GDPR AND GRC: GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE FOR DATA PROTECTION

Transcription

1 A partner of Minerva Group Service AND GRC: GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE FOR DATA PROTECTION Andrea LEONARDI - Stefano MICHELOTTI Lugano (CH), 20 and 21 November2017 1

2 SPEAKERS LEONARDI, Andrea (CONSULTANT, TRAINER, AUDITOR MINERVA GROUP SERVICE) Graduating from Bocconi University with over 20 years experience in several industries, functions and projects, Andrea LEONARDI is Co-Founder and Vice President of Minerva Gorup Service s.c.c.pa, a company focused in providing advisory, training and audit services. He is advisor, trainer and auditor for and related standards (e.g Information Security Management System, IT Service Management System, Business Continuity Management System). MICHELOTTI, Stefano (CHAIRMAN MINERVA GROUP SERVICE) Stefano MICHELOTTI is Co-Founder and Chairman of Minerva Group Service s.c.c.p.a, a cooperative joint stock consortium company that is the hub of a network of companies (consortium companies). Minerva Group Service is strongly committed to providing professional and business services (e.g. GRC,, Management System, Cybersecurity, Project Management, etc.). He is advisor, trainer and auditor for, Risk Management ( 31000) and Compliance Management( 19600). 2

3 IS LANDING ON YOUR PLANET ARE YOU READY? What and When? REGULATION(EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC(General Data Protection Regulation) Tempus fugit. 25 May 2018 Who and Where? Personal data information relating to an identified or identifiable natural person ( data subject ) Personal data EU Data Subjects Processing (automated means or other) Controller Why? Controller No (compliance)?! No (Business) Party.and hugeadministrativefines! Compliance Governance Risk Management up to 4 % of the total worldwide annual turnover Fines Supervisory Authority A GRC road mapto following Management Systems! 3

4 What? Foreword(173 items) CHAPTER I General provisions CHAPTER II Principles CHAPTER III Rights of the data subject Section 1 Transparency and modalities Section 2 Information and access to personal data Section3 Rectificationand erasure Section 4 Right to object and automated individual decision-making Section 5 Restrictions 4

5 What? CHAPTER IV Controller and processor Section 1 General obligations Section 2 Security of personal data Section 3 Data protection impact assessment and prior consultation Section 4 Data protection officer Section 5 Codes of conduct and certification 5

6 What? CHAPTER V Transfers of personal data to third countries or international organisations CHAPTER VI Independent supervisory authorities Section 1 Independent status Section 2 Competence, tasks and powers CHAPTER VII Cooperation and consistency CHAPTER VIII Remedies, liability and penalties CHAPTER IX Provisions relating to specific processing situations CHAPTER X Delegated acts and implementing acts 6

7 Who? CHAPTER I General provisions Applies PERSONAL DATA PROCESSING FILING SYSTEM DATA SUBJECT This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form partofafilingsystemorareintendedtoformpartofafilingsystem 7

8 Who? CHAPTER I General provisions PERSONAL DATA genetic data biometric data data concerning health any information relating to an identified or identifiable natural person( data subject ); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; 8

9 Who? CHAPTER I General provisions PERSONAL DATA PROCESSING any operation or set ofoperations which is performedon personal data oron setsof personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction profiling any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements pseudonymisat ion the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person 9

10 Where? CHAPTER I General provisions PROCESSING CONTROLLER PROCESSOR Established in EU EU EXTRA EU This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes placeintheunionornot l119/32officialjournal oftheeuropeanunionen PROCESSING Goods services CONTROLLER PROCESSOR NOT established in EU OFFERING Monitoring of behavioring DATA SUBJECT.This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviouras far as their behaviourtakes place within the Union. UE 10

11 Why? CHAPTER VIII Remedies, liability and penalties effective, proportionateand dissuasive. administrative fines imposition SUPERVRY AUTHORITY e.g. for Italy 11

12 Why? administrative fines up to EUR up to2 % of the total worldwide annual turnover of the preceding financial year COMPANY Infringements of the following provisions obligations of the controller and the processor CONTROLLER PROCESSOR obligations of the controller and the processor CHAPTER II Principles Art. 8 Art. 11 obligations of the controller and the processor CHAPTER IV Controller and processor Art Art

13 Why? administrative fines up to EUR up to 4 % of the total worldwide annual turnover of the preceding financial year COMPANY Infringements of the following provisions CHAPTER II Principles Art.5 Art.6 Art.7 Art.9 basic principles for processing PROCESSING Infringements of the following provisions CHAPTER III Rights of the data subject Art DATA SUBJECT 13

14 GRC Governance, Risk Management, Compliance for Data Protection GOVERNANCE PRIVACY RISK MANAGEMENT COMPLIANCE

15 29100 Standard 29100:2011 «information technology security techniques privacy framework» Standard 31000:2009 Risk management Principles and guidelines Standard 19600:2014 «Compliance management systems Guidelines» /IEC Information technology Security techniques Guidelines for privacy impact assessment Standard 19011:20111 Guidelines for auditing management Systems 15

