Data Flow Mapping and the EU GDPR

Similar documents
Accountability under the GDPR: What does it mean for Boards & Senior Management?

The GDPR and its requirements for implementing data protection impact assessments (DPIAs)

GDPR. Legalities, Policies and Process Part 3 of our series on GDPR and its impact on the recruitment industry

WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION

ARTICLE 29 DATA PROTECTION WORKING PARTY

GENERAL DATA PROTECTION REGULATION Guidance Notes

INTERNATIONAL WHAT GDPR MEANS FOR RECORDS MANAGEMENT

THE GENERAL DATA PROTECTION REGULATION: A BRIEF OVERVIEW (*)

General Data Protection Regulation Philippe Roggeband. Business Development, Manager, GSSO EMEAR

1 Privacy by Design: The Impact of the new European Regulation on Data protection. Introduction

The Privacy Battlefield What does the GDPR Require?

Brasenose College Data Protection Policy Statement v1.2

CNPD Training: Data Protection Basics

December 28, 2018, New Delhi, INDIA

EU GENERAL DATA PROTECTION REGULATION

General Data Protection Regulation (GDPR) A brief guide

Getting Ready for the GDPR

Preparing for the General Data Protection Regulation (GDPR)

CHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR. Legal02# v1[RXD02]

A summary of the implications of the General Data Protection Regulations (GDPR)

GDPR factsheet Key provisions and steps for compliance

EU General Data Protection Regulation (GDPR)

Nissa Consultancy Ltd Data Protection Policy

EU General Data Protection Regulation: What Impact for Businesses Established Outside the EU and EEA Francoise Gilbert 1

General Personal Data Protection Policy

Customer Data Protection. Temenos module for the General Data Protection Regulation (GDPR)

THE PAINSLEY CATHOLIC ACADEMY. GDPR Data Protection Impact Assessment Policy

DATA PROTECTION POLICY

Whitepaper. What are the changes regarding data protection. in the future. General Data Protection Regulation? eprivacy GmbH, Hamburg, April 2017

What do companies need to do?

Preparing Your Vendor Agreements for the General Data Protection Regulation

SCHOOLS DATA PROTECTION POLICY. Guidance Notes for Schools

GDPR Factsheet - Key Provisions and steps for Compliance

General Data Protection Regulation. Jim Sneddon GDPR-P, CISSP

The ICT Service:

with Xavier Darmstaedter Managing Partner GEDAPRE DACOTA Consulting

What is GDPR and Should You Care?

b. by a controller not established in EU, but in a place where Member State law applies by virtue of public international law.

We reserve the right to update this privacy notice at any time. Please check our website from time to time for any changes we may make.

NEWSFLASH GDPR N 10 - New Data Protection Obligations

A PRACTICAL GUIDE FOR HOW AN ADVERTISER CAN PREPARE FOR GDPR JANUARY 2018

GDPR.

Getting ready for the new data protection laws A guide for small businesses, charities and voluntary organisations

GDPR: What Every MSP Needs to Know

ARTICLE 29 Data Protection Working Party

PREPARING YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST DATA PROTECTION COMMISSIONER

Data Protection Policy

DATA PROTECTION OFFICER (DPO) Maria Maxim Partner Bucharest October 25, 2017

General Data Protection Regulation. The changes in data protection law and what this means for your church.

TimePlan Education Group Ltd ( the Company ) Data Protection. Date: April Version: 001. Contents

General Data Protection Regulation (GDPR) Business Guide

GDPR POLICY. This policy complies with the requirements set out in the GDPR, which will come into effect on

Preparing for the GDPR

GDPR - Salon Guide Contents

PERSPECTIVE. GDPR - An industry and geography agnostic regulation. Abstract

10366/15 VH/np DGD 2C LIMITE EN

The General Data Protection Regulation (GDPR)

ACCENTURE BINDING CORPORATE RULES ( BCR )

European Union General Data Protection Regulation 2016 (Effective 25 May 2018)

Presenting a live 90-minute webinar with interactive Q&A. Today s faculty features:

St Michael s CE Primary School Data Protection Policy

GDPR Impacts on Digital Transformation

Introduction to basic principles of Regulation (EC) 45/2001. Sophie Louveaux María Verónica Pérez Asinari

Preparing for the GDPR Orla O Hannaidh - Womble Bond Dickinson

Preparation Guide to the New European General Data Protection Regulation

General Data Protection Regulation (GDPR)

General Data Protection Regulation - Explained

SAFFRON WALDEN COMMUNITY CHURCH DATA PROTECTION POLICY. Adopted: [ ]

What does the GDPR mean for recruitment?

