GDPR Training Session 2
TRANSCRIPT
EU General Data Protection Regulation (GDPR)
Wale Omolere, February 2017
Topics
• GDPR Assessment Readiness
• How to Conduct Gap Analysis
• How to Develop GDPR Questions
• Response to Questions and Recommendations
• Data Mapping Analysis
• Data Management Lifecycle
• Data Governance
GDPR Roadmap
Phases: Assessment, Develop Plan, Build Consensus, Implement Program
Assessment phase activities:
• Assess Readiness
• Gather Key Requirements (from the GDPR Regulation)
• Analyse Information
• Conduct Gap Analysis
• Document Report
• Communicate Report
• Assess Business Impact
• Peer Review Information (with Management team)
• Peer Review Information (with SMEs)
What is Gap Analysis?
Gap analysis is a technique that businesses use to determine what steps need to be taken in order to move from their current state to their desired future state.
[Figure: gap analysis chart. Horizontal axis: Time; vertical axis: GDPR Compliance Gap; points labelled "CI is here" and "CI wants to be here".]
Calculating the "Gap"
Questions
1. Where are we now?
2. Where do we want to be?
3. How will we get there?
4. When will we get there?
The point between where you are NOW and where you want to BE is known as the gap. Calculating the "gap" is known as gap analysis, and it starts with information gathering, by asking the right questions.
Conducting Gap Analysis (Activities)
Goal: Gain understanding of Careers Insight's current compliance posture
Task No.: 1
Task Name: Gap analysis
Activities (input):
• Review regulatory requirements
• Prepare and send GDPR Assessment Questionnaires
• Review responses to completed GDPR assessment questionnaire
• (OPTIONAL) Conduct staff interviews/calls
Output: Gap analysis report
Gap Analysis Exercise Steps
1. Pre-Assessment Phase
• Meeting with key stakeholders / SMEs
• Walk-through of engagement activities, and agree roles
• Confirm regulatory requirements have been provided
• Review existing Data Protection Policy (if available)
• Review existing Information Security Policy documents (if available)
• Provide questions to support information gathering in advance of on-site workshop & Gap Analysis
GDPR Assessment Questionnaires 1-1
(Article / Title / Questions / Condition (Y/N))
Article 4: Definition of personal data
• Do you have full knowledge of your information assets? No
• Do you know the location and the flow of personal data into your organisation? No
Article 6: Lawfulness of processing
• When processing data for a purpose other than that for which it was originally collected, do you assess whether it is compatible with the original purpose and identify appropriate safeguards? No
Article 7: Conditions for consent
• Do you obtain consent from data subjects prior to processing their data? No
• Do you stop processing personal data when a data subject withdraws consent? No
Article 15: Right of access by the data subject
• Do you enable individuals to get access to personal data you hold about them? No
Article 17: Right to erasure ("right to be forgotten")
• Do you erase personal data when requested by data subjects (where required by law)? No
• Do operating procedures provide guidance for analysing and responding to requests for erasure? No
Article 33: Notification of a personal data breach to the supervisory authority
• Have you identified activities related to processing special categories of personal data and documented the legal basis for processing (e.g., consent, contract, vital interests, legitimate activities, etc.)? No
GDPR Assessment Questionnaires 1-2
(Article / Title / Questions / Condition (Y/N))
Article 20: Right to data portability
• Do you provide personal data in a structured and commonly used machine-readable format when requested? No
• Do operating procedures provide guidance for analysing and responding to requests for data portability? No
Article 32: Security of processing
• Have you conducted (or reviewed) an audit of access to personal data to determine if existing procedures are appropriate based on the purpose for which the data was collected and the nature of access? No
• Do you have in place technical security and organisational measures to protect the confidentiality, integrity and availability of personal data? No
Article 33: Notification of a personal data breach to the supervisory authority
• Do operating procedures provide guidance for identifying, escalating, and responding to data breaches, including notification to supervisory authorities, controllers, and data subjects? No
• Do you maintain records related to personal data breaches? No
Article 34: Communication of a personal data breach to the data subject
• Do you maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol? No
Gap Analysis Report
(Article / Gap / Risk Level / Subject Matter Owners / Recommended Actions)
Article 4
Gap: No information on how data is received and where it is stored
Risk level: VERY HIGH; Owner: Business
Recommended actions: Conduct a comprehensive data mapping analysis; depict data origin, path and storage
Article 6
Gap: No record of policies/procedures for primary / secondary uses of personal data
Risk level: VERY HIGH; Owner: Business
Recommended actions: Develop Personal Data Usage Policy; conduct PIAs/DPIAs for changes to existing programs, systems, or processes; establish legal basis (if any) for processing personal data
Article 7
Gap: No procedures to respond to requests to opt out of, restrict or object to processing
Risk level: VERY HIGH; Owner: Business
Recommended actions: Develop marketing communications plan (workflow) for customer opt-in & opt-out; develop data handling policy
Article 15
Gap: No procedures to respond to requests for access to personal data
Risk level: VERY HIGH; Owner: Business
Recommended actions: Develop data handling procedure and plan; this should include how CI will handle requests from customers (data subjects)
Article 17
Gap: No procedures to respond to requests to be forgotten or for erasure of data
Risk level: HIGH; Owner: Business
Recommended actions: Develop an operating procedure for analysing and responding to requests for erasure or correction of data
Article 32
Gap: Personal data is not adequately protected from unauthorised access; no technical security controls / measures in place
Risk level: HIGH; Owner: Business
Recommended actions: Perform Data Privacy Impact Assessment (DPIA); implement security measures to protect confidentiality, integrity & availability of customer data
Article 33
Gap: No procedure for detecting, reporting and investigating personal data breaches
Risk level: HIGH; Owner: Business
Recommended actions: Develop data breach incident response plan
Data Flow Mapping
Data flow maps are a recognised method of tracing or tracking the flow of data through a process, or physically through a network.
