The GDPR and its requirements for implementing data protection impact assessments (DPIAs)

1 The GDPR and its requirements for implementing data protection impact assessments (DPIAs)
Presented by: Alan Calder, founder and executive chairman, IT Governance
7 September 2017

2 Introduction
Alan Calder, Founder of IT Governance
IT Governance: the single source for IT governance, cyber risk management and IT compliance
Author of IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002, 6th edition (Open University textbook)

3 IT Governance Ltd: GRC one-stop shop
All verticals, all sectors and all organisational sizes

4 Agenda
The GDPR's impact and the benefits of conducting a DPIA
The legal requirements for a DPIA under the GDPR
High-risk DPIAs and prior consultation with the supervisory authority
DPIAs and their links to an organisation's risk management framework
The practical steps to conduct a DPIA

5 The GDPR's impact and the benefits of conducting a DPIA

6 The GDPR's impact
UK organisations that process personal data only have a short time to make sure that they are compliant.
The Regulation extends the data rights of individuals, and requires organisations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organisational measures.
"This Regulation shall be binding in its entirety and directly applicable in all Member States."
Timeline:
8 April: The Council of the European Union adopted the GDPR
April: The GDPR was adopted by the European Parliament
May: The official text of the Regulation was published in the Official Journal of the EU
May: The Regulation entered into force
May 2018: The GDPR will apply
Final text of the Regulation:

7 Material and territorial scope
Natural person = a living individual
Natural persons have rights associated with:
The protection of personal data
The processing of personal data
The unrestricted movement of personal data within the EU
In material scope:
Personal data that is processed wholly or partly by automated means;
Personal data that is part of a filing system, or intended to be.
The Regulation applies to controllers and processors in the EU, irrespective of where processing takes place.
It applies to controllers outside the EU that provide services into the EU.

8 Penalties
Administrative fines
Administrative fines will, in each case, be effective, proportionate and dissuasive, and take account of the technical and organisational measures that have been implemented.
€10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year.
€20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year.

9 Key terms
Article 35: Data protection impact assessments help identify and address risks at an early stage by analysing how the proposed uses of personal information and technology will work in practice, and proposing methods to mitigate identified risks.
A DPIA is a process to identify and reduce the privacy risks of a project or a system.
An effective DPIA should be initiated and maintained throughout the development and implementation of a project or system.
It analyses how a particular project or system will affect the privacy and rights of the data subjects involved.

10 The benefits of a DPIA: TRANSPARENCY
Improve how you use information.
Helps individuals understand how and why their information is being used.
It addresses:
Principle 1: Fair and lawful processing
Principle 2: Purpose limitation

11 The benefits of a DPIA: TRUST
Publish your DPIA to build TRUST.
Applies to all GDPR principles, particularly principle 6: Security.

12 The benefits of a DPIA: FINANCIAL
Minimise the amount of information you collect.
Identifying a problem early will generally require a simpler and less costly solution.
It applies to principle 3: Data minimisation.

13 The benefits of a DPIA: AWARENESS
Increase awareness of privacy and data protection issues within your organisation.

14 The benefits of a DPIA: COMPLIANCE
Comply with your GDPR obligations.

15 The benefits of a DPIA: ASSURANCE
Individuals will be reassured that your project has followed best practice.

16 The legal requirements for a DPIA under the GDPR

17 Legal requirements for a DPIA
Article 35: Data protection impact assessment
A DPIA is required:
Where processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.
A DPIA is particularly required in the case of:
Automated processing, including profiling, on which decisions are based that produce legal effects concerning natural persons;
Large-scale processing of special categories of data or of personal data relating to criminal convictions;
Systematic monitoring of a publicly accessible area on a large scale.
The controller shall seek the advice of the DPO.
The supervisory authority is to publish a list of operations that require a DPIA.

18 Legal requirements for a DPIA
A DPIA will set out as a minimum:
a systematic description of the processing and its purposes;
the legitimate interests (where applicable) pursued by the controller;
an assessment of the necessity and proportionality of the processing;
an assessment of the risks to the rights and freedoms of the data subjects;
the measures envisaged to address the risks, including all safeguards and security measures to protect data and to demonstrate compliance.
Compliance with approved codes of conduct should be taken into account.
Where appropriate, consult the data subjects.

19 Legal requirements for a DPIA
Is a full DPIA required? Not all projects will require the same level of analysis.
If the outcome of the screening is that a standard DPIA is not required, it might still be useful to carry out a light-touch DPIA exercise.
In any case, it will still be useful to retain a record of the answers so they can be referred to in future if necessary.

20 High-risk DPIAs and prior consultation with the supervisory authority

21 What is risk?
The effect of uncertainty on objectives (ISO etc).
A combination of the likelihood of an incident occurring and the impact, if it does occur, on the organisation.
A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through pre-emptive action (businessdictionary.com).
Risk can be good or bad.