ARTICLE 29 DATA PROTECTION WORKING PARTY

WHITE PAPER EU General Data Protection Regulation Compliance

Data protection (GDPR) policy

GDPR: Are You Ready? Mapping the Road to GDPR Compliance. March 2018

DATA PROTECTION POLICY VERSION 1.0

GDPR Webinar : Overview & practical compliance steps. 23 October 2017

GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges

Baptist Union of Scotland DATA PROTECTION POLICY

General Data Protection Regulation

Policy Document for: Data Protection (GDPR) Approved by Directors: September Due for Review: September Statement of intent

DATA PROTECTION POLICY 2018

Training Manual. DATA PROTECTION ACT 2018 (DPA18) Incorporating General Data Protection Regulations (GDPR) Data Protection Officer is Mike Bandurak

Technical factsheet: General Data Protection Regulation (GDPR) April 2018

Paul Jordan Thursday 12 October,

ECDPO 1: Preparing for the EU General Data Protection Regulation

GDPR P4 Privacy Policy Statement & Guidance for Employees and External Providers

SAP and SAP Ariba Solution Support for GDPR Compliance

GDPR journey: from ready to compliant GDPR survey results

Scottish Charity Number SC Dingwall Baptist Church DATA PROTECTION POLICY

Data Protection Impact Assessment Policy

The General Data Protection Regulation (GDPR)

Hendre Infants School DATA PROTECTION POLICY. Nurture, Believe, Achieve Headteacher: A. J. Brett-Harris

The Data Controller for all personal data stored and processed by Horiba MIRA Ltd is:

Committee on Civil Liberties, Justice and Home Affairs WORKING DOCUMENT. Committee on Civil Liberties, Justice and Home Affairs

GENERAL DATA PROTECTION REGULATION.

GDPR-CERTIFIED ASSURANCE REPORT BASED PROCESSING ACTIVITIES

Introduction to the General Data Protection Regulation (GDPR)

Human Resources. Data Protection Policy IMS HRD 012. Version: 1.00

Information governance strategy

RSD Technology Limited - Data protection policy: RSD Technology Limited ( the Company )

GDPR The role of the Internal Audit Function

Transcription:

Data Flow Mapping and the EU GDPR Adrian Ross LLB (Hons), MBA GRC Consultant IT Governance Ltd 29 September 2016 www.itgovernance.co.uk

Introduction Adrian Ross GRC Consultant Infrastructure services Business process re-engineering Business intelligence Business architecture Intellectual property Legal compliance Data protection and information security Enterprise risk management 2

IT Governance Ltd: GRC one-stop shop All verticals, all sectors, all organisational sizes

Agenda TM An overview of the regulatory landscape Territorial scope Remedies, liabilities and penalties Risk management and the GDPR Legal requirements for a DPIA Why and how to conduct a data flow mapping exercise What are the challenges What is an information flow The questions to ask Data flow mapping techniques 4

The nature of European law Two main types of legislation: Directives º Require individual implementation in each member state º Implemented by the creation of national laws approved by the parliaments of each member state º European Directive 95/46/EC is a directive º UK Data Protection Act 1998 Regulations º Immediately applicable in each member state º Require no local implementing legislation º The EU GDPR is a regulation

Article 99: Entry into force and application TM This Regulation shall be binding in its entirety and directly applicable in all member states. KEY DATES On 8 April 2016 the Council adopted the Regulation. On 14 April 2016 the Regulation was adopted by the European Parliament. On 4 May 2016 the official text of the Regulation was published in the EU Official Journal in all the official languages. The Regulation entered into force on 24 May 2016 and will apply from 25 May 2018. http://ec.europa.eu/justice/data-protection/reform/index_en.htm Final text of the Regulation: http://data.consilium.europa.eu/doc/document/st- 5419-2016-REV-1/en/pdf

GDPR The GDPR has eleven chapters: TM Chapter I General Provisions: Articles 1-4 1 Chapter II Principles: Articles 5-11 2 Chapter III Rights of the Data Subject: Articles 12-23 3 Chapter IV Controller and Processor: Articles 24-43 4 Chapter V Transfer of Personal Data to Third Countries: Articles 44-50 5 Chapter VI Independent Supervisory Authorities: Articles 51-59 6 Chapter VII Cooperation and Consistency: Articles 60-76 7 Chapter VIII Remedies, Liabilities and Penalties: Articles 77-84 8 Chapter IX Provisions Relating to Specific Processing Situations: Articles 85-91 9

Data protection model under the GDPR European Data Protection Board Information Commissioner s Office (ICO) (supervising authority) Assessment Enforcement Data processor Security? Data controller (organisations) Duties Rights Data subject (individuals) Inform? Third countries Guarantees? Disclosure? Third parties

Articles 1 3: Who and where? Natural person = a living individual Natural persons have rights associated with: The protection of personal data. The protection of the processing personal data. The unrestricted movement of personal data within the EU. In material scope: Personal data that is processed wholly or partly by automated means. Personal data that is part of a filing system, or intended to be. The Regulation applies to controllers and processors in the EU irrespective of where processing takes place. The Regulation also applies to controllers not in the EU.

