Data Mapping & Data Subject Rights

Presentation transcript:

Data Mapping & Data Subject Rights (Session 4). Peter Murphy, Director; Ioanna Karariga, Chief Digital Information Officer; Vienna International School.

Why data mapping is needed: protecting data can be difficult and data breaches are common (~10% employee error or negligence, ~7% accidental exposure, ~5% insider theft). Right now, protecting data can be difficult. It’s often spread across, and copied to, a number of different environments, and it’s hard to know where it is located and who should be allowed to access it. This data sprawl inevitably leaves organizations open to data breaches, and not just from hackers. In its 2017 end-of-year review of data breaches, the Identity Theft Resource Center reported that ~10% of breaches were caused by employee error or negligence, ~7% were a result of accidental exposure, and ~5% were down to insider theft. Image source: adetiq.co.uk

Why is data mapping needed? Article 30 of the regulation places a legal requirement on organizations to maintain a record of the processing activities under their responsibility and to make it available to the relevant supervisory authority on request. Image source: onetrust.com

What needs to be included in the record of processing activities?
- The purposes of processing the data (customer management, marketing, etc.)
- The categories of individuals involved (customers, patients, etc.)
- The categories of personal data being processed (financial information, health data, etc.)
- The categories of any recipients of the data (suppliers, credit reference agencies, etc.)
- Details of any transfers to other countries
- How long the data will be kept
- The technical and organizational security measures in place (encryption, access controls, etc.)

Rights of the individuals. Organizations that employ fewer than 250 people need only document processing activities that are undertaken regularly, are likely to result in a risk to the rights and freedoms of individuals, involve special category data, or involve data relating to criminal convictions and offences. For everyone else, Article 30 is the key to being compliant – and to demonstrating compliance – and will also help meet other aspects of the GDPR. It will aid in drafting the privacy notice, for example, which is now required whenever personal data is collected. It will enable organizations to respond to requests from individuals for access to their data, or for its rectification or erasure, faster and more easily. Image source: childbasepartnership.com

Why is data mapping important? It will give organizations an accurate picture of what data they hold, where it is, and whether it is data which needs to be protected. That knowledge, in turn, will immediately flag up any access controls that are required, and where measures like pseudonymization, encryption, anonymization and aggregation should be adopted. If copies of databases are used in development and testing, for example, personal data should be masked. This is where data mapping comes in – the process of discovering and classifying data so that it can then be protected and managed in a consistent, reliable way. Image source: superiorvan.com
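As an added example (not the VIS procedure, the 9ine template, or any code from the presentation), the following Python script shows how a data map of the kind described above can drive the masking of a database copy before it is used in development or testing: direct identifiers become keyed pseudonyms that stay consistent across tables, special category data is suppressed, and any field missing from the map stops the export. The field names, classifications and sample records are constructed for the example.

```python
import hashlib
import hmac

# Constructed data map: each field is classified the way a data-mapping
# exercise would classify it. Names and classes are illustrative only.
DATA_MAP = {
    "student_id": "identifier",         # direct identifier -> keyed pseudonym
    "name": "identifier",
    "parent_email": "identifier",
    "grade": "operational",             # not personal data on its own -> kept
    "health_note": "special_category",  # Art. 9 data -> suppressed in test copies
}

def pseudonymize(value: str, key: bytes) -> str:
    """Keyed, consistent pseudonym (truncated HMAC-SHA256): the same value gives
    the same token under one key, so joins still work in the test copy, but the
    token cannot be reversed without the key, which stays out of dev/test."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def unmapped_fields(record: dict) -> list:
    """Fields the data map does not cover; non-empty means the map is incomplete."""
    return [f for f in record if f not in DATA_MAP]

def mask_record(record: dict, key: bytes) -> dict:
    """Apply the data map to one record; fail closed if any field is unmapped."""
    missing = unmapped_fields(record)
    if missing:
        raise KeyError(f"fields not in data map: {missing}")
    masked = {}
    for field, value in record.items():
        cls = DATA_MAP[field]
        if cls == "identifier":
            masked[field] = pseudonymize(str(value), key)
        elif cls == "special_category":
            masked[field] = None
        else:
            masked[field] = value
    return masked

def mask_export(records: list, key: bytes) -> list:
    """Masked copy of a whole export, e.g. before loading it into a test database."""
    return [mask_record(r, key) for r in records]

SAMPLE = [  # constructed: two school years of records for one student
    {"student_id": "S-1001", "name": "A. Example", "grade": 7, "health_note": "nut allergy"},
    {"student_id": "S-1001", "name": "A. Example", "grade": 8, "health_note": None},
]

if __name__ == "__main__":
    for row in mask_export(SAMPLE, b"example-key-kept-outside-test-env"):
        print(row)
```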

Vienna International School approach. At VIS we conducted a Data Mapping Audit Procedure using a modified version of the 9ine template. The original version was very detailed, and without formal training, filling it out was not a realistic goal. We distributed it to almost 40 areas of responsibility and, after a short training session, gathered the data from the people responsible for each area. Image source: https://www.9ine.uk.com/services#further

Vienna International School approach. From there, we began auditing the tools each area uses and the data retention periods that should apply. We produced a list of compliant software, which is updated continuously, and a Data Retention Schedule for all data processed in our school. Image source: computerworld.com

Vienna International School findings. This procedure revealed that, as an organisation, we gather a lot of data for many different purposes. VIS has a laptop distribution model for teachers, and a lot of data stays on those machines as local copies. Image source: securedatarecovery.com

Vienna International School findings. Teachers tend to use many free online tools for their lessons, and changing that practice to comply with GDPR was, and still is, a big challenge. Student photos used to be taken and distributed freely to parents, and parents were used to taking photos at special events (concerts, field trips, school events). Some people find accepting a new practice very challenging. Image source: slideshare.net

Vienna International School findings. The multiple systems in the school do not provide a single log of entries per student, which makes responding to a subject access request (SAR) a very challenging procedure. Image source: privacycompliancehub.com