16 29100 PRIVACY FRAMEWOK Roles, responsibilities and interactions CONTROLLER the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data PROCESSOR natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;.. PII Mapping PROCESSING CONTROLS records of processing activities appropriate technical and organisational measures Principles Principles Policies COMPLIANCE 16

17 DATA PROTECTION OFFICER..to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions; to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits; to cooperate with the supervisory authority.. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter

18 31000 RISK MANAGEMENT FRAMEWOK Taking into account the nature, scope, context and purposes of processing the risks of varying likelihood and severity for the rights and freedoms of natural persons.. Risk Management Establishingthe context Establishingthe external context Establishingthe internal context Risk assessment Risk identification Risk analysis Risk evaluation appropriate technical and organisational measures Risk treatment 18

19 29134 Preparing the grounds for PIA process for conducting a PIA General PIA Report General Annex A (informative) Scale criteria on the level of impact and on the likelihood Determine whether a PIA is necessary (threshold analysis) Report structure Preparation of the PIA Scope of PIA Perform the PIA Risk Assessment Follow the PIA Risk Treatment Plan Conclusions and Decisions PIA Public Summary 19

20 19600 COMPLIANCE MANAGEMENT FRAMEWOK Legal, contractual, regulatory, technical Requirements Compliance Privacy Shield Standa rds SUPERVRY AUTHORITY COMPLIANCE FRAMEWOK Code of Conduct Certificati on 20

21 GRC appropriate technical and organisational measures INFORMATION SECURITY IT SERVICE GRC BUSINESS CONTINUITY

22 Standard /IEC :2011 «Information technology Service management Part 1: Service management system requirements» Standard /IEC 27001:2013 «Information technology Security Techniques Information Security Management Systems Requirements» Standard 22301:2012 Societal security Business continuity management systems Requirements 22

23 SMS and relationships with ISMS 27001andBCMS22301 SMS PROCESS Design and transition of new or changed services Capacity management Service continuity& availability management Service delivery processes Information security Management Budgeting& accounting for services Service level management Service reporting A , AnnexA Resolution processes Incident and service request management Problem management Control processes Configuration management Change management Release and deployment management Relationship processes Business relationship management Supplier management 23

24 SMS and main relationships with SMS PROCESS Design and transition of new or changed services Service delivery processes Privacy by design Privacy by default Privacy Impact assessment Rights of the data subject Privacy breach External processors and third parties Capacity management Service continuity& availability management Service level management Resolution processes Incident and service request management Problem management Information security Management Budgeting& accounting for services Service reporting Control processes Configuration management Change management Release and deployment management Relationship processes Business relationship management Supplier management 24

25 27001 INFORMATION SECURITY PHYSICAL SECURITY HR AND ORGANIZATIONAL SECURITY DATA PROTECTION PERSONAL DATA cloud IT SECURITY «CYBERSECURITY» Standard /IEC : 2012 «Information technology Security techniques Guidelines for cybersecurity» Standard /IEC 27018: 2014 Information technology Security techniques Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors 25

26 27001 Threat Vulnerability assetts SW Incident DATA Processing Information Security Objectives Integrity, Availability, Confidentiality Physical and Environmental security perimeter 26

27 27001 Annex A appropriate technical and organisational measures A.5 Information Security Policy A.6 Organization of Information Security A.7 Human Resource Security A.8 Assett Management A.9 Access Control A.10 Cryptography A.11 Physical and Environmental Security A.12 Operations Security A.13 Communication Security A.14 System Acquisition, developmentand maintenance A.15 Supplier relationships A.16 Information Security Incident Management A.17 Information Security aspectsof business continuity A.18 Compliance 27

28 27001 Annex A A.18 CLAUSE A.18 Compliance CONTROL OBJECTIVE A.18.1 compliance with legal and contractual requirements CONTROL A privacy and protection of personal identifiables information(pii) 28

29 22301 Privacy breach Incident DISRUPTION PROCESSING DATA Impact Loss of Availability DATA SUBJECT RESILIENCE RISK ASSESSMENT (BIA) BUSINESS IMPACT ANALYS BUSINESS CONTINUITY STRATEGY BUSINESS CONTINUITY PLANS TESTING AND EXERCISING (PIA) Privacy Impact Assessment Privacy by design Privacy by default

30 : AN INFOGRAPHIC and relationshipswith main standards Desig nation GOVERNANCE Training and Awareness proce dures Controller DPO Processors & Data handlers Risk(confidentiality, integrity,availability) Technical and organisational measures Resilience RISK MANAGEMENT Privacy Impact Assessmen Personal data breach COMPLIANCE Rights of the Data Subject Issues of Supervisory Authority Information & Consent GRC in data processing Recordsof processing activities data EU DataSubjects doc purposes of processing DATA PROCESSING operations on data data Perimeter and means in data processing («privacy by default & privacy by design») doc Storage Transmission Dissemination (internal and external)) ORGANIZATION & HR PHYSICAL SITES (including external Datacenter) cloud («cybersecurity») INFORMATION TECHNOLOGY 30