Running a Privacy Impact Assessment (PIA)

Running a Privacy Impact Assessment (PIA) Presenter: John Ghent

The GDPR & PIAs
Article 33 – Data Protection Impact Assessment and Prior Consultation
“Where a type of processing … result in a high risk for the rights and freedoms of individuals, the controller shall … carry out an assessment of the impact.”
The assessment shall contain at least:
(a) a systematic description…
(b) an assessment of the necessity and proportionality…
(c) an assessment of the risks…
(d) the measures envisaged to address the risks…

The GDPR & PIAs – what’s involved
A data protection impact assessment referred to in paragraph 1 shall in particular be required in the following cases:
(a) …based on automated processing, including profiling, and on which decisions are based that produce legal effects…
(b) processing on a large scale of special categories of data referred to in Article 9(1)…
(c) a systematic monitoring of a publicly accessible area on a large scale.

The GDPR & PIAs – who’s involved
Article 33 (The Data Protection Commissioner): The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the European Data Protection Board.
Article 37 (Data Protection Officer): to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 33.

What is a Privacy Impact Assessment (PIA)?
A process specifically designed to identify and address Data Protection risks within a new or existing project. It covers:
- the provenance of the data;
- what processing is done on the data;
- where the data is sent and to whom;
- when the data is deleted or anonymised.

Who should be involved in a PIA?
- Operations
- IT
- DPO
- Compliance
Engagement can vary depending on the customer and the complexity of the processing.

PIA – a six-step process
1. Stakeholders, Entities & Systems
2. Identify Processes
3. Workflow Analysis
4. Data Protection Assessment
5. Risk Analysis
6. Implementation

Step 1: Stakeholders, Systems and Entities
A complete list of stakeholders, entities and systems. Anyone or anything that comes into contact with data should be considered in this category. This could be a job role, a person, a third party, a computer system, etc.

Step 2: Identify Processes
A complete list of data management processes. A process is any event that is required to complete a business function. Focus on processes that involve personal and sensitive personal data.

Step 3: Workflow Analysis
For the processes identified in Step 2, we map each relevant process into appropriate swim lanes. These swim lanes identify:
- what data is processed;
- which systems have visibility of this data;
- where this data is sent.

Step 3: Workflow Analysis (swim-lane diagram, deliberately blurred)

Step 4: Data Protection Assessment
For each process identified in Step 3, we categorise the processing according to current and upcoming Data Protection legislation, areas of consideration and evaluation of potential risk. The numbers in the sub-process above indicate that Rules 1, 2 and 6 are relevant for consideration by the DPO when assessing this particular process.

Step 5: Risk Analysis
A Risk Register is created in parallel with Step 4 to measure risk against likelihood and severity. Each risk is recorded with the following columns:
- Ref Number
- Risk
- Date Raised
- Likelihood
- Impact
- Score
- Action
- Status

Step 5: Likelihood and Impact scales
Score 1
  Likelihood: Never happened and unlikely to ever happen
  Impact: Low to no DP-related impact (brand, operational, commercial)
Score 2
  Likelihood: Has happened but very rarely
  Impact: Minor impact, easily resolved
Score 3
  Likelihood: Happens from time to time
  Impact: Significant impact to company brand; could trigger a user complaint or ODPC investigation
Score 4
  Likelihood: Happens frequently but not continuously
  Impact: May trigger a breach notification process and damaging to company brand; could result in penalties and likely an investigation
Score 5
  Likelihood: Happening continuously
  Impact: Should trigger a breach notification process and severely damaging to company brand; will trigger an investigation from the ODPC and likely fines

Step 5: Point-in-time score card (slide image)

Step 6: Implementation
An agreed implementation plan is formalised into the following columns:
- Ref Number
- Problem
- Resolution
- Agreed Action
- Complete
- Old Score
- New Likelihood
- New Impact
- New Score
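To make the Step 5 register and the Step 6 re-scoring concrete, here is a small added example (written for this transcript, not the presenter's own material). It assumes Score = Likelihood × Impact on the slide's 1–5 scales, since the slides list a Score column without defining the formula, and the register entries are constructed.

```python
# Added example (not from the presentation): Step 5 risk register with Step 6 re-scoring.
# Assumed Score = Likelihood x Impact on the slide's 1-5 scales; the slides do not define it.
from dataclasses import dataclass

def score(likelihood: int, impact: int) -> int:
    """Assumed rule: likelihood x impact, both integers on the 1-5 scale."""
    if not all(isinstance(v, int) and 1 <= v <= 5 for v in (likelihood, impact)):
        raise ValueError("likelihood and impact must be integers 1..5")
    return likelihood * impact

@dataclass
class Risk:                  # Step 5 register columns, then Step 6 columns
    ref: str
    risk: str
    date_raised: str
    likelihood: int
    impact: int
    action: str = ""
    status: str = "Open"
    agreed_action: str = ""
    complete: bool = False
    new_likelihood: int = 0  # 0 = not yet re-assessed
    new_impact: int = 0

    def in_force(self) -> tuple:
        """(likelihood, impact) that apply now: Step 6 values once Complete, else the originals."""
        if self.complete and self.new_likelihood and self.new_impact:
            return self.new_likelihood, self.new_impact
        return self.likelihood, self.impact

    def current_score(self) -> int:
        return score(*self.in_force())

def implement(risk: Risk, agreed_action: str, new_likelihood: int, new_impact: int) -> Risk:
    """Step 6: record the agreed action, mark it Complete and re-assess the risk."""
    score(new_likelihood, new_impact)  # validate before touching the register
    risk.agreed_action, risk.complete, risk.status = agreed_action, True, "Closed"
    risk.new_likelihood, risk.new_impact = new_likelihood, new_impact
    return risk

def score_card(register: list) -> list:
    """Step 5 point-in-time score card as (ref, score, notify_review) rows, highest first;
    notify_review is True at impact 4 or 5, the levels the slide ties to breach notification."""
    rows = sorted(register, key=lambda r: r.current_score(), reverse=True)
    return [(r.ref, r.current_score(), r.in_force()[1] >= 4) for r in rows]

REGISTER = [  # constructed sample entries, illustrative only
    Risk("R1", "CVs forwarded to a third party by plain e-mail", "2017-10-01", 3, 4),
    Risk("R2", "Leaver records never deleted or anonymised", "2017-10-01", 5, 3),
]
```

Calling `score_card(REGISTER)` before and after `implement(...)` shows the Old Score / New Score movement the Step 6 plan tracks, with impact-4 and impact-5 items flagged for the DPO's breach-notification review.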

Overview & recap
1. Stakeholders, Entities & Systems
2. Identify Processes
3. Workflow Analysis
4. Data Protection Assessment
5. Risk Analysis
6. Implementation