22 Privacy risk and what it means
Risks to individuals: the potential for damage or distress.
Risks to the organisation: the financial and/or reputational impact of a data breach.
Privacy risk should already be on the CORPORATE RISK REGISTER.

23 Examples of privacy risk
Data that is:
Inaccurate, insufficient or out of date
Kept for too long
Excessive or irrelevant
Disclosed to the wrong people
Insecurely transmitted or stored
Used in ways that are unacceptable or unexpected

24 Examples of where you might use a DPIA
A database that consolidates information held by separate parts of an organisation.
Monitoring members of the public.
A new IT system for storing and accessing personal data.
An unexpected or more intrusive purpose.
A data sharing initiative.

25 Risk treatment
What actions address the risks?
Reduce the impact to an acceptable level.

26 Prior consultation
Article 36: Prior consultation
The controller shall consult the supervisory authority prior to processing where the DPIA indicates a high risk to the rights and freedoms of the data subjects:
The supervisory authority shall provide written advice to the controller
The supervisory authority may request that the controller provide further information:
Information on purposes and means
Information on measures and safeguards
The contact details of the DPO
A copy of the data protection impact assessment
Any other information requested

27 DPIAs and their links to an organisation's risk management framework

28 The GDPR and risk management frameworks
Article 32: Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
KEY AREAS:
Information/cyber security management systems (e.g. ISO 27001)
Business continuity management systems (e.g. ISO 22301)
Personal information management systems (e.g. BS 10012)
Certifications do not remove or reduce accountability for data protection, but will demonstrate non-negligence in approaching the Article 32 requirement.

29 The GDPR and risk management frameworks
Article 32: The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Article 24(1): Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.
The DPO plays a key bridging role between corporate risk management, broader cyber security risk management and managing risks to personal data.
NB: Network and Information Security Directive and Government Cyber Security Strategy

30 The practical steps to conduct a DPIA

31 The practical steps to conduct a DPIA
STEP 1: Identify the need for a DPIA

32 The practical steps to conduct a DPIA
STEP 2: Describe the information flow

33 The practical steps to conduct a DPIA
STEP 3: Identify privacy and related risks

34 The practical steps to conduct a DPIA
STEP 4: Identify and evaluate privacy solutions

35 The practical steps to conduct a DPIA
STEP 5: Sign off and record the outcome

36 The practical steps to conduct a DPIA
STEP 6: Integrate the outcomes into the project plan

37 The practical steps to conduct a DPIA
STEP 7: Monitor and evaluate; feed lessons learned back into the process
NB: Consult with stakeholders as needed, before, during and after.

38 IT Governance: GDPR one-stop shop
Self-help materials
A pocket guide: /shop/product/eu-gdpr-a-pocket-guide
Implementation manual: /shop/product/eu-general-data-protectionregulation-gdpr-animplementation-and-complianceguide
Documentation toolkit: /shop/product/eu-general-dataprotection-regulation-gdprdocumentation-toolkit
Compliance Gap Assessment Tool: /shop/product/eu-gdpr-compliance-gapassessment-tool

39 IT Governance: GDPR one-stop shop
Training courses
One-day accredited Foundation course (classroom, online, distance learning): /shop/product/certified-eu-general-dataprotection-regulation-foundation-gdpr-training-course
Four-day accredited Practitioner course (classroom, online, distance learning): /shop/product/certified-eu-general-dataprotection-regulation-practitioner-gdpr-training-course
One-day data protection impact assessment (DPIA) workshop (classroom): /shop/product/data-protection-impactassessment-dpia-workshop

40 IT Governance: GDPR one-stop shop
GDPR consultancy
Gap analysis: Our experienced data protection consultants can assess the exact standing of your current legal situation, security practices and operating procedures in relation to the Data Protection Act (DPA) or the GDPR.
Data flow audit: Data mapping involves plotting out all of your data flows, which involves drawing up an extensive inventory of the data to understand where the data flows from, within and to. This type of analysis is a key requirement of the GDPR.
Data Protection Officer (DPO) as a Service: Outsourcing the DPO role can help your organisation address the compliance demands of the GDPR while staying focused on your core business activities.
Implementing a personal information management system (PIMS): Establishing a PIMS as part of your overall business management system will make sure that data protection management is placed within a robust framework, which will be looked upon favourably by the regulator when it comes to DPA compliance.
Implementing an information security management system (ISMS) compliant with ISO: We offer flexible and cost-effective consultancy packages, and a comprehensive range of bespoke ISO consultancy services, that will help you implement an ISO compliant ISMS quickly and without hassle, no matter where your business is located.
Cyber Health Check: The two-day Cyber Health Check combines on-site consultancy and audit with remote vulnerability assessments to assess your cyber risk exposure.

41 Questions?