At the end of this session delegates will be able to:

LG 4: Understand each of the 6 Data Privacy Principles and how, in practical terms, to apply them – and to demonstrate compliance


Article 32: Security of processing

• ‘Taking into account the state of the art, the costs of implementation
and the nature, scope, context and purposes of processing as well
as the risk of varying likelihood and severity for the rights and
freedoms of natural persons, the controller and the processor shall
implement appropriate technical and organisational measures to
ensure a level of security appropriate to the risk.’
• Measures as appropriate, including:
– The pseudonymisation and encryption of personal data;
– the ability to ensure the ongoing confidentiality, integrity, availability and
resilience of processing systems and services (security, continuity)
– the ability to restore the availability and access to personal data in a timely
manner in the event of a physical or technical incident (continuity)
– a process for regularly testing, assessing and evaluating the effectiveness
of technical and organisational measures for ensuring the security of the
processing (audit, penetration testing)


Standards and codes of conduct

• Article 32: Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
• Key areas:
– Information/cyber security management systems (eg ISO/IEC 27001)
– Business continuity management systems (eg ISO 22301)
– Personal information management systems (eg BS 10012)
• Certifications do not remove or reduce accountability for data protection – but will demonstrate non-negligence in approaching the Article 32 requirement.


Cyber Resilience Maturity Model

Maturity levels, from highest to lowest:
5: Established Cyber Governance framework (PAS 555)
4: CCMv3, NIST CSF
3: Incident response, business continuity integration
2: Include SCRM
1: Embedded ISO 27001 ISMS, SOC 2
0: ISO 27001 accreditation
-1: Ten Steps to Cyber Security
-2: PIMS, PCI DSS, 20 Critical Controls, IG Toolkit
-3: Cyber Essentials Plus certification
-4: Cyber Essentials certification
-5: The Basics


Cyber Essentials (maturity level -4)


Basic Cyber Hygiene (maturity level -4)

• Aimed at reducing Cyber Kill Chain effectiveness
• Accredited certification – point-in-time security statement
• Affordable for SMEs
• Requirement for UK government contracts
• Cyber insurance benefits

Five technical controls (maturity level -4)

1. Boundary Firewalls & Internet Gateways
– A.13.1 Network Security Management
2. Secure Configuration
– A.12.1 Operational Procedures & Responsibilities
3. Access Control
– A.9.2 User Access Management
4. Malware Protection
– A.12.2 Protection from Malware
5. Patch Management
– A.12.6 Technical Vulnerability Management

PCI DSS v3.3 (i of ii) (maturity level -2)

• Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data (23 sub-requirements)
2. Do not use vendor-supplied defaults for system passwords and other security parameters (12 subs)
• Protect Cardholder Data
3. Protect stored cardholder data (22 subs)
4. Encrypt transmission of cardholder data across open, public networks (4 subs)
• Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus (6 subs)
6. Develop & maintain secure systems and applications (28 subs)

PCI DSS v3.3 (ii of ii) (maturity level -2)

• Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know (10 subs)
8. Identify and authenticate access to system components (23 subs)
9. Restrict physical access to cardholder data (27 subs)
• Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data (32 subs)
11. Regularly test security systems and processes (16 subs)
• Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel (39 subs)

Segmented Network


The 10 Steps to Cyber Security (maturity level -1)

Central step: Information Risk Management Regime, surrounded by:
• Home and Mobile Working
• User Education & Awareness
• Incident Management
• Managing User Privileges
• Removable Media Controls
• Monitoring
• Secure Configuration
• Malware Protection
• Network Security

ISO 27001 relations

Figure (reconstructed from the slide diagram):
ISO 27001:2013
• 0 Introduction
• 1 to 3 Application, Scope, Normative references; 3 Terms and definitions (refers to ISO 27000:2014)
• 4 to 10 Structure and Risk Assessment
• Annex A: A.5 to A.18 Security control objectives and controls
• Annex B Bibliography
ISO 27002:2013
• Introduction, Scope, Normative references, Terms and definitions (refers to ISO 27000:2014)
• 5 to 18 Security control objectives, controls, implementation guidance and other information


Annex A: 14 Control Categories (114 controls)

5 Information security policies
6 Organisation of information security
7 Human resources security
8 Asset management
9 Access control
10 Cryptography
11 Physical & environmental security
12 Operations security
13 Communications security
14 System acquisition, development & maintenance
15 Supplier relationships
16 Information security incident management
17 Information security aspects of business continuity management
18 Compliance

What is Business Continuity?

Figure (image not reproduced): Level of Delivery of Products or Services plotted against Time. After the Disruptive Incident, delivery drops from the Normal level; the organisation manages the immediate consequences of the disruptive incident, keeps delivery at or above the Minimum acceptable level, recovers prioritised activities (with temporary arrangements) and then recovers back to normal.

BCM and ISO 22301

• Business Continuity Management Systems deliver:
• An appropriate level of resilience
o Ensure the ability to recover systems or personal data after a physical or technical disruption
o Systematic approach to analysis of risk and impact of disruption
o Cost-effective resilience
• Resilient work practices that support business goals
• Sustain key products and services through disruption
• Demonstrate commitment to access continuity
• Escalation of cyber incident response (eg DDoS attacks) should lead to BCP invocation


Penetration testing

• External security testing of Internet-facing IP addresses and URLs
• Internal testing of devices and network infrastructure
• Use accredited ethical hackers
• Vulnerability scanning
• Level 1 testing
• Level 2 testing
• Level 3 testing
– CHECK
– CBEST


Session 6: Security of personal data

• Queries?

• Understanding?

• Implementation?


Day 2: The DPIA

At the end of the day, delegates will be able to:

LG 5: Understand the requirements for, as well as when to conduct, a DPIA
LG 6: Understand how a DPIA links to an organization’s Risk Management framework
LG 7: Understand how to conduct a Data Mapping exercise
LG 8: Understand how to conduct a DPIA


Session 7: Organizational risk management framework
At the end of this session delegates will be able to:

LG 6: Understand how a DPIA links to an organization’s Risk Management framework


GDPR and Risk

• Article 32: ‘The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’.
• ‘In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.’
• ‘Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation’ (Article 24(1))

The DPO plays a key bridging role between corporate risk management, broader cyber security risk management and managing risks to personal data.

Organizations already manage risk

What is Risk?
• The effect of uncertainty on objectives (ISO31000 et al)
• A combination of the likelihood of an incident occurring and
the impact, if it does occur, on the organization.
• A probability or threat of damage, injury, liability, loss, or any
other negative occurrence that is caused by external or
internal vulnerabilities, and that may be avoided through pre-
emptive action (businessdictionary.com)
• Risk can be or


Standards and Codes

• ISO 31000: Risk Management – Principles & Guidelines
– AS/NZS 4360:2004 now replaced by ISO31000
• ISO31010: Risk Management - Risk Assessment Techniques
• IRM/ALARM/AIRMIC: A Risk Management Standard
• COSO (Treadway Commission): ERM integrated framework
• Discipline specific, e.g. ISO 27005


ISO31000
Principles of the ISO31000 standard
• Risk management:
– Creates value
– Is an integral part of organisational processes
– Is part of decision making
– Explicitly addresses uncertainty
– Is systematic, structured and timely
– Is based on the best available information and is tailored
– Takes human and cultural factors into account
– Is transparent and inclusive
– Is dynamic, iterative and responsive to change
– Facilitates continual improvement and enhancement


ISO/IEC 27005 and ISO 31000

Figure (reconstructed process flow):
1. Context Establishment
2. Risk Assessment: Risk Identification, Risk Analysis, Risk Evaluation
3. Risk Decision Point 1: Assessment Satisfactory? If N, return to Risk Assessment; if Y, continue
4. Risk Treatment
5. Risk Decision Point 2: Treatment Satisfactory? If N, return to Risk Treatment; if Y, continue
6. Risk Acceptance
Risk Communication and Consultation, and Risk Monitoring and Review, run alongside every step.

Risk Management Process

• Select a risk management framework (or combination)
• Determine level of acceptable (tolerable) risk
• Identify assets and who is responsible for them
• Identify value of each asset (What if?)
• Carry out risk analysis
– Identify threats to each asset
– Identify vulnerabilities the threats could exploit
– Estimate likelihood of threat exploiting vulnerability and resulting in problem
• Determine risk to individual assets by using estimated impact(s) (ie loss of asset value) and likelihood
• Make risk decision
• Create risk treatment plan
• Implement risk treatment plan
• Maintain Risk Register
• Review risk assessment – how often?
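The process above as a small personal-data risk register in Python, added here as an example (my code, not the course’s own tool or any IT Governance artefact): the assets, owners, threats, vulnerabilities and the 1-5 likelihood and impact scales are constructed assumptions, as are the risk appetite threshold and the candidate controls with their assumed residual scores.

```python
"""Added example, not part of the course material: a minimal personal-data
risk register that walks the process on the slide (acceptable risk, assets
and owners, threats, vulnerabilities, likelihood, impact, risk decision,
treatment plan). Scales, appetite and sample entries are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACCEPTABLE_RISK = 6  # assumed risk appetite: likelihood x impact of 6 or less is tolerated


@dataclass(frozen=True)
class Control:
    name: str
    cost: int                 # relative cost units (assumed)
    residual_likelihood: int  # assumed likelihood once the control is in place
    residual_impact: int      # assumed impact once the control is in place


@dataclass
class Risk:
    asset: str
    owner: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe loss of asset value)

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")

    @property
    def score(self) -> int:
        """Risk as the product of estimated likelihood and impact."""
        return self.likelihood * self.impact

    @property
    def decision(self) -> str:
        """Risk decision against the organisation's appetite."""
        return "accept" if self.score <= ACCEPTABLE_RISK else "treat"


def impact_from_harm(data_subjects: int, sensitive: bool, sensitive_fields: int) -> int:
    """Assumed impact bands: more data subjects and more (varied) sensitive
    data mean greater harm from a breach. Returns 1..5."""
    score = 1
    score += int(data_subjects >= 100)
    score += int(data_subjects >= 10_000)
    score += int(sensitive)
    score += int(sensitive_fields >= 3)
    return min(score, 5)


def select_treatment(risk: Risk, candidates: List[Control]) -> Optional[Control]:
    """Cheapest candidate control whose residual risk is within appetite;
    None means no candidate suffices and the risk must be escalated."""
    adequate = [
        c for c in candidates
        if c.residual_likelihood * c.residual_impact <= ACCEPTABLE_RISK
    ]
    return min(adequate, key=lambda c: c.cost) if adequate else None


def build_register(risks: List[Risk]) -> List[Risk]:
    """Highest-scoring risks first, so treatment is planned in priority order."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def treatment_plan(
    risks: List[Risk], options: Dict[str, List[Control]]
) -> List[Tuple[str, str, Optional[str]]]:
    """(asset, decision, chosen control name or None) for each register entry."""
    plan: List[Tuple[str, str, Optional[str]]] = []
    for r in build_register(risks):
        chosen = None
        if r.decision == "treat":
            chosen = select_treatment(r, options.get(r.asset, []))
        plan.append((r.asset, r.decision, chosen.name if chosen else None))
    return plan


# Constructed sample register entries and candidate controls (hypothetical).
SAMPLE_RISKS = [
    Risk("HR database", "Head of HR", "Ransomware", "Unpatched file server",
         likelihood=3, impact=impact_from_harm(2_500, True, 4)),
    Risk("Emergency contact list", "Facilities manager", "Lost USB stick",
         "Unencrypted removable media",
         likelihood=2, impact=impact_from_harm(250, False, 0)),
]
SAMPLE_OPTIONS = {
    "HR database": [
        Control("Cyber insurance only", cost=1, residual_likelihood=3, residual_impact=3),
        Control("Patch management + offline backups", cost=3, residual_likelihood=1, residual_impact=3),
        Control("Full rebuild of HR platform", cost=10, residual_likelihood=1, residual_impact=2),
    ],
}

if __name__ == "__main__":
    for asset, decision, control in treatment_plan(SAMPLE_RISKS, SAMPLE_OPTIONS):
        print(f"{asset}: {decision}" + (f" -> {control}" if control else ""))
```

The register deliberately keeps the appetite threshold as a single named constant: changing it is the ‘determine level of acceptable risk’ step, and every decision and treatment choice follows from it, which is what a reviewer will want to see when the assessment is revisited.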


Risk management applied to privacy

• Preservation of CONFIDENTIALITY, INTEGRITY AND AVAILABILITY of information and the assets and processes that support and enable its acquisition, storage, use, protection and disposal
• Wide variety of assets
– Personal data
– Information
– ICT
– Infrastructure
• Prevent compromise (loss, disclosure, corruption, etc)
• Counter-measures include
– Physical
– HR
– Technical
– Process


Threat landscape - overview

Threat actors: Non-target specific; Employees; Terrorists; Hacktivists; Organized crime; Natural disasters; Nation states; Competitors
Attack vectors: People; Process; Technology
Threat types: Malware; Web attacks; Denial of service; Social engineering; Exploit kits; Ransomware; Etc
Threat targets: IP; Card data; PII; Money; Reputation; Commercial info


Information Security Risks

• Hacking
• Virus infection
• Intruders
• ‘Back door’
• Power failure
• Phishing
• Spam
• Malware
• Fire
• Hard copy
• Industrial accident
• Loss of major customer
• Key staff joining competitor
• Aeroplane crash
• Portable media
• ‘Smartphones’


Risk Management

Figure (reconstructed): Assets, Threats and Vulnerabilities feed the Analysis of Impacts and Likelihood; the resulting Risks are handled through Risk Management, whose Treatment is the identification and implementation of Countermeasures/Controls.

Risk Assessment/Management

Figure (image not reproduced): risk matrix plotting Likelihood against Negative Impact.

The DPIA and the RM framework

• A DPIA assesses the likelihood and impact (ie the risk) of a compromise to the Confidentiality, Integrity and/or Availability (‘information security’) of personal data (‘asset’)
• A DPIA should therefore be a subset of an organization’s risk management framework
– Draw on existing expertise and understanding
– Integrate conclusions into existing risk treatment plans
– Demonstrate data protection by design and by default
– DPIA should already be part of risk management as normal


Session 7: Organizational risk management framework

• Queries?

• Understanding?

• Implementation?


Session 8: Legal requirements for a DPIA
At the end of this session delegates will be able to:

LG 5: Understand the requirements for, as well as when to conduct, a DPIA


Legal requirements for a DPIA (Data Protection Impact Assessment)

Article 35: Data protection impact assessment

• A DPIA is required:
– where a process is using new technologies, and taking into account the nature, scope, context and purposes of the processing, there is a high risk to the rights and freedoms of natural persons
– DPIA is particularly required where:
o Taking into account automated processing including profiling there are legal effects concerning natural persons;
o The processing is on a large scale of special categories of data or personal data related to criminal convictions;
o A systematic monitoring of publicly accessible area on a large scale.
– The controller shall seek the advice of the DPO
– Supervisory authority required to publish a list of operations that must be subject to a DPIA

Legal requirements for a DPIA (Data Protection Impact Assessment)
• The DPIA will set out as a minimum:
– a systematic description of the processing and purposes;
– legitimate interests (where applicable) pursued by the controller;
– an assessment of the necessity and proportionality of the processing;
– an assessment of the risks to the rights and freedoms of the data subjects;
– the measures envisaged to address the risks, including
– all safeguards & security measures to protect data and to demonstrate compliance.
– Compliance with approved codes of conduct should be taken into account;
– Where appropriate, consult the data subjects.


Prior consultation

Article 36: Prior consultation

• Controller shall consult the supervisory authority prior to processing where the DPIA indicates a “high risk to the rights and freedoms of the data subjects”:
– Supervisory authority shall provide written advice to the controller
– Request for controller to provide further information
– Information on purposes and means
– Information on measures and safeguards
– The contact details of the DPO
– A copy of the data protection impact assessment
– Any other information requested


Session 8: Legal requirements for a DPIA

• Queries?

• Understanding?

• Implementation?


Session 9: How to conduct a DPIA

At the end of this session delegates will be able to:

LG 8: Understand how to conduct a DPIA


What is a Data Protection Impact Assessment?

• A process to identify and reduce the privacy risks of a project or a system.
• An effective DPIA should be initiated and maintained throughout the development and implementation of a project or system
• Analyse how a particular project or system will affect the privacy and rights of the data subjects involved.

And, introducing Richard, our colourful DPIA expert…

At the end of his description of the DPIA process, we’re going to do a DPIA for Baratheon, using the handout DPIA tool

The benefits of a DPIA: transparency

Improve how you use information

Helps individuals understand how and why their information is being used.

Which Principles does this address?


The benefits of a DPIA: trust

Publish your DPIA to build trust

Which principle does this address?


The benefits of a DPIA: financial

Minimise the amount of information you collect - Which Principle does this address?

Identifying a problem early will generally require a simpler and less costly solution.


The benefits of a DPIA: awareness

Increase awareness of privacy and data protection issues within your organisation

How does the DPIA link back to your risk framework?


The benefits of a DPIA: compliance

Comply with GDPR obligations

Which overarching principle does this address?


The benefits of a DPIA: assurance

Individuals can be reassured your project has followed best practice


How can a DPIA help?

Identify and reduce privacy risks


What do we mean by Privacy Risk?

Risks to individuals: the potential for damage or distress.

Risks to organisation: financial and/or reputational impact of a data breach.

Privacy risk should already be on the corporate risk register



Examples of privacy risk

Physical privacy
The ability of a person to maintain their own physical space
or solitude.


Examples of privacy risk

Informational privacy
Ability of a person to control, edit, manage and delete information about themselves

Discussion: list some examples of privacy risk


Examples of privacy risk

• Inaccurate, insufficient or out-of-date data
• Disclosed to the wrong people
• Excessive or irrelevant
• Kept for too long
• Used in ways that are unacceptable to or unexpected by the person it is about
• Insecure transmission / storage



Examples of risks which may impact privacy

• Hacking
• Virus infection
• Intruders
• Phishing
• Spam
• Inadequate training
Inadequate safeguards for:
• Hard copy
• Portable media
• Smartphones


How do we assess the harm and impact?

Identifiability
How easily can the personal data be used to identify specific individuals?


How do we assess the harm and impact? …cont’d

Quantity
How many individuals are identified in the information (e.g. number of records)?


How do we assess the harm and impact? …cont’d

Sensitivity and variety of personal data
Consider the sensitivity of each individual personal data field, as well as the data fields together.


Examples of where you might use a DPIA

• Database which consolidates information held by separate parts of an organisation.
• A new IT system for storing and accessing personal data.
• Monitors members of the public
• Unexpected or more intrusive purpose.
• Data sharing initiative



At what point in a project should the DPIA be conducted?

Applied at a time when it is still possible to have an impact on the project.


How does DPIA fit with project management?
The DPIA process should be flexible and integrated with existing project management processes.


Who has responsibility for conducting the DPIA?

Data Protection Officer

Or

Asset/risk owner with a tool for non-experts and input from various people in the organisation


What is covered by a DPIA?

Processes
• Failure to destroy data
People
• Inadequate training
Technology
• Inadequate access control
• Encryption


What are the 5 key stages?

Step 1: Identify need for DPIA
Step 2: Describe the information flow
Step 3: Identify privacy and related risks
Step 4: Identify and evaluate privacy solutions
Step 5: Sign-off and record outcome


1. Identifying the need for a DPIA

Ask screening questions to identify the potential impact on privacy.

Screening process should be embedded into your organisation’s project management procedures.

What personal data will be processed?

Information about an individual that is linked or linkable to an individual:
• Name, such as full name, maiden name, mother’s maiden name, or alias
• Personal identification number, such as National Insurance number, passport number, driver’s licence, patient identification number, financial account or credit number
• Address information, such as street or email address
• Telephone numbers: mobile, business, personal numbers
• Personal characteristics, including photo (face or distinguishing features), fingerprints, biometric data (retina scan, etc)
• Information identifying personally owned property, such as vehicle registration number
• Date of birth, place of birth, race, religion, weight, geographical indicators, employment information, medical information, education information, financial information

Exercise

List some screening questions you might use in a DPIA for Baratheon


Example screening questions

Will the project involve the collection of new information about individuals?

Will the project compel individuals to provide information about themselves?

Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information?

Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?


Example screening questions…cont’d

Does the project involve you using new technology which might be perceived as being privacy intrusive?

Will the project result in you making decisions or taking action against individuals in ways which can have a significant impact on them?


Example screening questions…cont’d

Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations?

Will the project require you to contact individuals in ways which they may find intrusive?


Exercise

Use the screening questions to determine if, in the below scenario, a DPIA is mandatory/necessary/‘light touch’/waste of time:

• Baratheon plans to create and maintain a list of its emergency response team members.
• In the event that a staff member detects any kind of emergency, standard practice will require that the staff member contacts the appropriate people on the list.
• The contact list contains names of 250 people worldwide, job titles, office and work numbers, and their work email addresses.
• Baratheon will make the information available to all staff on its corporate intranet and, in case the intranet is unavailable, on encrypted USB sticks.


Is a full DPIA required?

Not all projects will require the same level of analysis

• If the outcome of the screening is that a standard DPIA is not required then it might still be useful to carry out a ‘light touch’ DPIA exercise.
• In any case, it will still be useful to retain a record of the answers so that they can be referred to in future if necessary.


‘Light touch’ DPIA?

• A DPIA is mandatory only in certain specific circumstances.
• The concept of Data Protection by Design depends, however, on the output of activities like a DPIA
• In circumstances where the process is simple, a standard DPIA might require a disproportionate amount of effort and resource
• In these cases, use a ‘light touch’ DPIA
• Identify data subjects
• Identify data being processed (categories, formats)
• Identify where the data is stored and who has access to it
• Identify key privacy risks
• Identify appropriate technical and organizational measures

GDPR Practitioner v1.1


© IT Governance Ltd 2016 198

GDPR Practitioner v1.1


© IT Governance Ltd 2016 66
TM

2. Describing information flows

A thorough assessment of privacy risks is only possible if your organisation fully understands how information is being used in a project.

You should be able to describe how information is collected, stored, used and deleted.

Example information flow

(Diagram of an HR information flow. Labelled elements: Candidates; Candidate information; Outsourced CV database; Recruitment system; Recruitment services data; Screening; Agency employment; Outplacement services / Outplacement; HR system; HR users; Management; Finance system; Workforce metrics; email; 3rd party users.)

3. Identifying privacy and related risks

Assess the corporate risks, including regulatory action, reputational damage, and loss of public trust.

Conduct a compliance check against the GDPR and other relevant legislation.

3. Identifying privacy and related risks

You can align the DPIA with your company’s way of categorising or measuring risk.

A common approach is to assess the risk in terms of its likelihood and impact:

Risk = a function of likelihood/probability and impact (total consequence)

How do we assess the impact (harm)?

Harm criteria, rated Low / Medium / High:

Reputation (proposed impact scale: “Damage to the reputation of …”)
  Low: Minor harm (non-sensitive data) to an individual or small group (<100 people) which could result in adverse publicity in local media
  Medium: Damage or distress (some sensitive data) to a large group (>100 individuals) and significant adverse publicity in national media
  High: Significant damage and distress (variety of sensitive data) to a high number of individuals which could result in sustained adverse publicity in international media

Operational / management
  Low: Dissatisfaction disrupts output
  Medium: Significant disruption to operations
  High: Resignation/removal of management

Security
  Low: Localised incident. No effect on operations
  Medium: Localised incident. Moderate effect on operations
  High: Significant incident involving multiple locations, seriously affecting continuity of operations

Finance (relative to the organisation’s annual budget)
  Low: >2% of monthly budget and/or £10,000 limit
  Medium: >5% of monthly budget and/or £50,000 limit
  High: >10% of monthly budget and/or £50k+ limit

Exercise: Example risks

Risk 1. Inadequate disclosure controls increase the likelihood of information being shared inappropriately. Impact: High (3). Likelihood: High (3).
Risk 2. Information is collected and stored indefinitely. Impact: Moderate (2). Likelihood: Low (1).
Risk 3. 3rd party data breach. Impact: High (3). Likelihood: Moderate (2).
Risk 4. Accidental theft or loss of data. Impact: High (3). Likelihood: Moderate (2).

Example risk acceptance criteria

Likelihood (rows) against impact (columns: Low (1) / Medium (2) / High (3)):

  Likely (3):      3   4   5
  Occasional (2):  2   3   4
  Unlikely (1):    1   2   3

Each cell is the risk score (likelihood + impact - 1, so the scale runs from 1 to 5). The acceptance criteria state which scores the organisation is prepared to tolerate without treatment.

What is your Risk Appetite?

(Four copies of the likelihood/impact matrix above, each shaded differently to show a different risk appetite, i.e. which cells the organisation would accept without treatment.)

Mapping risks to your Risk Acceptance Criteria

The four example risks plotted on the matrix (cell score, followed by the risks that land in that cell):

  Likely (3):      3   4            5 (risk 1)
  Occasional (2):  2   3            4 (risks 3 and 4)
  Unlikely (1):    1   2 (risk 2)   3

  Impact:          Low (1)   Medium (2)   High (3)

4. Identifying and evaluating privacy solutions

Aims of the project vs impact on privacy

Review risks and options

Risk treatment

What actions address the risks?

Reduce the risk (its likelihood and/or its impact) to an acceptable level.

Risk options?

• Terminate
• Transfer
• Tolerate
• Treat

Discussion: List examples of each risk option

Exercise…cont’d

Risk 1. Inadequate disclosure controls. Vulnerability: lack of training and lack of sufficient policy. Impact: High. Likelihood: High. Risk decision: Treat.
Risk 2. Information is collected and stored indefinitely. Vulnerability: inadequate retention policy. Impact: Moderate. Likelihood: Low. Risk decision: Tolerate.
Risk 3. 3rd party data breach. Vulnerability: inadequate 3rd party contract. Impact: High. Likelihood: Moderate. Risk decision: Treat.
Risk 4. Accidental theft or loss of data. Vulnerability: inadequate encryption. Impact: High. Likelihood: Moderate. Risk decision: Treat.

How do you bring risks down to an acceptable level?

(The same matrix, with risk 1 in the Likely/High cell (5), risks 3 and 4 in the Occasional/High cell (4) and risk 2 in the Unlikely/Medium cell (2). Treatment moves a risk towards the lower-left cells by reducing its likelihood, its impact, or both, until it sits inside the risk acceptance criteria.)
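The scoring matrix, the risk appetite threshold and the exercise table above, worked through in code. This is an added example and is not part of the IT Governance course material. It assumes that each matrix cell equals likelihood + impact - 1 (which reproduces every cell of the slide's 3x3 matrix), and the appetite threshold of 3 and the residual rating after encryption are illustrative choices, not values from the page.

```python
"""Added example (not from the IT Governance course material): scoring DPIA
risks with the likelihood/impact matrix on the slides, applying a risk
appetite threshold, and re-scoring a risk after treatment.

Assumptions not stated on the page: each matrix cell equals
likelihood + impact - 1 (this reproduces every cell of the slide's 3x3
matrix, 1 to 5); the appetite threshold of 3 and the residual rating used
below are illustrative.
"""
from dataclasses import dataclass
from typing import Optional

# Rating names as used on the matrix slide and on the exercise slide.
LIKELIHOOD = {"Unlikely": 1, "Low": 1, "Occasional": 2, "Moderate": 2,
              "Likely": 3, "High": 3}
IMPACT = {"Low": 1, "Medium": 2, "Moderate": 2, "High": 3}


def risk_score(likelihood: str, impact: str) -> int:
    """Cell value of the slide's matrix: Unlikely/Low = 1 ... Likely/High = 5."""
    return LIKELIHOOD[likelihood] + IMPACT[impact] - 1


@dataclass
class Risk:
    ref: int
    description: str
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)


def decide(risk: Risk, appetite: int) -> str:
    """Tolerate a risk inside the appetite; anything above it needs one of
    the other options (treat, transfer or terminate)."""
    return "Tolerate" if risk.score <= appetite else "Treat/Transfer/Terminate"


def assess(risks, appetite: int = 3) -> dict:
    """Map each risk ref to (score, decision)."""
    return {r.ref: (r.score, decide(r, appetite)) for r in risks}


def plot(risks) -> dict:
    """Group risk refs by matrix cell (likelihood rating, impact rating),
    as on the 'Mapping risks' slide."""
    cells: dict = {}
    for r in risks:
        key = (LIKELIHOOD[r.likelihood], IMPACT[r.impact])
        cells.setdefault(key, []).append(r.ref)
    return cells


def residual(risk: Risk, likelihood: Optional[str] = None,
             impact: Optional[str] = None) -> int:
    """Score after treatment: a control may lower likelihood, impact or both."""
    return risk_score(likelihood or risk.likelihood, impact or risk.impact)


# The four risks from the exercise slide, with the ratings given there.
EXAMPLE_RISKS = [
    Risk(1, "Inadequate disclosure controls", "High", "High"),
    Risk(2, "Information is collected and stored indefinitely", "Low", "Moderate"),
    Risk(3, "3rd party data breach", "Moderate", "High"),
    Risk(4, "Accidental theft or loss of data", "Moderate", "High"),
]

if __name__ == "__main__":
    for ref, (score, decision) in assess(EXAMPLE_RISKS).items():
        print(f"Risk {ref}: score {score}, {decision}")
    print("cells:", plot(EXAMPLE_RISKS))
    # Illustrative: encryption does not stop a device being lost, but makes
    # the lost data unreadable, so the impact of risk 4 falls to Low.
    print("risk 4 after encryption:", residual(EXAMPLE_RISKS[3], impact="Low"))
```

With the threshold at 3, risk 2 (score 2) is tolerated and risks 1, 3 and 4 (scores 5, 4, 4) need a decision; re-scoring risk 4 with its impact reduced to Low brings it to 2, inside the appetite, which is the movement towards the lower-left cells the slide describes.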

4. Identifying and evaluating privacy solutions

Balance the project’s outcomes with the impact on individuals.

Discussion: What controls could be used to reduce the risks described in the example HR system?

Example HR database – Risk to individuals

Inadequate disclosure controls. Impact: High. Likelihood: High. Risk decision: Treat. Risk treatment: develop privacy policy; communicate and test via training and awareness programme.
Information is collected and stored indefinitely. Impact: Moderate. Likelihood: Low. Risk decision: Treat. Risk treatment: develop retention policy.
3rd party data breach. Impact: High. Likelihood: Moderate. Risk decision: Transfer. Risk treatment: appropriate clauses in contracts. (A contract shifts liability between the parties; it does not remove the controller’s accountability for the processing.)
Accidental theft or loss of data. Impact: High. Likelihood: Moderate. Risk decision: Treat. Risk treatment: encrypt.

Examples of risk treatment

• Reduce data collected
• Retention policy
• Secure destruction of information
• Access control
• Training and awareness
• Anonymise information
• Contracts or data sharing agreements
• Acceptable use policy
• Subject access request process
• External supplier risk assessments

Assess the costs and benefits

(Chart: number of controls on the horizontal axis; cost rises and vulnerabilities fall as controls are implemented; the risk acceptance level marks the point at which enough controls have been implemented.)

5. Signing off and recording the DPIA outcomes

• Produce DPIA report
• Obtain sign-off (risk committee; the supervisory authority is involved only through prior consultation under Article 36, where the DPIA shows the processing would still leave a high residual risk)
• Publish the report / make a summary available to stakeholders.

5. Signing off and recording the DPIA outcomes

• Report should include an overview of the project
• Describe the impact on privacy
• Describe the data flows
• Describe the privacy risks and associated treatment

6. Integrating the DPIA outcomes back into the project plan

• Ensure actions recommended by the DPIA are implemented
• Continue to use the DPIA throughout the project lifecycle
• DPIA is recorded

Internal consultation

• Project management team
• Data protection officer
• Engineers, developers and designers
• Information technology (IT)
• Procurement
• Potential suppliers and data processors
• Communications
• Customer-facing roles
• Corporate governance/compliance
• Researchers, analysts, and statisticians
• Senior management

External consultation

• Understand the concerns of individuals
• Consult people impacted
• Members of the public
• Staff

Exercise

DPIA Exercise

Use the ITG DPIA Workbook

• For Baratheon’s core online market analysis technology (clauses 1.9 & 4.6) identify:
  – Categories of data being processed
  – Key privacy risks
    o Analyse and estimate each risk
  – Data subjects at risk
  – Practical mitigating controls to reduce the identified privacy risks
  – Links between the recommendations and the relevant privacy principles

Linking the PIA to the Privacy Principles

1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and, where necessary, kept up to date
5. Retained only for as long as necessary
6. Processed in an appropriate manner to maintain security

Accountability: the controller must be able to demonstrate compliance with all six principles.

Linking the DPIA to the Data Protection Principles

Principle 1
• Personal data shall be processed lawfully, fairly and in a transparent manner

• Have you identified the purpose of the project?
• How will individuals be told about the use of their personal data?
• Do you need to amend your privacy notices?
• Have you established which conditions for processing apply?
• If you are relying on consent to process personal data, how will this be collected and what will you do if it is withheld or withdrawn?

Linking the DPIA to the Data Protection Principles

Principle 2
• Purpose limitation

• Does your project plan cover all of the purposes for processing personal data?
• Have potential new purposes been identified as the scope of the project expands?

Linking the DPIA to the Data Protection Principles

Principle 3
• Data minimisation

• Is the information you are using of good enough quality for the purposes it is used for?
• Which personal data could you not use, without compromising the needs of the project?

Linking the DPIA to the Data Protection Principles

Principle 4
• Accuracy

• If you are procuring new software, does it allow you to amend data when necessary?
• How are you ensuring that personal data obtained from individuals or other organisations is accurate?

Linking the DPIA to the Data Protection Principles

Principle 5
• Storage limitation

• What retention periods are suitable for the personal data you will be processing?
• Are you procuring software which will allow you to delete information in line with your retention periods?

Linking the DPIA to the Data Protection Principles

Principle 6
• Technical and organisational measures

• Do any new systems provide protection against the security risks you have identified?
• What training and instructions are necessary to ensure that staff know how to operate the new system securely?

Session 9: How to conduct a DPIA

• Queries?
• Understanding?
• Implementation?

Session 10: Why and how to conduct a data mapping exercise

At the end of this session delegates will be able to:

LG 7: Understand how to conduct a Data Mapping exercise

Data mapping – what are the challenges?

• Identify personal data
• Identify appropriate technical and organisational safeguards
• Understand legal & regulatory obligations
• Trust and confidence

What is an information flow?

A transfer of information from one location to another.

Describing information flows

Walk through the information lifecycle to identify unforeseen or unintended uses of the data.

Ensure the people who will be using the information are consulted on the practical implications.

Consider the potential future uses of the information collected, even if it is not immediately necessary.

Information flow - Identify the key elements

Data items: name, email, address; health data, criminal records; biometrics, location data
Formats: hardcopy (paper records); digital (USB); database
Transfer methods: post, telephone, social media; internal (within group); external (data sharing)
Locations: offices; cloud; 3rd parties

Data flow mapping - questions to ask

• Workflow inputs and outputs
  – How is the personal data collected (e.g. form, online, call centre, other)?
  – Who is accountable for the personal data?
  – Where are the systems/filing systems containing the data located?
  – Who has access to the information?
  – Is the information disclosed / shared with anyone (e.g. suppliers, 3rd parties)?
  – Does the system interface with / transfer information to other systems?

Data flow mapping

Whiteboard – freeform diagrams
Template drawings (Visio, mind map tools)
Post-it notes

Identify:
• Data items
• Data formats
• Transfer methods
• Locations

Chapter 9 of The Object Primer 3rd Edition: Agile Model Driven Development with UML 2
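The key elements and questions above turned into a structured inventory that can be queried, as an added example that is not part of the course material. The three flows are constructed for the Baratheon case study and are not described on the page, and the check rules (external recipient without a contract, special category data leaving the organisation, criminal records data, unencrypted removable media, nobody accountable) are this example's own selection, not a list from the course.

```python
"""Added example (not from the course material): a data flow inventory built
from the key elements the slides ask you to identify (data items, formats,
transfer methods, locations, who is accountable, who has access), with
automated checks that surface the privacy issues a reviewer looks for.

Assumptions: the three flows below are constructed for the Baratheon case
study and are not described on the page; the check rules are this
example's own, not a list from the course.
"""
from dataclasses import dataclass, field

# Special categories as listed on the Article 9 slide.
SPECIAL_CATEGORIES = {
    "racial or ethnic origin", "political opinions", "religion",
    "philosophical beliefs", "trade union membership", "genetic data",
    "biometric data", "health data", "sex life", "sexual orientation",
}
# Criminal convictions data is governed separately, by Article 10.
CRIMINAL_DATA = {"criminal records"}
EXTERNAL_LOCATIONS = {"Cloud", "3rd party"}


@dataclass
class Flow:
    name: str
    data_items: set
    fmt: str               # "Hardcopy", "Digital (USB)" or "Database"
    transfer: str          # "Post", "Telephone", "Social media", "Internal", "External"
    source: str
    destination: str       # "Office", "Cloud" or "3rd party"
    accountable: str       # who is accountable for the data
    access: set            # who has access to it
    safeguards: set = field(default_factory=set)


def findings(flow: Flow) -> list:
    """Issues to raise when formalising this flow (rules are illustrative)."""
    issues = []
    special = flow.data_items & SPECIAL_CATEGORIES
    external = flow.destination in EXTERNAL_LOCATIONS or flow.transfer == "External"
    if external and "contract" not in flow.safeguards:
        issues.append("external recipient with no contract or data sharing agreement")
    if external and special:
        issues.append("special category data shared externally: "
                      + ", ".join(sorted(special)))
    if flow.data_items & CRIMINAL_DATA:
        issues.append("criminal records data (Article 10) needs an official-authority "
                      "or Member State law basis")
    if flow.fmt == "Digital (USB)" and "encryption" not in flow.safeguards:
        issues.append("removable media without encryption")
    if not flow.accountable:
        issues.append("no one accountable for the data")
    return issues


def review(flows) -> dict:
    """Map flow name to its list of findings; an empty list means nothing found."""
    return {f.name: findings(f) for f in flows}


# Constructed sample flows for the Baratheon case study.
FLOWS = [
    Flow("Candidate CV submission", {"name", "email", "address"}, "Database",
         "External", "Candidates", "3rd party", "HR",
         {"Recruitment team", "Outsourced CV database provider"}, {"contract"}),
    Flow("Pre-employment screening",
         {"name", "address", "health data", "criminal records"}, "Database",
         "External", "HR system", "3rd party", "HR", {"Screening agency"}),
    Flow("Emergency contact list", {"name", "job title", "work phone", "work email"},
         "Digital (USB)", "Internal", "Intranet", "Office", "Facilities",
         {"All staff"}, {"encryption"}),
]

if __name__ == "__main__":
    for name, issues in review(FLOWS).items():
        print(name, "->", issues or "no findings")
```

The value of recording the flows this way is that the same questions (who is accountable, who has access, is it shared externally, what safeguards apply) get asked of every flow, and a new flow added later is checked the same way as the first.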

Data flow map

(Diagram.)

Exercise

Data mapping

On a flip chart, describe the data flow in Baratheon’s recruitment process (clause 3.1).
Identify each of the likely stages in the process and the privacy issues which should be addressed when formalising the process.

Session 10: Why and how to conduct a data mapping exercise

• Queries?
• Understanding?
• Implementation?

Day 2: The Course?

• Queries?
• Understanding?
• Implementation?

EU GDPR Practitioner Course
DAY 3
IT Governance

Day 3

11. The Rights of Data Subjects
12. Data subjects: giving and withdrawing consent
13. Handling Data Subject Access Requests
14. Roles of, and relationships between, controllers and processors
15. Personal data, international organizations, non-EEA states and the EU-US Privacy Shield

Session 11: The Rights of Data Subjects

At the end of this session delegates will be able to:

LG 9: Understand the rights of Data Subjects

The Rights of data subjects: from principles to specific obligations…

Article 5 principles:
1. Fair and lawful
2. Specific purpose(s)
3. Minimum necessary
4. Accurate
5. Retention
6. Security

Specific obligations that flow from them:
• Article 6: Lawfulness
• Article 7: Lawful consent
• Article 8: Child’s consent
• Article 13: Fair information to be provided

Eight Rights of Data Subjects

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling.

1. Right to be informed
Privacy Notice (Recitals 39, 42, 58; Articles 13, 14)

What the notice must contain. For each requirement: whether it applies when the data is obtained directly from the data subject (Article 13) and when it is not (Article 14).

• Identity and contact details of the controller (and, where applicable, the controller’s representative) and the data protection officer: directly Y; not directly Y
• Purpose of the processing and the legal basis for the processing: directly Y; not directly Y
• The legitimate interests of the controller or third party, where applicable: directly Y; not directly Y
• Categories of personal data: directly N (the data subject supplied them); not directly Y
• Any recipient or categories of recipients of the personal data: directly Y; not directly Y
• Details of transfers to a third country and the safeguards: directly Y; not directly Y
• Retention period or the criteria used to determine the retention period: directly Y; not directly Y
• The existence of each of the data subject’s rights: directly Y; not directly Y
• The right to withdraw consent at any time, where relevant: directly Y; not directly Y
• The right to lodge a complaint with a supervisory authority: directly Y; not directly Y
• The source the personal data originates from and whether it came from publicly accessible sources: directly N; not directly Y
• Whether the provision of personal data is part of a statutory or contractual requirement or obligation, and the possible consequences of failing to provide the personal data: directly Y; not directly N
• The existence of automated decision making, including profiling, and meaningful information about the logic involved, the significance and the envisaged consequences: directly Y; not directly Y

1. Right to be informed
Privacy Notice (Recitals 39, 42, 58; Articles 13, 14)

The notice must be:

• Concise
• Clear and in plain language (consider the notice if addressed to a child)
• Available and easily accessible to data subjects

1. Right to be informed
Privacy Notice (Recitals 39, 42, 58; Articles 13, 14)

When to provide a Privacy Notice

Personal data collected by the data controller directly: at the time of data collection.

Personal data not collected directly:
• within a reasonable time of obtaining the data, and at the latest within one month;
• if the data is used to communicate with the data subject, at the latest at the time of the first communication;
• if disclosure to another recipient is envisaged, at the latest before the data is first disclosed.

2. Right of access
Articles 12, 15; Recitals 63, 64

Recital 63 – the right of access allows data subjects to verify the lawfulness of processing.

• Information must be provided free of charge.
  – You may charge a ‘reasonable fee’ for further copies of the information, or where a request is manifestly unfounded or excessive.
  – The fee must be based on the administrative cost of providing the information.

• Information must be provided within 1 month of receipt of a request.
  – This can be extended by a further 2 months for complex or numerous requests, provided you inform the individual within 1 month, with the reasons for the extension.

2. Right of access
Articles 12, 15; Recitals 63, 64

A data subject access request (DSAR) is simply a request made by or on behalf of an individual for the information to which he or she is entitled.

SAR – individuals must provide:
• the request itself (in writing or electronically; the GDPR does not prescribe a form)
• proof of identity
• some direction as to the information or processing the request relates to, where you hold a large quantity of information about them (Recital 63)

3. Right to rectification
Articles 16, 19; Recital 65

Conditions on when rectification applies:

• If personal data is inaccurate or incomplete.
• If you have disclosed the personal data in question to third parties, you must inform them of the rectification unless this proves impossible or involves disproportionate effort.

You must also inform the individual about the third parties to whom the data has been disclosed, if he or she requests it.

You must respond within one month.
• This can be extended by a further 2 months if the request is complex.

4. Right to erasure (‘right to be forgotten’)
Article 17; Recitals 65, 66

Not an absolute right… it applies in specific circumstances:

• Processing is no longer necessary in relation to the purpose
• Data subject withdraws consent (and there is no other legal basis for the processing)
• Data subject objects to processing (and there are no overriding legitimate grounds for continuing)
• Processing is unlawful
• The personal data has to be erased to comply with a legal obligation
• The data was collected in relation to information society services offered directly to a child

4. Right to erasure

You may refuse a request to erase personal data where the processing is necessary:

• to comply with a legal obligation (to keep the data)
• for exercising the right of freedom of expression and information
• for reasons of public interest in the area of public health
• for archiving in the public interest, scientific/historical research or statistical purposes
• for the establishment, exercise or defence of legal claims

4. Right to erasure

Children’s data (Recital 38)

– GDPR requires specific protection to be applied to processing children’s data as they may be less aware of the risks (when providing consent – especially in relation to social networking).
– Recital 38: ‘Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.’
TM

4. Right to erasure
Article 17(2), Article 19; Recital 66

Informing other organisations of the erasure

• You must inform the recipients of the data of the erasure, unless this proves impossible or involves disproportionate effort.
• Where you have made the data public, take reasonable steps to inform other controllers processing it that the data subject has requested the erasure of any links to, or copies of, the data.
• Take into consideration the available technology and the cost of implementation.

5. Right to restrict processing
Article 18; Recital 67

Restriction – you may retain data that has been suppressed on the condition that it is not further processed.

Conditions on when the right to restrict processing applies:

• The individual contests the accuracy of the personal data.
• The individual has objected to processing carried out for the purpose of legitimate interests (while you verify whether your grounds override theirs).
• The processing is unlawful and the individual opposes erasure and requests restriction instead.
• You no longer need the personal data, but the individual requires the data to establish, exercise or defend a legal claim.

You must inform individuals when you decide to lift a restriction on processing.

6. Right to data portability
Article 20; Recital 68

Portability – allows individuals to obtain and reuse their personal data for their own purposes across different services.

Conditions on when the right to data portability applies:

• The right to data portability only applies:
  – to personal data an individual has provided to a controller;
  – where the processing is based on the individual’s consent or on the performance of a contract; and
  – when the processing is carried out by automated means.

6. Right to data portability

Demonstrate compliance:
• Provide the data in a structured, commonly used and machine-readable format
• Data must be provided free of charge
• Where technically feasible, transmit the data directly to another organisation at the individual’s request

Important: If the personal data concerns more than one individual, you must consider whether providing the information would prejudice the rights of any other individual.

You must respond within one month.

7. Right to object
Article 21; Recitals 69, 70

Conditions on when the right to object applies:

• processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
• direct marketing (including profiling); and
• processing for purposes of scientific/historical research and statistics.

If processing activities take place online then you must offer a way for individuals to object online.

7. Right to object
Article 21; Recitals 69, 70

Demonstrating compliance:

If processing on grounds of legitimate interests you must stop processing unless:

• you can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
• the processing is for the establishment, exercise or defence of legal claims.

You must inform individuals of their right to object “at the point of first communication” and in your privacy notice.

7. Right to object
Article 21; Recitals 69, 70

Demonstrating compliance:

If you process personal data for research purposes:

• Individuals must have “grounds relating to his or her particular situation” in order to exercise their right to object.
• Where the processing of personal data is necessary for the performance of a public interest task, you are not required to comply with an objection to the processing.

8. Rights related to automated decision making and profiling
Recitals 71, 72; Articles 4, 9, 22

Conditions on when the right ‘not to be subjected to an automated decision’ applies:

• it is based solely on automated processing; and
• it produces a legal effect or a similarly significant effect on the individual.

You must ensure that individuals are able to:

• obtain human intervention;
• express their point of view; and
• obtain an explanation of the decision and challenge it.

8. Rights related to automated decision making and profiling
Recitals 71, 72; Articles 4, 9, 22

• Automated decisions of this kind must not:
  • concern a child (Recital 71); or
  • be based on the processing of special categories of data (Article 22(4)), unless:
    – you have the explicit consent of the individual (Article 9(2)(a)); or
    – the processing is necessary for reasons of substantial public interest (Article 9(2)(g)),
    and suitable measures to safeguard the individual’s rights, freedoms and legitimate interests are in place.

8. Rights related to automated decision making and profiling
Recitals 71, 72; Articles 4, 9, 22

Conditions for profiling; you must:

• Provide meaningful information about the logic involved, as well as the significance and the envisaged consequences.
• Use appropriate mathematical or statistical procedures for the profiling.
• Implement appropriate technical and organisational measures to enable inaccuracies to be corrected and reduce errors.
• Secure personal data in a way that is proportionate to the risk.

Article 9: Processing of special categories of personal data

• Processing of the following types of personal data is prohibited (unless one of the Article 9(2) conditions applies):
  – Racial or ethnic origin
  – Political opinions
  – Religion
  – Philosophical beliefs
  – Trade union membership
  – Genetic data
  – Biometric data (for the purpose of uniquely identifying a natural person)
  – Health data
  – Data concerning a natural person’s sex life
  – Sexual orientation.

Article 9: Processing of special categories of personal data

Conditions for processing special categories of data (Article 9(2)):

– The data subject has given explicit consent;
– It is necessary for carrying out the obligations and exercising the rights of the controller or the data subject in the field of employment, social security and social protection law;
– It is necessary to protect the vital interests of the data subject, where he or she is incapable of giving consent;
– Processing is carried out by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, in relation to its members;
– The personal data has manifestly been made public by the data subject;
– Establishment, exercise or defence of legal claims;
– Reasons of substantial public interest, or of public interest in the area of public health;
– Preventive or occupational medicine, or health or social care;
– Archiving purposes in the public interest, scientific or historical research or statistical purposes;
– Member States may maintain or introduce further conditions for genetic, biometric or health data (Article 9(4)).

Article 11: Processing which does not require identification

If the purposes for which a controller processes personal data do not require the identification of the data subject, the controller is not obliged to acquire additional information in order to identify the data subject solely to comply with the Regulation. (Article 10 concerns personal data relating to criminal convictions and offences.)

Session 11: The Rights of Data Subjects

• Queries?
• Understanding?
• Implementation?

Session 12: Data Subjects: Giving and Withdrawing Consent

At the end of this session delegates will be able to:

LG 10: Understand how consent is given and withdrawn

Consent
Recitals 32, 33, 38, 42, 43, 54; Article 4(11)

GDPR defines consent as:

‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’

Recital 42: ‘For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.’

Recital 43: ‘Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations.’

Article 7: Conditions for consent

Conditions for consent:
– Controllers must be able to demonstrate that consent was given;
– A written declaration of consent must be clear, intelligible and easily accessible; any part of it that infringes the Regulation is not binding;
– Consent can be withdrawn at any time, and it must be as easy to withdraw consent as to give it;
– Consent is not freely given if performance of a contract is made conditional on consent to processing that is not necessary for that contract;
– Ticking a box or choosing appropriate technical settings is a valid way of giving consent (Recital 32).

Consent
Recitals 32, 33, 38, 42, 43, 54; Article 4

Conditions for relying on consent

• ‘the controller must be able to demonstrate that the data subject has consented to the processing’
• Data subject must be able to withdraw consent at any time
• It shall be as easy to withdraw consent as to give it.

Consent
Recitals 32, 33, 38, 42, 43, 54; Article 4

Conditions for relying on consent

• Consent should cover all processing activities carried out for the same purpose(s)
• If processing for multiple purposes, consent should be given for all of them
• Specific rules apply to children (e.g. verify age, seek parental consent)
• Consent should not be considered freely given if the data subject has no genuine or free choice

Withdrawing consent

• There is argument over the extent to which consent can be ‘freely given’ by, for instance, an employee to payroll processing, insofar as they have to provide the information or they won’t get paid. In this case, it might be better to rely for lawfulness on ‘processing is necessary for the performance of a contract to which you are both a party’.
• If a data subject gives consent, they have to be able to withdraw consent. So, again, if an employee can withdraw consent for their salary details to be processed by your payroll bureau, this might create unwanted complexities which can be avoided by finding some other lawful grounds for this processing.

Consent
Recitals 32, 33, 38, 42, 43, 54; Article 4

Demonstrating compliance

– Cannot rely on silence, inactivity or pre-ticked boxes
– Policy or process in place to inform how to withdraw consent
– Separate consent if the purpose changes
– Link your privacy policy to tools that enable individuals to control how the information is used and shared.

Exercise
• Additional consent scenarios – see handouts


Session 12: Giving and Withdrawing Consent

• Queries?

• Understanding?

• Implementation?


Session 13: Handling Data Subject Access Requests (DSAR)

At the end of this session delegates will be able to:

LG 11: Understand how to handle a subject access request


2. Right of access
Articles 12, 15; Recitals 63, 64

Subject Access – What are the key stages?

Step 1: Recognize a DSAR
Step 2: Validate the request – proof of photo ID and address
Step 3: Handle requests made on behalf of 3rd parties or children
Step 4: Redaction – remove 3rd party data; remove data exempt from disclosure
Step 5: Maintain records


‘Simple’ access requests

• Single location for data
• No 3rd parties included in the data
• May involve DPO to validate disclosure


‘Complex’ access requests

• Multiple information sources
• Release of contentious information
• Several requests from same individual
• Involves release of 3rd party information
• DPO or legal advisor must be consulted


3rd Party data

If data to be disclosed includes incidental disclosure of 3rd party data (e.g. family member, referee, care worker, etc.) the information should not be disclosed without the 3rd party’s consent.

If consent cannot be obtained then the following must be taken into account:
- duty of confidentiality to the 3rd party
- steps taken to seek consent
- whether the 3rd party is capable of giving consent
- any express refusal of consent

The DPO or legal advisor should be consulted to identify what can be disclosed and what should be withheld (e.g. redacted).

The disclosure should inform the data subject that some information was withheld and why.

Records Management

• Maintain a centralised record of all DSARs
– When received
– Details of request
– Confirmation of identification
– When fulfilled
– Issues or concerns
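The DSAR stages described above (validate identity, withhold third-party data that lacks consent and data exempt from disclosure, tell the requester what was withheld and why, and keep a centralised record) as an added example that is not part of the course material. The per-item tags, the register fields and the sample records are constructed assumptions for this example; dates are kept as ISO strings for simplicity.

```python
"""Added example (not from the course deck): building a DSAR response and
its register entry.

Assumptions made for this example: each held item is tagged with the person
it concerns, with any exemption that applies and with whether the third
party concerned has consented to disclosure; register dates are ISO strings.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Item:
    """One piece of held information, tagged for DSAR handling (assumed tags)."""
    content: str
    concerns: str                      # the person the item is about
    exempt: Optional[str] = None       # reason it is exempt from disclosure, if any
    third_party_consent: bool = False  # third party has consented to disclosure


@dataclass
class DsarRecord:
    """Centralised register entry for one DSAR (fields from the slide)."""
    requester: str
    received: str
    details: str
    identity_confirmed: bool
    fulfilled: Optional[str] = None
    issues: List[str] = field(default_factory=list)


def build_response(requester: str, items: List[Item]) -> Tuple[List[str], List[str]]:
    """Split held items into those disclosed and the reasons for those withheld."""
    disclosed: List[str] = []
    withheld: List[str] = []
    for item in items:
        if item.exempt:
            withheld.append(f"withheld: exempt from disclosure ({item.exempt})")
        elif item.concerns != requester and not item.third_party_consent:
            # Incidental third-party data (family member, referee, care worker, ...)
            # is not released without that third party's consent.
            withheld.append("withheld: relates to a third party who has not consented")
        else:
            disclosed.append(item.content)
    return disclosed, withheld


def handle_dsar(record: DsarRecord, items: List[Item], today: str) -> List[str]:
    """Validate identity, assemble the response and update the register entry."""
    if not record.identity_confirmed:
        record.issues.append("identity not confirmed; nothing released")
        return []
    disclosed, withheld = build_response(record.requester, items)
    if withheld:
        # Withheld items need DPO or legal-advisor review; note it in the register.
        record.issues.append(f"{len(withheld)} item(s) withheld; refer to DPO or legal advisor")
    record.fulfilled = today
    # The response itself tells the data subject that something was withheld and why.
    return disclosed + sorted(set(withheld))


if __name__ == "__main__":
    # Constructed sample data, not real records.
    held = [
        Item("Attended training course, 2016-03-01", concerns="alice"),
        Item("Reference letter written by bob", concerns="bob"),
        Item("Care worker's note about alice (worker consented)", concerns="carol",
             third_party_consent=True),
        Item("Legal advice on alice's grievance", concerns="alice",
             exempt="legal professional privilege"),
    ]
    entry = DsarRecord("alice", "2016-04-01", "all personal data held", identity_confirmed=True)
    for line in handle_dsar(entry, held, today="2016-04-20"):
        print(line)
    print(entry)
```

Reasons are deduplicated in the response so the requester learns that a category of data was withheld and why, without the response itself revealing how many third-party items exist; the register entry keeps the count for the organisation's own records.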


Exercise
How should Baratheon deal with this DSAR?
• An individual makes a request for their personal data. When
preparing the response, you notice that a lot of it is in coded form.
For example, attendance at a particular training session is logged
as ‘A’, while non-attendance at a similar event is logged as ‘M’.
Also, some of the information is in the form of handwritten notes
that are difficult to read. Without access to the organisation’s key or
index to explain this information, it would be impossible for anyone
outside the organisation to understand.


Exercise
• Are these methods of submitting a DSAR to an
organisation acceptable?

– Letter
– Email
– Orally
– Social Media – Facebook, Twitter etc.


Session 13: Handling Data Subject Access Requests

• Queries?

• Understanding?

• Implementation?


Session 14: Roles of, and relationships between, controllers and processors

At the end of this session delegates will be able to:

LG 12: Understand the roles of and relationships between controllers and processors


Controllers vs Processors

This session will enable delegates to:

– Differentiate between controllers and processors
– Identify requirements on controllers in respect of processing activities
– Identify how organisations are required to approach data protection
by design
– Identify the requirements in respect of controllers or processors who
are not established in the EU
– Identify the obligations applied to processors


Key Definitions

“data controller” means the natural or legal person, public authority, agency or any other

“data processor” means a natural or legal person, public authority, agency or any other

“processing” means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction;


Data controllers

Controllers determine:
• the legal basis for collecting data;
• which items of personal data to collect, i.e. the content of the data;
• the purpose or purposes the data are to be used for;
• which individuals to collect data about;
• whether to disclose the data, and if so, to whom;
• whether subject access and other individuals’ rights apply, i.e. the application of exemptions; and
• how long to retain the data or whether to make non-routine amendments to the data.


General obligations
Article 24: Responsibility of controller

Controller responsibilities (figure):
• Implement data protection policies
• Implement technical and organizational measures
• Adhere to codes of conduct


Data processors

Within the terms of the agreement with the data controller, and its
contract, a data processor may decide:
• what IT systems or other methods to use to collect personal data;
• how to store the personal data;
• the detail of the security surrounding the personal data;
• the means used to transfer the personal data from one organisation
to another;
• the means used to retrieve personal data about certain individuals;
• the method for ensuring a retention schedule is adhered to; and
• the means used to delete or dispose of the data.


Exercise
Controller or Processor?
Market research company
A bank contracts a market research company to carry out
some research. The bank’s brief specifies its budget and
that it requires a satisfaction survey of its main retail
services based on the views of a sample of its customers
across the UK. The bank leaves it to the research
company to determine sample sizes, interview methods
and presentation of results.


Exercise
Controller or Processor?
Payment services
An online retailer works in co-operation with a third-party
payment company to process customers’ transactions.


Exercise
Controller or Processor?
Accountants
A firm uses an accountant to do its books.


Controller vs Processor – test...

Cloud providers
A local authority uses a cloud provider to store data about its
housing stock and residents, rather than holding the data on its
own IT system. The cloud provider is also contracted to delete
certain data after a particular period and to grant members of the
public access to their own records via a secure online portal. It
also hosts a residents’ discussion forum.


General obligations

Article 25: Data protection by design and by default

• The controller shall implement appropriate technical and organisational measures.
• Only data necessary for each specific purpose is processed.
• The obligation applies to the following:
– the amount of data collected;
– the extent of the processing;
– the period of storage;
– the accessibility of that data.
• Personal data is not made accessible to an indefinite number of natural persons without the individual’s intervention.
• Pseudonymisation and minimisation are recognised techniques in data protection by design.
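Minimisation and pseudonymisation as concrete "data protection by design" measures, as an added example that is not from the course material. The purpose-to-fields table, the field names and the sample record are constructed assumptions. The point it shows beyond the slide: a plain hash of a short identifier can be recomputed by anyone who can enumerate the identifier space, whereas a keyed hash (HMAC) under a key stored separately from the data cannot, which is what makes the output a pseudonym rather than a disguised identifier.

```python
"""Added example (not from the course deck): data protection by design via
minimisation and pseudonymisation.

Assumptions made for this example: records are plain dicts, the table of
fields allowed per purpose is constructed, and the pseudonymisation key is
stored separately from the pseudonymised data.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Set

# Constructed table: only the fields necessary for each specific purpose
# are retained (the "by default" obligation on the amount of data collected
# and the extent of the processing).
FIELDS_BY_PURPOSE: Dict[str, Set[str]] = {
    "payroll": {"employee_id", "salary", "bank_sort_code"},
    "training_analytics": {"employee_id", "department", "training_attended"},
}

# Fields that identify a natural person directly; they are replaced by a
# keyed pseudonym so records can be linked only by whoever holds the key.
DIRECT_IDENTIFIERS: Set[str] = {"employee_id"}


def new_pseudonymisation_key() -> bytes:
    """Generate the key; keep it separate from the pseudonymised data."""
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of an identifier under the separately held key.

    Without the key the pseudonym cannot be recomputed from a guessed
    identifier, so re-identification requires access to the key holder.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(record: Dict[str, object], purpose: str) -> Dict[str, object]:
    """Keep only the fields documented as necessary for the purpose."""
    if purpose not in FIELDS_BY_PURPOSE:
        raise ValueError(f"no documented purpose: {purpose!r}")
    allowed = FIELDS_BY_PURPOSE[purpose]
    return {name: value for name, value in record.items() if name in allowed}


def prepare_for_purpose(record: Dict[str, object], purpose: str, key: bytes) -> Dict[str, object]:
    """Minimise the record for the purpose, then pseudonymise direct identifiers."""
    out = minimise(record, purpose)
    for name in DIRECT_IDENTIFIERS & set(out):
        out[name] = pseudonymise(str(out[name]), key)
    return out


if __name__ == "__main__":
    # Constructed sample record, not real data.
    employee = {
        "employee_id": "E1001",
        "name": "A. Person",
        "home_address": "1 Example Street",
        "salary": 42000,
        "bank_sort_code": "00-00-00",
        "department": "Sales",
        "training_attended": True,
    }
    key = new_pseudonymisation_key()
    print(prepare_for_purpose(employee, "training_analytics", key))
```

An undocumented purpose is rejected rather than silently given every field, which mirrors the requirement that consent and processing be tied to specific purposes; the same identifier yields the same pseudonym under one key, so analytics can still count per person, while a second key (for another purpose or recipient) yields unlinkable pseudonyms.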


Privacy by design

Privacy by default (figure):
• Respect for users
• Lifecycle protection
• Proactive
• Preventive
• Personal data


Privacy by design

Define the data security requirements:
• Confidentiality
• Integrity
• Availability

Understand the data workflow:
• Volume
• Variety
• Velocity

Understand impact on the individual:
• Damage
• Distress
• Disruption


General obligations

Article 27: Representatives of controllers or processors not established in the Union
• Where the controller or the processor is not established in the Union:
– They shall designate in writing a representative in the Union;
– Representative shall be established where data processing or profiling
resides;
– The representative shall be mandated to be addressed by supervisory
authorities and data subjects for the purposes of the Regulation;
– Designation of representative does not absolve controller or processor
from legal liabilities.


General obligations
Article 28: Processor
A legal contract must ensure that the processor:
• processes the personal data only on documented instructions from the
controller;
• ensures that persons authorised to process the personal data observe
confidentiality;
• takes appropriate security measures;
• respects the conditions for engaging another processor;
• assists the controller by appropriate technical and organisational
measures;
• assists the controller in ensuring compliance with the obligations to
security of processing;
• deletes or returns all the personal data to the controller after the end of
the provision of services;
• makes available to the controller all information necessary to
demonstrate compliance with the Regulation.


General obligations

Article 28: Processor

Model Clauses set out legal contract between Controller and Processor:
Definitions – personal data, data subject etc
Details of Transfer – special categories of data etc
Third Party Beneficiary Clause – data subject can enforce legal rights
Obligations of the data exporter – adherence to data protection law
Obligations of the data importer – process in accordance with instructions
Liability – entitlement to compensation
Mediation and Jurisdiction – by an independent person or court of the member state
Co-operation with Supervisory Authorities – deposit of contract and right to audit
Governing Law – where controller is established
Variation of Contract – undertaking not to vary model clauses
Sub Processing – no subcontracting of processing without prior consent
Obligation – for processor to return data


General obligations

Article 30: Records of processing activities

• The controller or their representative shall maintain a record of processing activities containing all of the following information:
– the name and contact details of the controller, joint controller,
controller's representative and data protection officer;
– the purposes of the processing;
– a description of the categories of data subjects and of the categories of
personal data;
– the categories of recipients to whom the personal data have been or will
be disclosed;
– international transfers of personal data and the documentation of
appropriate safeguards;
– the envisaged time limits for erasure of the different categories of data;
– a general description of the technical and organisational security
measures implemented.


Codes of conduct and certification

Article 40: Codes of conduct

• Codes of conduct available at national and European level.
• Associations and other representative bodies with regard to:
– fair and transparent processing;
– the legitimate interests pursued by controllers in specific contexts; i.e.
the collection of personal data;
– the pseudonymisation of personal data;
– the information provided to the public and to data subjects;
– the exercise of the rights of data subjects;


Session 12: Roles of, and Relationships between, controllers and processors

• Queries?

• Understanding?

• Implementation?


Session 13: Personal data, international organizations, non-EEA states and the EU-US Privacy Shield

At the end of this session delegates will be able to:

LG 13: Understand how to comply with GDPR requirements covering international organizations, non-EEA states (includes cloud data storage) and the EU-US Privacy Shield


Transfer of personal data to third countries or international organisations
Article 44: General principle for transfers
• Any transfer of personal data by controller or processor shall take place only if certain conditions are complied with:
a. Transfers on the basis of adequacy;
b. Transfers subject to the appropriate safeguards;
c. Binding corporate rules apply.

• All provisions shall be applied to ensure the protection of natural persons is not undermined.


Transfer of personal data to third countries or international organisations
Recitals 103-107, 169, Article 45

a) Transfers on the basis of adequacy

• A transfer may take place where there is an adequate level of protection.
• The adequacy criteria:
– the rule of law;
– respect for human rights and fundamental freedoms;
– relevant legislation, both general and sectoral, including:
o concerning public security;
o defence;
o national security; and
o criminal law.
• Official Journal of the European Union (published on the EU
Commission website)


Transfer of personal data to third countries or international organisations
Recitals 103-107, 169, Article 45

a) Transfers on the basis of adequacy

No restrictions on transfers to EEA countries


Transfer of personal data to third countries or international organisations
Recitals 103-107, 169, Article 45

a) Transfers on the basis of adequacy

The following additional countries are considered by the EU as having adequate data protection laws:

Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay


Transfer of personal data to third countries or international organisations
a) Transfers on the basis of adequacy

The GDPR limits your ability to transfer personal data outside the EU where this is based only on your own assessment of the adequacy of the protection afforded to the personal data.

• Authorisations of transfers made by Member States or supervisory authorities and decisions of the Commission regarding adequate safeguards made under the Directive will remain valid/remain in force until amended, replaced or repealed.


Transfers of personal data
Recitals 108-110, 114; Article 46
b) Transfers subject to appropriate safeguards
Adequate safeguards include:

• a legally binding agreement between public authorities or bodies;
• standard data protection clauses in the form of template transfer clauses adopted by the Commission;
• standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission;
• compliance with an approved code of conduct approved by a supervisory authority;
• certification under an approved certification mechanism as provided for in the GDPR;
• contractual clauses authorised by the competent supervisory authority; or
• provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority.

Transfer of personal data to third countries or international organisations
Recitals 111, 112, Article 49
Derogations – GDPR provides derogations from the general prohibition on transfers of personal data outside the EU for certain specific situations.

Conditions on when a derogation applies:

• made with the individual’s informed consent;
• necessary for the performance of a contract between the individual and the
organisation or for pre-contractual steps taken at the individual’s request;
• necessary for the performance of a contract made in the interests of the
individual between the controller and another person;
• necessary for important reasons of public interest;
• necessary for the establishment, exercise or defence of legal claims;
• necessary to protect the vital interests of the data subject or other persons,
where the data subject is physically or legally incapable of giving consent; or
• made from a register which under UK or EU law is intended to provide
information to the public (and which is open to consultation by either the public
in general or those able to show a legitimate interest in inspecting the register).


Transfer of personal data to third countries or international organisations
Recital 113, Article 49
What about one-off (or infrequent) transfers of personal data concerning only relatively few individuals?

One-off transfers are permitted only where the transfer:

• is not being made by a public authority in the exercise of its public powers;
• is not repetitive (similar transfers are not made on a regular basis);
• involves data related to only a limited number of individuals;
• is necessary for the purposes of the compelling legitimate interests of the organisation (provided such interests are not overridden by the interests of the individual); and
• is made subject to suitable safeguards put in place by the organisation (in the light of an assessment of all the circumstances surrounding the transfer) to protect the personal data.

In these cases, organisations are obliged to inform the relevant supervisory authority of the transfer and provide additional information to individuals.

Transfer of personal data to third countries or international organisations
Recitals 71, 50, 53, 153-165; Articles 6, 9, 23, 85-91
Derogations:
Member States can introduce exemptions from the GDPR’s transparency obligations and
individual rights, but only where the restriction respects the essence of the individual’s
fundamental rights and freedoms and is a necessary and proportionate measure in a
democratic society to safeguard:

• national security;
• defence;
• public security;
• the prevention, investigation, detection or prosecution of criminal offences;
• other important public interests, in particular economic or financial interests, including
budgetary and taxation matters, public health and security;
• the protection of judicial independence and proceedings;
• breaches of ethics in regulated professions;
• monitoring, inspection or regulatory functions connected to the exercise of official authority
regarding security, defence, other important public interests or crime/ethics prevention;
• the protection of the individual, or the rights and freedoms of others; or
• the enforcement of civil law matters.


Model Contract Clauses as a basis for transferring personal data outside the EEA
The European Commission is empowered to recognise standard contractual clauses (known as model contract clauses) as offering adequate safeguards for the purposes of Article 26(2).

• Set II controller – controller (2004): controller to controller
• Set II controller – processor (2010): controller to processor


Model Contract Clauses as a basis for transferring personal data outside the EEA
Controller-to-controller clauses
• The model clauses impose obligations on both the exporter and the importer of the data to ensure that the transfer arrangements protect the rights and freedoms of the data subjects.


Model Contract Clauses as a basis for transferring personal data outside the EEA
Amending the clauses, incorporating the clauses in other contracts and inserting additional clauses

• If you are relying on any of the European Commission sets of model contract clauses as ‘stand-alone contracts’ you cannot change the clauses in any way (other than to add an additional party, such as an additional data importer).

• The model contract clauses may be incorporated into other contracts (such as data processing service agreements) provided nothing in the other contract or additional clauses alters the effect of any of the model clauses.

Model Contract Clauses as a basis for transferring personal data outside the EEA
Drawbacks with the use of contracts

• Potentially hundreds of contracts are required to cover transfers between all entities.
• The burden of keeping contracts up to date with a changing corporate structure can be difficult and time consuming.


Binding corporate rules

What are Binding Corporate Rules designed to achieve?

• Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of the EEA.

• Applicants must demonstrate that their BCRs put in place adequate safeguards for protecting personal data throughout the organisation.


Binding corporate rules

How to get authorisation for BCRs?

• You need to choose a supervisory authority to be the lead authority.

• If the lead authority is satisfied as to the adequacy of the safeguards put in place in your BCRs, that authority’s decision is binding across the other supervisory authorities in Europe.

It is important to note that BCRs do not provide a basis for transfers made outside the group.


Binding corporate rules

What are the benefits of BCRs?

• BCRs can provide a framework for intra-group transfers.
• Ongoing obligation to monitor your compliance:
– regular audits
– maintain a training programme for staff handling personal data.

Any change to process requires a reapplication.


Privacy Shield
Applies to transfers to US only
• The decision on the EU-U.S. Privacy Shield was adopted by the European Commission on 12 July 2016

Commercial sector:
• Strong obligations on companies and robust enforcement
• Redress: directly with the company; with the data protection authority; Privacy Shield panel

U.S. Government access:
• Clear safeguards and transparency obligations
• Monitoring: annual joint review mechanism between the US Department of Commerce and the EU Commission


Privacy Shield
Applies to transfers to US only

Why should an organization that previously participated in the Safe Harbor program self-certify to the Privacy Shield?

• The Privacy Shield Framework was deemed adequate by the European Commission.
• Participating organizations are deemed to provide “adequate” privacy protection.
• Compliance requirements of the Privacy Shield Framework are clearly laid out and can be implemented by small and medium-sized enterprises.

Privacy Shield
Applies to transfers to US only
How will an organization’s participation in the U.S.-EU Safe Harbor Framework be affected by it joining the EU-U.S. Privacy Shield Framework?

• Privacy Shield supersedes Safe Harbor (mutually exclusive)
• Withdrawal from Safe Harbor requires recertification from Privacy Shield.
• NB: Privacy Shield reflects DPD, not GDPR.


Privacy Shield
Applies to transfers to US only

• The information that an organization must provide during the self-certification process includes:
• Organisation information
– Company name
– Address
– Contact
– Mechanism to investigate complaints
– Description of privacy policy

• The following URL must be included in an organization’s privacy policy to meet the Framework requirement: https://www.privacyshield.gov


Privacy Shield Principles

1. Notice
2. Choice
3. Accountability for Onward Transfer
4. Security
5. Data Integrity and Purpose Limitation
6. Access
7. Recourse, Enforcement and Liability


Apps & Cloud Services


GDPR: Controllers or processors outside the EU
Article 27: Representatives of controllers or processors not
established in the Union
– Recital 23: In order to determine whether such a controller or processor is offering
goods or services to data subjects who are in the Union, it should be ascertained
whether it is apparent that the controller or processor envisages offering services to
data subjects in one or more Member States in the Union. Whereas the mere
accessibility of the controller's, processor's or an intermediary's website in the Union,
of an email address or of other contact details, or the use of a language generally
used in the third country where the controller is established, is insufficient to ascertain
such intention, factors such as the use of a language or a currency generally used in
one or more Member States with the possibility of ordering goods and services in that
other language, or the mentioning of customers or users who are in the Union, may
make it apparent that the controller envisages offering goods or services to data
subjects in the Union.
• Where the controller or the processor are not established in the Union:
– They shall designate in writing a representative in the Union;
– Representative shall be established where data processing or profiling resides;
– The representative shall be mandated to be addressed by supervisory authorities and
data subjects for the purposes of the Regulation;
– Designation of representative does not absolve controller or processor from legal
liabilities.

GDPR: Cloud processor obligations
Policy and procedure requirements
Article 28: Processor
A legal contract must ensure that the processor:
• processes the personal data only on documented instructions from the
controller;
• ensures that persons authorised to process the personal data observe
confidentiality;
• takes appropriate security measures;
• respects the conditions for engaging another processor;
• assists the controller by appropriate technical and organisational
measures;
• assists the controller in ensuring compliance with the obligations to
security of processing;
• deletes or returns all the personal data to the controller after the end of
the provision of services;
• makes available to the controller all information necessary to
demonstrate compliance with the Regulation.


International transfers & Cloud providers

• The Cloud is not automatically territorially limited
• Any transfer of personal data by controller or processor shall take
place only if certain conditions are complied with:
– Transfers on the basis of adequacy;
– Transfers subject to the appropriate safeguards
– Binding corporate rules apply.
• All provisions shall be applied to ensure the protection of natural
persons is not undermined.
• To countries with similar data protection regulations
– Cloud providers are a key risk area
– Highest penalties apply to breaches of these provisions
• Cloud providers need to ensure they are able to differentiate their
EU and non-EU provision and provide clarity to data subjects and
controllers

Cloud Controls Matrix

• Application & Interface Security (controls AIS-01 to 03)
• Audit Assurance & Compliance (AAC-01 to 03)
• Business Continuity Management & Operational Resilience (BCR-01 to 12)
• Change Control & Configuration Management (CCC-01 to 05)
• Data Security & Information Lifecycle Management (DSI-01 to 08)
• Datacentre Security (DCS-01 to 09)
• Encryption & Key Management (EKM-01 to 04)
• Governance and Risk Management (GRM-01 to 12)
• Human Resources (HRS-01 to 12)
• Identity & Access Management (IAM-01 to 13)
• Infrastructure & Virtualization Security (IVS-01 to 12)
• Interoperability & Portability (IPY-01 to 05)
• Mobile Security (MOS-01 to 20)
• Security Incident Management, E-Discovery & Cloud Forensics (SEF-01 to 05)
• Supply Chain Management, Transparency and Accountability (STA-01 to 09)
• Threat and Vulnerability Management (TVM-01 to 03)


Cloud-based services

• Controller still needs legitimizing reason for transfer;
• Data protection principles still apply;
• Use of model clauses meets the above requirement;
• Obligation is on the data controller to ensure compliance with
law;
• Obligation on the data controller to inform data subjects of
transfer.


Exercise
• Identify, in Baratheon’s relationship with Calamity Jane,
the roles of both parties in relation to one another and in
relation to the personal data that is processed within
that relationship.
• Identify the key contractual requirements that need to be
in place.
• Identify any exposures either organization may have in
terms of trans-border data flows


Session 13: Personal data, international organizations, non-EEA states and the EU-US Privacy Shield

• Queries?

• Understanding?

• Implementation?


Day 3: The Course?

• Queries?

• Understanding?

• Implementation?


EU GDPR
Practitioner Course
DAY 4
IT Governance


Day 4

16. Incident response and data breach reporting
17. Enforcement, regulatory and compensatory issues
18. Transition to, and demonstrating compliance with, the GDPR


Learning goals

At the end of Day 4 delegates will be able to:

LG 14: Understand incident response management and how to comply with the GDPR’s data breach reporting requirements
LG 15: Understand the range of enforcement, regulatory and compensatory aspects of the GDPR
LG 16: Understand how to transition to, and demonstrate compliance with, the GDPR

Session 16: Incident response and data breach reporting

At the end of this session delegates will be able to:

LG 14: Understand incident response management and how to comply with the data breach reporting requirements

Article 33: Personal data breaches

• The definition of a personal data breach in the GDPR:
– A 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
– Discussion:
o What steps are necessary to ensure personal data breaches are reported internally?
o What steps are necessary to reduce the likelihood of the range of possible personal data breaches?

Article 33: Personal data breaches

• Obligation for data processor to notify data controller
– Notification without undue delay after becoming aware
– No exemptions
– All data breaches have to be reported
– EDPB to issue clarification with regard to ‘undue delay’

Article 33: Personal data breaches

• Obligation for data controller to notify the supervisory authority
– Notification without undue delay and not later than 72 hours
– Unnecessary in certain circumstances
– Description of the nature of the breach
o Categories of data
o Approximate numbers of records and data subjects affected
– Describe likely consequences
– Describe measures taken – or to be taken – to mitigate the breach
– Communicate details of the Data Protection Officer
– No requirement to notify if unlikely to result in a high risk to the rights and
freedoms of natural persons
– Failure to report within 72 hours must be explained
– Controller must document personal data breaches, effects and remedial
action – to enable assessment of compliance with these requirements
– EDPB to issue further clarification with regard to “undue delay”

Article 34: Personal data breaches

• Obligation for data controller to communicate a personal data breach to data subjects
– Communication to the data subject without undue delay if high risk
– Communication in clear plain language
– Supervisory authority may compel communication with data subject
– Exemptions if:
o Appropriate technical and organisational measures taken
o High risk to data subject will not materialise
o Communication with data subject would involve disproportionate effort
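The Article 33 and 34 decision points on these two slides, worked through as an added Python example that is not part of the course material: the 72-hour supervisory-authority deadline counted from the moment of awareness, the late-notification reason requirement, the high-risk trigger for telling data subjects with its three exemptions, and the Article 33(5) register entry. The risk scoring (the `HIGH_RISK_CATEGORIES` set and the 1,000-subject threshold) is a hypothetical model chosen for illustration, not something the Regulation or the course prescribes.

```python
"""Breach triage per GDPR Articles 33 and 34 (added example, not course material)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SA_DEADLINE = timedelta(hours=72)  # Art. 33(1): notify the supervisory authority within 72 h
# Hypothetical: categories this example treats as high risk to data subjects.
HIGH_RISK_CATEGORIES = {"health", "payment card", "credentials", "children"}


@dataclass
class Breach:
    aware_at: datetime              # when the controller became aware (tz-aware)
    categories: frozenset           # categories of personal data affected
    subjects: int                   # approximate number of data subjects
    records: int                    # approximate number of records
    unintelligible: bool = False    # Art. 34(3)(a): e.g. encrypted, key not exposed
    contained: bool = False         # Art. 34(3)(b): later measures, high risk no longer likely
    disproportionate: bool = False  # Art. 34(3)(c): individual contact not feasible


@dataclass
class Decision:
    risk: str                       # "unlikely", "risk" or "high"
    notify_sa: bool                 # Art. 33: supervisory authority
    sa_deadline: Optional[datetime]
    notify_subjects: bool           # Art. 34: individual communication
    public_notice: bool             # Art. 34(3)(c) fallback
    basis: str                      # reasoning to record in the breach register


def assess_risk(b: Breach) -> str:
    """Hypothetical scoring model, not prescribed by the Regulation or the course:
    unintelligible data -> unlikely; special/financial categories or a large
    population -> high; anything else -> risk."""
    if b.unintelligible:
        return "unlikely"
    if b.categories & HIGH_RISK_CATEGORIES or b.subjects >= 1000:
        return "high"
    return "risk"


def decide(b: Breach) -> Decision:
    risk = assess_risk(b)
    notify_sa = risk != "unlikely"  # Art. 33(1): exempt only if unlikely to result in a risk
    deadline = b.aware_at + SA_DEADLINE if notify_sa else None
    notify_subjects = risk == "high"  # Art. 34(1): high risk to rights and freedoms
    public_notice = False
    basis = f"risk assessed as {risk}"
    if notify_subjects and b.contained:
        notify_subjects = False  # Art. 34(3)(b): high risk no longer likely to materialise
        basis += "; Art. 34(3)(b) exemption"
    elif notify_subjects and b.disproportionate:
        notify_subjects, public_notice = False, True  # Art. 34(3)(c): public communication
        basis += "; Art. 34(3)(c) public communication"
    return Decision(risk, notify_sa, deadline, notify_subjects, public_notice, basis)


def needs_delay_reason(d: Decision, now: datetime) -> bool:
    """Art. 33(1): a notification made after 72 hours must be accompanied by reasons."""
    return d.notify_sa and now > d.sa_deadline


def register_entry(b: Breach, d: Decision) -> dict:
    """Art. 33(5): document the facts, effects and remedial action for the SA to verify."""
    return {
        "aware_at": b.aware_at.isoformat(),
        "categories": sorted(b.categories),
        "subjects": b.subjects,
        "records": b.records,
        "risk": d.risk,
        "sa_notify_by": d.sa_deadline.isoformat() if d.sa_deadline else None,
        "subjects_notified": d.notify_subjects,
        "public_notice": d.public_notice,
        "basis": d.basis,
    }


if __name__ == "__main__":
    # Constructed sample: an unencrypted laptop holding a marketing contact list is lost.
    lost_laptop = Breach(datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc),
                         frozenset({"contact"}), subjects=250, records=250)
    print(register_entry(lost_laptop, decide(lost_laptop)))
```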

Session 14 – Incident response and data breach reporting

Breach landscape

• Not if, but when
• Being prepared is key
• Develop the resilience to respond
• Don’t wait until after the event
• 72-hour window to respond
• How and when you respond goes towards mitigation
• Incident response mandated in ISO 27001, ISO 22301 and PCI DSS

Incident response: top ten challenges

• Organisations can have significant difficulty in responding to cyber security incidents, particularly sophisticated cyber security attacks.
• The top ten challenges organisations face in responding to a cyber security incident in a fast, effective and consistent manner are:
– Identifying a suspected cyber security incident;
– Establishing the objectives of an investigation and a clean-up operation;
– Analysing all available information related to the potential cyber security incident;
– Determining what has actually happened;
– Identifying what systems, networks and information (assets) have been compromised;
– Determining what information has been disclosed to unauthorised parties, stolen,
deleted or corrupted;
– Finding out who did it and why;
– Working out how it happened;
– Determining the potential business impact of the cyber security incident;
– Conducting sufficient investigation using forensics to identify those responsible.

CREST Cyber incident response process

• Prepare:
– Conduct a criticality assessment;
o Which critical systems are most likely to be breached?
– Carry out a cyber security threat analysis;
o Which threats are most likely to succeed?
– Consider the vulnerabilities in people, process, technology and information, including weaknesses in defence in depth;
– Analyse and assess the risks;
– Identify additional control requirements;
– Review your state of readiness for cyber security incident response.

CREST Cyber incident response process

• Respond:
– Identify cyber security incident/s;
– Define objectives and investigate the situation;
– Take appropriate action;
– Recover systems, data and connectivity.

CREST Cyber incident response process

• Follow up:
– Investigate incident more thoroughly;
– Report incident to relevant stakeholders;
– Carry out a post incident review;
– Communicate and build on lessons learned;
– Update key information, controls and processes;
– Perform trend analysis.

Cyber security assurance

• GDPR requirement – data controllers must implement:
– “appropriate technical and organizational measures to ensure and to be able to demonstrate that the processing is performed in accordance with the regulation.”
– Must include appropriate data protection policies
– Organizations may use adherence to approved codes of conduct or
management system certifications “as an element by which to demonstrate
compliance with their obligations”
– ICO and BSI are both developing new GDPR-focused standards
• ISO 27001 already meets the “appropriate technical and
organizational measures” requirement
• It provides assurance to the board that data security is being
managed in accordance with the regulation
• It helps manage ALL information assets and all information security
within the organization – protecting against ALL threats

Cyber incident reality

• Most organizations have inadequate cyber defences
• Under-defended organizations may already have crimeware and malware in their systems
• Breaches are inevitable
• Even given adequate budget and resources, establishing
adequate security will take time
• Therefore, in parallel:
– Establish a Cyber security incident response team
– Establish reporting and escalation processes, with appropriate training
– SIRO (Senior Incident Response Officer)
– Identify, anticipate and document breach scenarios
– Plan and document remedial action to mitigate breaches
– Plan, document and test breach reporting process

Exercise
• Identify two areas in Baratheon most vulnerable to a personal data
breach
• Propose members of a Baratheon cyber incident response team

Session 16: Incident response and data breach reporting

• Queries?

• Understanding?

• Implementation?

Session 17: Enforcement, regulatory and compensatory issues

At the end of this session delegates will be able to:

LG 15: Understand the range of enforcement, regulatory and compensatory aspects of the GDPR

Enforcement, regulatory and compensatory issues

Remedies, liability and penalties

Article 77: Right to lodge a complaint with a supervisory authority

– Every data subject has the right to lodge a complaint with a supervisory authority
– In Member State of habitual residence
– Place of work
– Place of alleged infringement

• Supervisory authority shall inform the complainant of progress, including the possibility of judicial remedy

Remedies, liability and penalties

Article 78: Right to an effective judicial remedy against a supervisory authority

– Right to judicial remedy against a legally binding decision.
– Right to judicial remedy where the supervisory authority does not handle a complaint or does not inform data subject of progress or outcome.
– Judicial remedy shall be brought before the courts of the Member State where the supervisory authority is established.
– Supervisory authority must provide opinion or decision of the Board to the court.

Remedies, liability and penalties

Article 79: Right to an effective judicial remedy against a controller or processor

– Right to judicial remedy where their rights have been infringed as a result of the processing of personal data.
– Proceedings shall be brought before the courts of the Member State where the controller or processor has an establishment.
– Proceedings may be brought before the courts of the Member State where the data subject habitually resides.

Remedies, liability and penalties

Article 82: Right to compensation and liability

– Any person who has suffered material, or non-material, damage shall have the right to receive compensation from the controller or processor.
– Controller involved in processing shall be liable for damage caused by
processing.
– Processor liable only for damage caused by processing or where it has
acted contrary to lawful instructions of the controller.
– Exemption for controller and processor where they are not responsible.
– Joint and several liability to ensure effective compensation.
– Compensation clawback provision.

Remedies, liability and penalties

Article 83: General conditions for imposing administrative fines

– Imposition of administrative fines will in each case be effective, proportionate, and dissuasive.

– Administrative fine imposed in addition to, or instead of, the corrective powers of the supervisory authority in Article 58(2):
o Issue warnings;
o Issue reprimands;
o Order compliance with data subjects’ requests;
o Communicate the personal data breach directly to the data subject

Remedies, liability and penalties

Article 83: General conditions for imposing administrative fines

– the nature, gravity and duration of the infringement;
– the intentional or negligent character of the infringement;
– any action taken by the controller or processor to mitigate the
damage suffered by data subjects;
– the degree of responsibility of the controller or processor taking into
account technical and organisational measures implemented by
them;

Remedies, liability and penalties (cont.)

Article 83: General conditions for imposing administrative fines

– any relevant previous infringements;
– the degree of cooperation;
– the categories of personal data affected by the infringement;
– the manner in which the infringement became known;
– where corrective powers have previously been ordered against the
controller or processor;
– adherence to approved codes of conduct or approved certification
mechanisms;
– and any other aggravating or mitigating factors.

Remedies, liability and penalties (cont.)

Article 83: General conditions for imposing administrative fines
• € 10,000,000 or, in case of an undertaking, 2% total worldwide annual turnover in the preceding financial year (whichever is greater):
• Articles
– 8: Child’s consent
– 11: Processing not requiring identification
– 25: Data protection by design and by default
– 26: Joint controllers
– 27: Representatives of controllers not established in EU
– 26 - 29 & 30: Processing
– 31: Cooperation with the supervisory authority
– 32: Data Security
– 33: Notification of breaches to supervisory authority
– 34: Communication of breaches to data subjects
– 35: Data protection impact assessment
– 36: Prior consultation
– 37 - 39: DPOs
– 41(4): Monitoring approved codes of conduct
– 42: Certification
– 43: Certification bodies

Remedies, liability and penalties (cont.)

Article 83: General conditions for imposing administrative fines

• € 20,000,000 or, in case of an undertaking, 4% total worldwide annual turnover in the preceding financial year (whichever is higher)
• Articles
– 5: Principles relating to the processing of personal data
– 6: Lawfulness of processing
– 7: Conditions for consent
– 9: Processing special categories of personal data (i.e. sensitive personal
data)
– 12 - 22: Data subject rights to information, access, rectification, erasure,
restriction of processing, data portability, object, profiling
– 44 - 49: Transfers to third countries
– 58(1): Requirement to provide access to supervisory authority
– 58(2): Orders/limitations on processing or the suspension of data flows

Session 17: Enforcement, regulatory and compensatory issues

• Queries?

• Understanding?

• Implementation?

Session 18: Transition to, and demonstrating compliance with, the GDPR

At the end of this session delegates will be able to:

LG 16: Understand how to transition to, and demonstrate compliance with, the GDPR

Accountability & governance framework

• Brief the board on GDPR – risks and rewards
• Board support for a GDPR compliance project
– Resources (people, money, time)
– Top management support (tone from the top)
• Accountable director
• Incorporate data protection risk into corporate risk
management and internal control framework
• Create a project team
• Establish the DPO

Scope and plan project

• Identify which entities will be in scope
– Business units, territories, jurisdictions
– Interfaces and dependencies – identify third party relationships in which you
are the processor or controller
– Identify contract managers for them all
• Identify other already-implemented standards, frameworks or management systems that may be impacted – or could contribute
– ISO 9001
– ISO 27001
– ISO 20000
– ISO 22301
– PCI DSS
• Identify IT or other business projects about to commence or
currently under way and which involve processing personal data –
consider whether these should be early candidates for DPIA activity

Project team

• Create a project team
– Use existing project management methodology
o PID
o Identified project roles and responsibilities
o Training and awareness for project team
o Necessary resources
o Top management sign-off, etc.
– Appoint a project manager (probably not the DPO!)
– Create a project plan
– Create an internal communications strategy

Quick wins (but time required)

• Identify high risk databases
– HR databases
– Customer databases (contact details, payment cards, etc.)
– Mobile devices (laptops, phones, pads)
– Initiate a feasibility study into deploying encryption
• Identify high risk data flows
– Email that contains high volumes of personal data
– Initiate a feasibility study into deploying encryption
• Identify Internet-facing IP addresses and URLs
– Ensure there are up-to-date penetration tests
– Ensure there is an effective plan for vulnerability remediation
• Identify and cull old data archives
– Unless you already have/can identify a lawful basis for processing, you may find
yourself holding much illegal information – get rid of it
– Requires a retention policy, and clarity about lawfulness (under DPA) of deleting it

Data inventory

• Build on scoping work, archive listing and ‘quick wins’
• What categories of personal data are you collecting or processing?
• Where does it come from and what was the basis on which it was received?
• What security controls are currently in place?
• What do you have to do to bring your processing of those data categories into alignment with GDPR?

Data flow audit

• Much more detailed than the data inventory
– More relevant for large complex organisations with complex processes
• Identify for all the data categories
– Roles and responsibilities
– Underlying assets
– Changes in access
– Changes in processing
• Identify data breach risks and generate a remediation plan
– Prioritise implementation of remediation
– Ensure appropriate privacy notices are in place asap for all new
processing – which means data you collect now will be under a
compliant process by May 2018

Detailed gap analysis

• Once you have details about exactly what data flows where, how, to whom, and in what format, you can assess detailed compliance with:
– Data privacy principles
– Requirements on controllers and processors
– Appropriate technical and organizational measures
– Trans-border data flows

Create/improve key processes

• Draft Article 30 compliance statements
• Commence drafting data protection policy
• Data subject access request process
• Incident response/breach reporting process
– Integrate with existing service desk/helpdesk processes
– Integrate with existing business continuity processes
• Ensure appropriate privacy notices are in place for all new
processing
• Identify and prioritise necessary contract reviews
– Employees
– Customers
– Partners, processors – particularly cloud-based organizations

Communications strategy

• Build on initial work
• Cover all staff within scope
• Reflect contract negotiations
• Regular staff awareness and briefings
– Integrate with Cyber Security Staff awareness
– Consider e-learning for staff awareness
o Administrative aspects – proof of attendance, proof of knowledge

Draw breath!

• Review what is on track, and what not
• Re-prioritise to minimise exposure on 25 May 2018

Session 18: Transition to, and demonstrating compliance with, the GDPR

• Queries?

• Understanding?

• Implementation?

Final session: Summary and recap

Recap – New concepts in GDPR

• Accountability
• Transparency
• Children’s data
• Definition of personal data
• Pseudonymisation
• Data breach reporting
• Enhanced rights
• European data protection board

Principles...from 8 to 6

1. Lawful and fair
2. Specific purpose
3. Adequate, relevant, not excessive
4. Accurate and up to date
5. Retention
6. Rights – no longer a principle – Chapter 3
7. Security
8. Transfers – no longer a principle – Chapter 5

Recap – 2 new rights

• Right to be forgotten
• Right to data portability

Recap – Mandatory Breach reporting

• Must report breaches within 72 hours
• Not necessary to notify where breach is “unlikely to result in a risk for the rights and freedoms” of data subjects

Recap – Data subject access

• Fee abolished
• Time period reduced from 40 days to 1 month

Recap – Obligations of controllers and processors
• Processors are now liable for processing only
• Data protection by design and default
• Controllers or processors outside EU must designate a
representative where the data processing or profiling resides.
• Specific requirements for legal contracts
• Accountability
– Maintain records of processing activities
– Appoint DPO where appropriate

Practitioner (C-GDPR-P) exam

• IBITGQ examination
• ISO/IEC 17024-certified exam
• 90 minutes
• 40 questions
• 65% pass mark

Day 4: The Course?

• Queries?

• Understanding?

• Implementation?

The course?

• Queries?

• Understanding?

• Implementation?

• Objectives achieved?

Thank you!

Thank you for attending!

Delegate-only discount: Save 20% on GDPR-compliant documentation

EU General Data Protection Regulation (GDPR) Documentation Toolkit

Contains:
• Pre-written GDPR documentation, including all the
necessary policies and procedures
• Project tools to help manage and integrate the
GDPR across your organisation
• Guidance documents to help you map the flow of
data

Use GDPR20 at the checkout to save 20%

Shop: www.itgovernance.co.uk/shop/product/eu-general-data-protection-regulation-gdpr-documentation-toolkit

What next?

• IT Governance consultancy/mentoring/ongoing support?

• Further training?

• ISO 27001 or BS 10012 implementation?

• GDPR document toolkit or bespoke review?

Stay in touch!

• Visit our website: www.itgovernance.co.uk

• E-mail us: [email protected]

• Call us: 0845 070 1750

• Follow us on Twitter: www.twitter.com/itgovernance

• Read our blog: http://itgovernance.co.uk/blog

• Join us on LinkedIn: www.linkedin.com/company/it-governance

• Join us on Facebook: www.facebook.com/ITGovernanceLtd