Remedies, liabilities and penalties TM Article 79: Right to an effective judicial remedy against a controller or processor Judicial remedy where their rights have been infringed as a result of the processing of personal data. º In the courts of the member state where the controller or processor has an establishment. º In the courts of the member state where the data subject habitually resides. Article 82: Right to compensation and liability Any person who has suffered material or non-material damage shall have the right to receive compensation from the controller or processor. A controller involved in processing shall be liable for damage caused by processing. Article 83: General conditions for imposing administrative fines Imposition of administrative fines will in each case be effective, proportionate, and dissuasive. º Fines shall take into account technical and organisational measures implemented. 20,000,000 or, in case of an undertaking, 4% of total worldwide annual turnover in the preceding financial year (whichever is higher). Module I

Remedies, liability and penalties (cont.) Article 83: General conditions for imposing administrative fines 10,000,000 or, in case of an undertaking, 2% of total worldwide annual turnover in the preceding financial year (whichever is greater). Articles: 8: Child s consent 11: Processing not requiring identification 25: Data protection by design and by default 26: Joint controllers 27: Representatives of controllers not established in EU 26-29 & 30: Processing 31: Cooperation with the supervisory authority 32: Data security 33: Notification of breaches to supervisory authority 34: Communication of breaches to data subjects 35: Data protection impact assessment 36: Prior consultation 37-39: DPOs 41(4): Monitoring approved codes of conduct 42: Certification 43: Certification bodies

Remedies, liability and penalties (cont.) Article 83: General conditions for imposing administrative fines 20,000,000 or, in case of an undertaking, 4% total worldwide annual turnover in the preceding financial year (whichever is higher). Articles 5: Principles relating to the processing of personal data 6: Lawfulness of processing 7: Conditions for consent 9: Processing special categories of personal data (i.e. sensitive personal data) 12-22: Data subject rights to information, access, rectification, erasure, restriction of processing, data portability, object, profiling 44-49: Transfers to third countries 58(1): Requirement to provide access to supervisory authority 58(2): Orders/limitations on processing or the suspension of data flows

Risk management and the GDPR TM RISK is mentioned over 60 times in the Regulation. It is important to understand privacy risk and integrate it into your risk framework.

What is risk? TM The effect of uncertainty on objectives (ISO 31000 etc.) Risk is the combination of the probability of an event (IRM) A situation involving exposure to danger (OED) Uncertainty of outcome, within a range of exposure, arising from a combination of the impact and the probability of events (Orange Book HM Treasury) The uncertainty of an event occurring that could have an impact on the achievement of objectives (Institute of Internal Auditors)

Standards and codes ISO 31000, Risk management Principles and guidelines AS/NZS 4360:2004 now replaced by ISO 31000 ISO 31010, Risk management Risk assessment techniques IRM/ALARM/AIRMIC A risk management standard UK Combined code on UK Corporate Governance code OECD, Principles of corporate governance COSO, Enterprise risk management Integrated framework Sector specific, e.g. clinical, food Discipline specific, e.g. ISO 27005 ISO 22301, Business continuity management

ISO 31000: Risk management TM Management framework approach PDCA model modified in ISO 27005 Generic (all risks) Very similar to a management system

Risk management process TM Establishing the context Risk assessment Communication and consultation Risk identification Risk analysis Monitoring and review Risk evaluation Risk treatment

Enterprise risk management Capabilities: Aligning risk appetite and strategy Enhancing risk response decisions Reducing operational surprises and losses Identifying and managing multiple and cross-enterprise risks Seizing opportunities Improving deployment of capital

Risk management Organisational risk "landscape" Strategic Business performance Financial performance Reputation Operational Output capacity Demand response Interruption and disruption Statutory Employment law Health & safety Company law Regulatory Industry/sector specific compliance requirements Licence to operate Contractual SLA targets/levels Product/service availability Quality/warranty

Information security Preservation of confidentiality, integrity and availability of information and the assets and processes that support and enable its acquisition, storage, use, protection and disposal. Wide variety of assets: information ICT infrastrucure Prevent compromise (loss, disclosure, corruption, etc.). Includes IT security and other forms of security: physical HR supply

Legal requirements for a DPIA Article 35: Data protection impact assessment Controller must seek the advice of the Data Protection Officer. This is particularly required in situations that involve: Automated processing Profiling Creation of legal effects Significantly affecting the natural person Processing of large scale categories of sensitive data Data that relates to criminal offences or convictions Monitoring on a large scale Conduct a post-implementation review when risk profile changes.

