Data Warehouse Risk Assessment (GDPR)

Transcription

1 Data Warehouse Risk Assessment (GDPR) The new data protection law is effective from Individuals will have more control of their personal data and organisations will have to implement a risk / evidence based system, controls and processes to manage and demonstrate compliance with GDPR. The assessment highlights the risks for the Data Warehouse. No What are the issues? What are the risks? What are we already doing? Do we need to do anything else? When? Responsible Done 1 Need authority to process personal data. Will need to identify all our authority (legislation) and publish them. Most services will have an idea of the legislation used to process personal data. Identify all the legislation applicable to local government and create a database for services to update and maintain. Information available for London Council 2 Need consent to process personal data if we do not have the authority. Not compliant with the data protection law. Consent is obtained is some services. Implement a process to obtain informed consent and record it on a database because it has to be managed. Implemented and procedures is available 3 Consent is required if don t have the authority. Processing any data that that is not required using authority e.g. phone numbers, address etc. Information is requested from individuals Affirmative consent is required Record of consent maintained. Consent data base to Awareness raised April 2018 Page 1 of 7

2 hold, view, amend and delete consent. 4 Consent data base is required to hold, view, edit and delete consent Consent is managed locally 5 Current data held may not be compliant Not compliant with GDPR. Compliant with DPA. Review and make it compliant with GDPR. Ongoing 6 Profiling is not allowed without consent. Automated processing of data to make decisions about individuals. No automation is used at present Will need to develop a process that includes informed consent. No automated profiling or decision making identified. 7 Security by design The network and data is not secure. Annual penetration tests DPIA assessment Audit planned this year Access based on permissions and an Review security Review access and permissions. May need to increase levels of access. Review DPIA Mobile devices and April 2018 Page 2 of 7

3 approval process containerisation Automated reviews and disabling accounts Limit processing Limit data collection 8 Privacy framework Not compliant with the GDPR law. We are compliant with the DPA 1998 act Need to build on the DPA 1998 framework, including: Interest of the Authority Official authority Consent Right to be forgotten Re-use of data Information (notice) 9 Privacy Impact Assessment Not compliant if not completed. DPIA completed Need to review and complete another PIA for GDPR compliance. To be completed after all data flows mapped and April 2018 Page 3 of 7

4 assets identified. 10 Transparency Must be transparent and disclose all information about the processing of personal data. Use of Privacy statement and other basic information about data protection. Publish more information about the processing of personal data. Publish retention schedule Most information created and published. This is an ongoing process. Publish authority and interest Publish whom information is shred with. Publish information about the data warehouse and how it is used. 11 Identify and classify data assets personal and sensitive data. Sensitive data must be categorised and explicit consent obtained to process. Informed consent is obtained to process social care data. Need to review and categorise data that is sensitive data and make sure additional security and controls are implemented. and in BAU. April 2018 Page 4 of 7

5 12 Identify data inputs, processing and outputs Need to identify re-use and whom data is shared with. Data is not mapped Need to map data across the organisation. BAU 13 Data Portability Individuals have the right to be given a copy of their data. Data can be exported when and if required. Review this process and the volume of data that can be exported in a readable format. Right to be forgotten The individual has the right to have their data deleted. Data is deleted from the system when changes made to the source data. Mainly uploaded weekly with ad-hoc changes. Set a process to delete data unless there is an authority to retain the data or interest in the authority. 14 Ongoing awareness and communication Employees must be trained in GDPR and aware of their responsibilities. Staff must have completed the data protection training before given access to the DW. Online GDPR training Workshops Information on the Intranet Information on screen savers April 2018 Page 5 of 7 Information when staff

6 log on to the DW. 15 Children s data Parental or guardian consent is required if the person is under 16 unless the UK Gov changes the law. Parental or guardian consent is usually obtained if the person is under 16. Review and ensure that parental or guardian consent is recorded. Will need to capture date of birth of the under age person. 16 Rights of data subjects Individuals have the following rights / conditions: Right to be informed Individuals can request a copy of the data held and request that the data is not processes. Need to review and implement processes and controls to manage the rights / conditions. Right to access Right to rectification Right to be forgotten Right to restrict processing Right to data April 2018 Page 6 of 7

7 portability Right to object Right to automated decision making & profiling April 2018 Page 7 of 7