What to show on a data flow map
The data flow map should show where the devices, systems, applications, etc. that handle personal data exist on the CI network.
Objectives of a data flow map
• To create a picture of CI's data origins, paths, exit points and storage locations
• To indicate where PII exists in CI's network, infrastructure, servers and devices
• To present an overview of CI's data and improve data lifecycle management
Data Flow Mapping Activities
1. Data discovery exercise
• Hold scoping workshop with the IT team, with Data Protection and Information Security represented at decision-maker level in CI
• Review existing practices to see what kinds of data have already been or are routinely collected in CI. Also determine whether the sources of all these data are available and reliable, e.g. is there a source indicated for the data, is the source a primary source, etc.
• Walkthrough of existing Data Flow Diagram
• Discuss extent of current personal data holding knowledge and usage for business purposes
• Identify contacts for more accurate information on data holding and change process (as needed)
• Combine all of the above steps into one document. This is your data flow map
Overview: Data Management Lifecycle
Stages: Data Collection; Data Usage & Data Handling; Data Transfer & Access; Data Retention & Destruction; Data Security
Article Nos. / Areas
• 4, 5, 6, 9: Data Collection
• 4, 9, 12: Data Usage
• 13, 14, 15, 44: Data Transfer & Access
• 5: Data Retention & Destruction
• 9, 23, 32: Data Security
Data Mapping Activities (Areas / Lifecycle Categories)
Data Collection
• Source
• Means of collection
Data Usage
• Purpose of processing
• Means of processing
• Location of data
Data Transfers & Access
• Internal transfers / access / interfaces
• External transfers / access / interfaces
• International data transfers / access / interfaces
Data Retention & Destruction
• Destruction / archive retention
Data Security
• Technical & organisational security considerations
Data Lifecycle Mapping
Key data lifecycle categories / Key elements of information captured
1. Data Collection
• Source of data: where the personal information originates prior to being entered into the CI system. For example, data may be generated from a web form / link on Facebook, LinkedIn, Google, etc.
• Means of collection: how the personal information was collected, obtained or generated for the purposes of the system / process. For example, direct input by a CI candidate, email received and data manually input to the system by a user, or automated feeds from linked systems or databases.
2. Data Usage & Data Handling
• Purpose of processing the personal information
• Key manual data handling or automated data processing activities
• Handling of hard copy documents or files containing personal information
3. Data Transfers and Access & Disclosure (if applicable)
• Internal, external and onward transfers, access or disclosures of personal information
• Disclosures to service providers, vendors, and relevant parties
• Assess locations for the purposes of identifying cross-border data transfers
4. Data Retention & Destruction
• Data retention and destruction processes around how personal information is archived or destroyed
• Retention periods prior to destruction
• Responsibilities of external vendors for the archiving / destruction of personal information transferred
5. Security
• Scope to include specific technical and organisational security considerations which have been applied. For example, access controls and restrictions, use of passwords / encryption
Data Lifecycle Questionnaire
Key data lifecycle categories / Questions
1. Data Collection
• Describe where the data originates from prior to being used in relation to the process / activity
• Describe how the data was collected, obtained or generated relating to the process / activity
2. Data Usage & Data Handling
• State the reason for which the data is collected and used / processed
• Describe how the data is used / processed for the purpose of the process / activity
• Describe where the data is stored as part of the process / activity, including the country in which the data is physically located or hosted
3. Data Transfer & Access
• Provide details of any internal transfers or interfaces in relation to the process / activity (including situations where access is given to such data)
• Provide details of any external transfers or interfaces in relation to the process / activity, for example sharing of personal data with external service providers
• Provide details of any cross-border transfer of data in relation to the process / activity for internal or external purposes
4. Data Retention & Destruction
• Describe how data is retained / archived or destroyed in relation to the process / activity. Where possible, state the retention period prior to destruction
5. Data Security
• Describe any specific technical & physical security measures which are applied to data in relation to the process or activity. For example, this may include passwords / encryption when sharing files
Data Origin, Path, Process & Storage (data flow mapping diagram)
Stages: CI Candidate → Input → System → Output → Database
Elements shown, in flow order:
• CI Candidate sources: Facebook, Referrals, Telephone order, Mail-based order, Google search, LinkedIn
• Career Insight website
• eWorkexperience website
• CRM (Salesforce)
• Personal data
• Credit card information
• Enterprise data warehouse
• SQL database, Oracle database
• Inventory & order processing
Data Flow Mapping
GDPR relates to Data Governance
Collect: principles of data collection
• Fairly and lawfully
• Receiving consent
• Relevance
• Proportionality
• Types of data
Process: permission applies to
• Specific data
• Specific purpose
• Notify of changes
Retain & Secure
• Retain: duration; types of data
• Secure: people; process; technology; data loss
Manage: management of
• Access
• Right to rectify data
• Data destruction policy
• Data transfers
• Applicable rules
• Right to be forgotten