Legal requirements for a DPIA Article 35: Data protection impact assessment DPIA must be performed where: New technologies are deployed Nature, scope & context of the project demand it Processes are likely to result in a high risk to the rights and freedom It can be used to address sets of processing & risks

Legal requirements for a DPIA The DPIA will set out as a minimum: a description of the processing and purposes; legitimate interests pursued by the controller; an assessment of the necessity and proportionality of the processing; an assessment of the risks to the rights and freedoms of data subjects; the measures envisaged to address the risks; all safeguards & security measures to demonstrate compliance; indications of timeframes if processing relates to erasure; an indication of any data protection by design and default measures; list of recipients of personal data; compliance with approved codes of conduct; whether data subjects have been consulted.

Accountability TM Linking the DPIA to the privacy principles 1 2 Processed lawfully, fairly and in a transparent manner Collected for specified, explicit and legitimate purposes 3 4 5 6 Adequate, relevant and limited to what is necessary Accurate and, where necessary, kept up to date Retained only for as long as necessary Processed in an appropriate manner to maintain security

How to conduct a data mapping exercise The ICO staged approach to an effective DPIA: 1. Required when there is a change in processing of personally identifiable information (PII). 2. Determine the information flows throughout the organisation in order to make a proper assessment of the privacy risks. 3. Identify the risks related to privacy and processing, including the necessity and proportionality of the change in processing. 4. Identify possible privacy solutions to address the risks that have been identified. 5. Assess how the data protection principles have been applied throughout the organisation. 6. Sign-off and record the DPIA, including details of which privacy solutions are too be implemented. 7. Integrate the result of the DPIA back into the project plan. 8. Conduct a post-implementation review where risk profile of PII data has changed.

Why and how to conduct a data mapping exercise

Data mapping what are the challenges? TM Identify personal data Identify appropriate technical and organisational safeguards Understand legal & regulatory obligations Trust and confidence

What is an information flow? A transfer of information from one location to another. For example: Inside and outside the European Union. From suppliers and sub-suppliers through to customers. When mapping information flow, you should identify the interaction points between the parties involved. NB: Cloud providers present their own challenges.

Describing information flows Walk through the information lifecycle to identify unforeseen or unintended uses of the data. Ensure the people who will be using the information are consulted on the practical implications. Consider the potential future uses of the information collected, even if it is not immediately necessary.

Information flow identify the key elements TM Name, email, address Data items Health data, criminal records Formats Hardcopy (paper records) Digital (USB) Database Post, telephone, social media Transfer methods Internal (within group) Locations Biometrics, location data External (data sharing) Offices Cloud Third parties

Data flow mapping questions to ask Workflow inputs and outputs: How is personal data collected (e.g. form, online, call centre, other)? Who is accountable for personal data? What is the location of the systems/filing systems containing the data? Who has access to the information? Is the information disclosed/shared with anyone (e.g suppliers, third parties)? Does the system interface with, or transfer information to, other systems?

Data flow mapping techniques TM Inspect existing documents Facilitation workshops Questionnaires Observation Whiteboard freeform diagrams Template drawings (Visio, mind map tools) Post-it notes

Example information flow TM Third party users HR users HR system Recruitment system HR Email Workforce metrics Finance system Recruitment services CV database Outplacement services Outplacement data Outsourced management Candidate information Agency employment screening Candidates

Data Flow Mapping Tool TM Gain full visibility over the flow of data through your organisation Simplify the process of creating data flow maps Create consistent visual representations of the flow of personal data through all your business processes Find out more >>

IT Governance: GDPR one-stop shop Accredited training, one-day foundation course: London OR Cambridge: http://www.itgovernance.co.uk/shop/p-1795-certified-eugeneral-data-protection-regulation-foundation-gdpr-training-course.aspx ONLINE: http://www.itgovernance.co.uk/shop/p-1834-certified-eu-general-dataprotection-regulation-foundation-gdpr-online-training-course.aspx Practitioner course, classroom or online: http://www.itgovernance.co.uk/shop/p-1824-certified-eu-general-data-protectionregulation-practitioner-gdpr-training-course.aspx Pocket guide: http://www.itgovernance.co.uk/shop/p-1830-eu-gdpr-a-pocketguide.aspx Documentation toolkit: http://www.itgovernance.co.uk/shop/p-1796-eu-generaldata-protection-regulation-gdpr-documentation-toolkit.aspx Consultancy support : Data audit Transition/implementation consultancy http://www.itgovernance.co.uk/dpa-compliance-consultancy.aspx

Questions? aross@itgovernance.co.uk 0845 070 1750 www.itgovernance.co.uk

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback