The Role of the Data Protection Officer

Similar documents
Data Breaches and the EU GDPR

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements

Conducting a data flow mapping exercise under the GDPR. Presented by: Alan Calder, founder and executive chairman, IT Governance 4 October 2017

NIS, GDPR and Cyber Security: Convergence of Cyber Security and Compliance Risk

The GDPR: The catalyst for customer July 2017

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

Motorola Mobility Binding Corporate Rules (BCRs)

How the GDPR will impact your software delivery processes

General Data Protection Regulation (GDPR)

EU General Data Protection Regulation (GDPR) Achieving compliance

Cybersecurity Considerations for GDPR

Data Protection and GDPR

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

Element Finance Solutions Ltd Data Protection Policy

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

AIRMIC ENTERPRISE RISK MANAGEMENT FORUM

Creative Funding Solutions Limited Data Protection Policy

Eco Web Hosting Security and Data Processing Agreement

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

GDPR: A QUICK OVERVIEW

GDPR and the Privacy Shield

CNPD Course: Data Protection Basics

DATA PROCESSING TERMS

GDPR AND GRC: GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE FOR DATA PROTECTION

Introductory guide to data sharing. lewissilkin.com

First aid toolkit for the management of data breaches. Mary Deligianni Senior Associate 15 February 2018

General Data Protection Regulation (GDPR) The impact of doing business in Asia

General Data Protection Regulation (GDPR) Key Facts & FAQ s

SCHOOL SUPPLIERS. What schools should be asking!

PS Mailing Services Ltd Data Protection Policy May 2018

General Data Protection Regulation (GDPR)

General Data. Protection Regulations MAY Martin Chapman Head of Ops & Sales Microminder. Presentation Micro Minder Ltd 2017

GDPR compliance: some basics & practical to do list

GDPR - Are you ready?

Regulating Cyber: the UK s plans for the NIS Directive

Data Processing Agreement

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

You will see lots of references in the Checklist to the GDPR Pack if you would like to purchase this, go to

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

ADIENT VENDOR SECURITY STANDARD

NEWSFLASH GDPR N 8 - New Data Protection Obligations

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

G DATA Whitepaper. The new EU General Data Protection Regulation - What businesses need to know

GDPR Compliance. Clauses

This guide is for informational purposes only. Please do not treat it as a substitute of a professional legal

DATA PROTECTION POLICY THE HOLST GROUP

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

Privacy Code of Conduct on mhealth apps the role of soft-law in enhancing trust ehealth Week 2016

UWC International Data Protection Policy

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

Data Protection Policy

Data Sheet The PCI DSS

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

Getting ready for GDPR

Preparing for the GDPR

Exploring the European Commission s Network and Information Security Directive (NIS) What every CISO should know

Prohire Software Systems Limited ("Prohire")

BHBIA New Data Protection Rules. Pharma Company Perspective. Guy Murray Director, Market Research & Analytics, GC&BI MR Operations and Compliance, MSD

DATA PROCESSING AGREEMENT

Data Processing Clauses

Our agenda. The basics

How icims Supports. Your Readiness for the European Union General Data Protection Regulation

IMPACT OF INTERNATIONAL PRIVACY REGULATIONS. Michelle Caswell, Coalfire Julia Jacobson, K&L Gates

Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679)

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

Embedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere

DATA PROTECTION A GUIDE FOR USERS

NOTIFICATION FOR PRIOR CHECKING INFORMATION TO BE GIVEN(2)

The GDPR Are you ready?

Getting ready for GDPR. Philipp Hobler EMEA Field CTO Global Technology Office Dell EMC Data Protection Solutions

Q&A for Citco Fund Services clients The General Data Protection Regulation ( GDPR )

GDPR Customer Briefing. How Creditsafe is using GDPR to drive better business

Google Cloud & the General Data Protection Regulation (GDPR)

Embedding GDPR into the SDLC

EU GDPR & ISO Integrated Documentation Toolkit integrated-documentation-toolkit

Royal Mail Consultation: Changes to Postal Schemes to reflect new data protection legislation

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

EXAM PREPARATION GUIDE

Knowing and Implementing the GDPR Part 3

Islam21c.com Data Protection and Privacy Policy

All you need to know and do to comply with the EU General Data Protection Regulation

NYDFS Cybersecurity Regulations

falanx Cyber ISO 27001: How and why your organisation should get certified

Data Breach Notification: what EU law means for your information security strategy

DATA PROCESSING AGREEMENT

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

GLOBAL DATA PROTECTION POLICY

I GOT ROBBED! HOW NYS AND THE US SHOULD PROTECT YOUR DATA ONLINE

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

TRULY INDEPENDENT CYBER SECURITY SPECIALISTS. Cyber Major

Data Processing Agreement

RVC DATA PROTECTION POLICY

GDPR How to Comply in an HPE NonStop Environment. Steve Tcherchian GTUG Mai 2018

Disruptive Technologies Legal and Regulatory Aspects. 16 May 2017 Investment Summit - Swiss Gobal Enterprise

