Conducting a data flow mapping exercise under the GDPR. Presented by: Alan Calder, founder and executive chairman, IT Governance 4 October 2017

Transcription

1 Conducting a data flow mapping exercise under the GDPR Presented by: Alan Calder, founder and executive chairman, IT Governance 4 October 2017

2 TM Introduction Alan Calder Founder of IT Governance The single source for IT governance, cyber risk management and IT compliance IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002, 6th edition (Open University textbook)

3 TM IT Governance Ltd: GRC one-stop shop All verticals, sectors and all organisational sizes

4 Agenda TM The General Data Protection Regulation s (GDPR) impact, liabilities and penalties. Data flows and identifying the key elements. The benefits of conducting a data mapping exercise. The challenges of data mapping. Techniques and best practices for data flow mapping. Live demonstration of the Data Flow Mapping Tool. v1.0

5 TM The GDPR s impact UK organisations that process personal data only have a short time to make sure that they are compliant. The Regulation extends the data rights of individuals, and requires organisations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organisational measures. This Regulation shall be binding in its entirety and directly applicable in all Member States. 8 April April May May May 2018 Council of the European Union adopted the GDPR The GDPR was adopted by the European Parliament The official text of the Regulation was published in the Official Journal of the EU The Regulation entered into force The GDPR will apply Final text of the Regulation:

6 TM Material and territorial scope Natural person = a living individual Natural persons have rights associated with: The protection of personal data. The processing of personal data. The unrestricted movement of personal data within the EU. In material scope: Personal data that is processed wholly or partly by automated means. Personal data that is part of a filing system, or intended to be. The Regulation applies to controllers and processors in the EU, irrespective of where processing takes place. The Regulation applies to controllers outside the EU that provide services into the EU.

7 Penalties TM Administrative fines Administrative fines will, in each case, be effective, proportionate and dissuasive, and take account of the technical and organisational measures that have been implemented. 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year. 20,000,000 or, in case of an undertaking, up to 4% of the total worldwide annual turnover in the preceding financial year. v1.0

8 TM Data flows under GDPR A data flow is a transfer of information from one location to another. For example: From suppliers and subsuppliers through to customers. Inside and outside the European Union. When mapping information flow, you should identify the interaction points between the parties involved. NB: Cloud providers present their own challenges.

9 TM Data flows under the GDPR Walk through the information lifecycle to identify unforeseen or unintended uses of the data. Ensure the people who will be using the information are consulted on the practical implications. Consider the potential future uses of the information collected, even if it is not immediately necessary.

10 Data mapping challenges TM Identify personal data Identify appropriate technical and organisational safeguards Understand legal and regulatory obligations Trust and confidence

11 Identify the key elements TM Data items Name, , address Health data, criminal records Biometrics, location data Formats Hardcopy (paper records) Digital (USB) Database Transfer methods Post, telephone, social media Internal (within group) External (data sharing) Locations Offices Cloud Third parties

12 Techniques Data flow mapping techniques TM Inspect existing documents Facilitation workshops Questionnaires Observation Whiteboard freeform diagrams Template drawings (Visio, mind map tools) Post-it notes

13 TM Data flow mapping Questions to ask? Workflow inputs and outputs: How is personal data collected (e.g. form, online, call centre, other)? Who is accountable for personal data? What is the location of the systems/filing systems containing the data? Who has access to the information? Is the information disclosed/shared with anyone (e.g. suppliers, third parties)? Does the system interface with, or transfer information to, other systems?

14 Data flow mapping TM

15 Data flow example TM Third-party users HR users HR system Recruitment system HR Workforce metrics Finance system Recruitment services CV database Outplacement services Outplacement data Outsourced management Candidate information Agency employment screening Candidates

16 Data flow audit process report sample

17 TM Data flow audit process report

18 TM Data flow audit process report

19 TM Data flow audit process report

20 TM Data flow audit process report

21 Data Flow Mapping Tool Live demonstration

22 The practical steps to conduct a data flow audit

23 TM The practical steps to conduct a DFA Document the STEP 1 scope and purposes of processing

24 TM The practical steps to conduct a DFA Add personal STEP 2 data to a data flow map of the process

25 TM The practical steps to conduct a DFA Add the supporting STEP 3 assets used to process personal data

26 TM The practical steps to conduct a DFA Add data transfers to STEP 4 show the flow of data between assets

27 TM The practical steps to conduct a DFA STEP 5 Review the process

28 IT Governance: GDPR one-stop shop TM Self-help materials A pocket guide /shop/p roduct/eu-gdpr-a-pocket-guide Implementation manual /shop/pr oduct/eu-general-data-protectionregulation-gdpr-animplementation-and-complianceguide Documentation toolkit /shop/p roduct/eu-general-dataprotection-regulation-gdprdocumentation-toolkit Compliance Gap Assessment Tool /shop/pr oduct/eu-gdpr-compliance-gapassessment-tool

29 IT Governance: GDPR one-stop shop TM Training courses One-day accredited Foundation course (classroom, online, distance learning) /shop/product/certified-eu-general-dataprotection-regulation-foundation-gdpr-training-course Four-day accredited Practitioner course (classroom, online, distance learning) /shop/product/certified-eu-general-dataprotection-regulation-practitioner-gdpr-training-course One-day data protection impact assessment (DPIA) workshop (classroom) /shop/product/data-protection-impactassessment-dpia-workshop

30 IT Governance: GDPR one-stop shop TM Data Flow Mapping Tool Gain full visibility over the flow of data through your organisation. Simplify the process of creating data flow maps. Create consistent, visual representations of the flow of personal data through all your business processes. Find out more >>

31 IT Governance: GDPR one-stop shop TM GDPR consultancy Gap analysis Our experienced data protection consultants can assess the exact standing of your current legal situation, security practices and operating procedures in relation to the Data Protection Act (DPA) or the GDPR. Data flow audit Data mapping involves plotting all of your data flows, which requires drawing up an extensive inventory of the data to understand where it flows from, within and to. This type of analysis is a key requirement of the GDPR. Data Protection Officer (DPO) as a Service Outsourcing the DPO role can help your organisation address the compliance demands of the GDPR while staying focused on your core business activities. Implementing a personal information management system (PIMS) Establishing a PIMS as part of your overall business management system will make sure that data protection management is placed within a robust framework, which will be looked upon favourably by the regulator when it comes to DPA compliance. Implementing an information security management system (ISMS) compliant with ISO We offer flexible and cost-effective consultancy packages, and a comprehensive range of bespoke ISO consultancy services, that will help you implement an ISO compliant ISMS quickly and without hassle, no matter where your business is located. Cyber Health Check The two-day Cyber Health Check combines on-site consultancy and audit with remote vulnerability assessments to assess your cyber risk exposure.

32 Questions?