Transcription:

The Role of the Data Protection Officer Adrian Ross LLB (Hons), MBA GRC Consultant IT Governance Ltd 28 July 2016 www.itgovernance.co.uk

Introduction Adrian Ross GRC consultant Infrastructure services Business process re-engineering Business intelligence Business architecture Intellectual property Legal compliance Data protection and information security Enterprise risk management 2

IT Governance Ltd: GRC One-stop shop All verticals, all sectors, all organisational sizes

Agenda TM An overview of the regulatory landscape Territorial scope Remedies, liabilities and penalties Security of personal data Data protection officer 4

The nature of European law Two main types of legislation: Directives º Require individual implementation in each Member State º Implemented by the creation of national laws approved by the parliaments of each Member State º European Directive 95/46/EC is a Directive º UK Data Protection Act 1998 Regulations º Immediately applicable in each Member State º Require no local implementing legislation º EU GDPR is a Regulation

Article 99: Entry into force and application TM This Regulation shall be binding in its entirety and directly applicable in all Member States. KEY DATES On 8 April 2016 the Council adopted the Regulation. On 14 April 2016 the Regulation was adopted by the European Parliament. On 4 May 2016, the official text of the Regulation was published in the EU Official Journal in all the official languages. The Regulation entered into force on 24 May 2016, and applies from 25 May 2018. http://ec.europa.eu/justice/data-protection/reform/index_en.htm Final Text of the Directive: http://data.consilium.europa.eu/doc/document/st- 5419-2016-REV-1/en/pdf

Articles 1 3: Who, and where? Natural person = a living individual Natural persons have rights associated with: The protection of personal data The protection of the processing personal data The unrestricted movement of personal data within the EU In material scope: Personal data that is processed wholly or partly by automated means; Personal data that is part of a filing system, or intended to be. The Regulation applies to controllers and processors in the EU irrespective of where processing takes place. It applies to controllers not in the EU

Remedies, liabilities and penalties Natural Persons have rights Judicial remedy where their rights have been infringed as a result of the processing of personal data. º In the courts of the Member State where the controller or processor has an establishment. º In the courts of the Member State where the data subject habitually resides. Any person who has suffered material, or non-material, damage shall have the right to receive compensation from the controller or processor. Controller involved in processing shall be liable for damage caused by processing. Administrative fines Imposition of administrative fines will in each case be effective, proportionate, and dissuasive º taking into account technical and organisational measures implemented; 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year 20,000,000 or, in case of an undertaking, 4% total worldwide annual turnover in the preceding financial year

Data breaches in the UK January to March 2016-448 new cases Data breaches by sector Health (184) Local government (43) Education (36) General business (36) Finance, insurance and credit (25) Legal (25) Charitable and voluntary (23) Justice (18) Land or property services (17) Other (41) Source: UK Information Commissioner s Office

Key facts about cyber breaches Which organisations suffered data breaches in 2015? 69% of large organisations 38% of small organisation What was the median number of breaches per company? Large organisations: 14 Small organisations: 4 What was the average cost of the worst single breach? Large organisations: 1.46m - 3.14m Small organisations: 75k - 311k What will happen next year? 59% of respondents expect more breaches this year than last PwC and BIS: 2015 ISBS Survey 10 60% of breached small organisations close down within 6 months National Cyber Security Alliance

What sorts of breaches? Of Large Organisations: External attack 69% Malware or viruses 84% Denial of service 37% Network penetration (detected) 37% (if you don t think you ve been breached, you re not looking hard enough) Know they ve suffered IP theft 19% Staff-related security breaches 75% Breaches caused by inadvertent human error 50% PwC and BIS: 2015 ISBS Survey 11

Article 33: Personal data breaches TM The definition of a personal data breach in GDPR: A 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Section 4: Data protection officers Article 37: Designation of the data protection officer DPOs appointed in three situations: Where the processing is carried out by a public body; Where core activities require regular and systematic monitoring of personal data on a large scale; Where core activities involve large-scale processing of sensitive personal data. Module IV

Section 4: Data protection officers TM Article 37: Designation of the data protection officer Group undertakings can appoint a single DPO Where controller or processor is a public authority a single DPO may be appointed for several such authorities depending on structure and size DPO can represent categories of controllers and processors DPO designated on the basis of professional qualities and knowledge of data protection law, but not legally qualified May fulfill the role as part of a service contract Controller or processor must publish DPO and notify supervisory authority

Section 4: Data protection officers Article 38: Position of the data protection officer Controller and processor must ensure proper and timely involvement of the DPO Controller and processor must provide support through necessary resources DPO has a large degree of independence Protected role within the organisation Direct access to highest management Data subject has clear access to DPO Bound by confidentiality in accordance with EU law No conflict of interest arising from additional tasks or duties Module IV

Section 4: Data protection officers Article 39: Tasks of the data protection officer: to inform and advise of obligations; to monitor compliance; to provide advice with regard to data protection impact assessments; to monitor performance to cooperate with the supervisory authority; to liaise with the supervisory authority; to have due regard to risk associated with processing operations. To advise on data protection impact assessments Module IV

Data protection impact assessment Article 35: Data protection impact assessment The controller shall seek the advice of the DPO where a process is using new technologies, and taking into account the nature, scope, context and purposes of the processing, there is a high risk to the rights and freedoms of natural persons DPIA is particularly required where: º Taking into account automated processing including profiling there are legal effects concerning natural persons; º The processing is on a large scale of special categories of data or personal data related to criminal convictions; º A systematic monitoring of publicly accessible area on a large scale.

Data protection impact assessment Article 35: Data protection impact assessment A data protection impact assessment shall contain the following: a systematic description of the purposes and means of the processing: any legitimate interest pursued by the controller; an assessment of the necessity and proportionality of the processing operations; an assessment of the risks to the rights and freedoms of data subjects; the measures envisaged to address the risks; adherence to approved codes of conduct; any consultation with data subjects on intended processing; any processing in relation to a law to which the controller is subject; any processing that changes the risk profile.

Prior consultation Article 36: Prior consultation Controller shall consult the supervisory authority prior to processing where the DPIA indicates a high risk to the rights and freedoms of the data subjects : Supervisory authority shall provide written advice to the controller Request for controller to provide further information Information on purposes and means Information on measures and safeguards The contact details of the DPO A copy of the data protection impact assessment Any other information requested

Section 4: Data protection officers The realities of the role of the data protection officer Legal knowledge of data protection Regulation is not enough Must also have information security knowledge and skills An understanding of how to deliver C, I and A within a management framework A good understanding of risk management and risk assessments Familiarity with and adherence to codes of conduct for industry sector A good understanding of compliance standards and data marks Able to carry out and interpret internal audits information security standard Understand and be able to articulate privacy by design to delivery functions Able to coordinate and advise on data breaches and notification Able to make a cyber security incident response process work. Leads co-operation with supervisory authority

Section 4: Data protection officers Where does the role sit within the organisation Outside delivery functions of IT or Business The role is about delivering compliance You cant have compliance under the direction of the delivery team The DPO should sit within a Risk, Compliance or Governance function. Independent of the business with direct access to the Board An effective DPO should ensure that Data Protection is on Board Agenda Company Directors now being considered personally liable for Data Breaches Begin with EU GDPR Foundation Course

GDPR - Summary TM Complete overhaul of data protection framework Covers all forms of PII, including biometric, genetic and location data Applies across all member states of the European Union Applies to all organisations processing the data of EU citizens wherever those organisations are geographically based Specific requirements around rights of data subjects, obligations on controllers and processors, including privacy by design Administrative penalties for breach up to 4% revenue or 20 million Intended to be dissuasive Data subjects have a right to bring actions (in their home state) and to receive damages if their human rights have been breached Fines to take into account the technical and organisational measures implemented

Information security TM Processes People Technology

Cyber security assurance GDPR requirement data controllers must implement: appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with the regulation. Must include appropriate data protection policies Organizations may use adherence to approved codes of conduct or management system certifications as an element by which to demonstrate compliance with their obligations ICO and BSI are both developing new GDPR-focused standards ISO 27001 already meets the appropriate technical and organisational measures requirement It provides assurance to the board that data security is being managed in accordance with the regulation It helps manage ALL information assets and all information security within the organisation protecting against ALL threats

IT Governance: GDPR one-stop shop Accredited training 1-Day Foundation Course London OR Cambridge: http://www.itgovernance.co.uk/shop/p-1795-certified-eugeneral-data-protection-regulation-foundation-gdpr-training-course.aspx ONLINE http://www.itgovernance.co.uk/shop/p-1834-certified-eu-general-dataprotection-regulation-foundation-gdpr-online-training-course.aspx Practitioner course, classroom or online www.itgovernance.co.uk/shop/p-1824-certified-eu-general-data-protectionregulation-practitioner-gdpr-training-course.aspx Pocket guide www.itgovernance.co.uk/shop/p-1830-eu-gdpr-a-pocket-guide.aspx Documentation toolkit www.itgovernance.co.uk/shop/p-1796-eu-general-dataprotection-regulation-gdpr-documentation-toolkit.aspx Consultancy support Data audit Transition/implementation consultancy www.itgovernance.co.uk/dpa-compliance-consultancy.aspx

Questions? aross@itgovernance.co.uk 0845 070 1750 www.itgovernance.co.uk

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback