Data Flow Mapping And The GDPR - IT Governance

Transcription

Data Flow Mapping and the EU GDPR
Adrian Ross LLB (Hons), MBA, GRC Consultant, IT Governance Ltd
29 September 2016
www.itgovernance.co.uk

Introduction
Adrian Ross, GRC Consultant:
– Infrastructure services
– Business process re-engineering
– Business intelligence
– Business architecture
– Intellectual property
– Legal compliance
– Data protection and information security
– Enterprise risk management
Copyright IT Governance Ltd 2016 – v1.0

IT Governance Ltd: GRC one-stop shop
All verticals, all sectors, all organisational sizes

Agenda
– An overview of the regulatory landscape
– Territorial scope
– Remedies, liabilities and penalties
– Risk management and the GDPR
– Legal requirements for a DPIA
– Why and how to conduct a data flow mapping exercise
– What are the challenges
– What is an information flow
– The questions to ask
– Data flow mapping techniques

The nature of European law
Two main types of legislation:
– Directives
  º Require individual implementation in each member state
  º Implemented by the creation of national laws approved by the parliaments of each member state
  º European Directive 95/46/EC is a directive; the UK Data Protection Act 1998 is its UK implementation
– Regulations
  º Immediately applicable in each member state
  º Require no local implementing legislation
  º The EU GDPR is a regulation

Article 99: Entry into force and application
This Regulation shall be binding in its entirety and directly applicable in all member states.
KEY DATES
– On 8 April 2016 the Council adopted the Regulation.
– On 14 April 2016 the Regulation was adopted by the European Parliament.
– On 4 May 2016 the official text of the Regulation was published in the EU Official Journal in all the official languages.
– The Regulation entered into force on 24 May 2016 and will apply from 25 May 2018.
n/reform/index en.htm
Final text of the Regulation: 9-2016-REV-1/en/pdf

GDPR
The GDPR has eleven chapters:
1 Chapter I – General Provisions: Articles 1 - 4
2 Chapter II – Principles: Articles 5 - 11
3 Chapter III – Rights of the Data Subject: Articles 12 - 23
4 Chapter IV – Controller and Processor: Articles 24 - 43
5 Chapter V – Transfer of Personal Data to Third Countries: Articles 44 - 50
6 Chapter VI – Independent Supervisory Authorities: Articles 51 - 59
7 Chapter VII – Cooperation and Consistency: Articles 60 - 76
8 Chapter VIII – Remedies, Liabilities and Penalties: Articles 77 - 84
9 Chapter IX – Provisions Relating to Specific Processing Situations: Articles 85 - 91
10 Chapter X – Delegated Acts and Implementing Acts: Articles 92 - 93
11 Chapter XI – Final Provisions: Articles 94 - 99

Data protection model under the GDPR (diagram): the European Data Protection Board; the Information Commissioner's Office (ICO) as supervisory authority; data controllers (organisations) with duties; data subjects with rights; disclosure to third parties.

Articles 1 – 3: Who and where?
– Natural person: a living individual.
– Natural persons have rights associated with:
  – The protection of personal data.
  – The protection of natural persons with regard to the processing of personal data.
  – The unrestricted movement of personal data within the EU.
– In material scope:
  – Personal data that is processed wholly or partly by automated means.
  – Personal data that is part of a filing system, or intended to be.
– The Regulation applies to controllers and processors established in the EU, irrespective of where the processing takes place.
– The Regulation also applies to controllers and processors not established in the EU where the processing relates to offering goods or services to data subjects in the EU, or to monitoring their behaviour within the EU.

Remedies, liabilities and penalties
Article 79: Right to an effective judicial remedy against a controller or processor
– Judicial remedy where a data subject's rights have been infringed as a result of the processing of personal data:
  º In the courts of the member state where the controller or processor has an establishment.
  º In the courts of the member state where the data subject habitually resides.
Article 82: Right to compensation and liability
– Any person who has suffered material or non-material damage shall have the right to receive compensation from the controller or processor.
– A controller involved in processing shall be liable for damage caused by processing.
Article 83: General conditions for imposing administrative fines
– Imposition of administrative fines will in each case be effective, proportionate and dissuasive.
  º Fines shall take into account the technical and organisational measures implemented.
– Up to €20,000,000 or, in the case of an undertaking, 4% of total worldwide annual turnover in the preceding financial year (whichever is higher).

Remedies, liability and penalties (cont.)
Article 83(4): General conditions for imposing administrative fines
Up to €10,000,000 or, in the case of an undertaking, 2% of total worldwide annual turnover in the preceding financial year (whichever is greater), for infringements of:
– 8: Child's consent
– 11: Processing not requiring identification
– 25: Data protection by design and by default
– 26: Joint controllers
– 27: Representatives of controllers not established in the EU
– 28 - 30: Processors, processing under the authority of the controller or processor, records of processing activities
– 31: Cooperation with the supervisory authority
– 32: Security of processing
– 33: Notification of breaches to the supervisory authority
– 34: Communication of breaches to data subjects
– 35: Data protection impact assessment
– 36: Prior consultation
– 37 - 39: Data protection officers
– 41(4): Monitoring of approved codes of conduct
– 42: Certification
– 43: Certification bodies

Remedies, liability and penalties (cont.)
Article 83(5): General conditions for imposing administrative fines
Up to €20,000,000 or, in the case of an undertaking, 4% of total worldwide annual turnover in the preceding financial year (whichever is higher), for infringements of:
– 5: Principles relating to the processing of personal data
– 6: Lawfulness of processing
– 7: Conditions for consent
– 9: Processing of special categories of personal data (i.e. sensitive personal data)
– 12 - 22: Data subject rights to information, access, rectification, erasure, restriction of processing, data portability, objection, and protection against automated decision-making including profiling
– 44 - 49: Transfers to third countries
– 58(1): Requirement to provide access to the supervisory authority
– 58(2): Orders or limitations on processing, or the suspension of data flows

Risk management and the GDPR
RISK is mentioned over 60 times in the Regulation. It is important to understand privacy risk and integrate it into your risk framework.

What is risk?
– The effect of uncertainty on objectives (ISO 31000 etc.)
– The combination of the probability of an event and its consequences (IRM)
– A situation involving exposure to danger (OED)
– Uncertainty of outcome, within a range of exposure, arising from a combination of the impact and the probability of events (Orange Book, HM Treasury)
– The uncertainty of an event occurring that could have an impact on the achievement of objectives (Institute of Internal Auditors)

Standards and codes
– ISO 31000, Risk management – Principles and guidelines
  – AS/NZS 4360:2004, now replaced by ISO 31000
– ISO 31010, Risk management – Risk assessment techniques
– IRM/ALARM/AIRMIC – A risk management standard
– UK Combined Code, now the UK Corporate Governance Code
– OECD, Principles of corporate governance
– COSO, Enterprise risk management – Integrated framework
– Sector specific, e.g. clinical, food
– Discipline specific, e.g. ISO 27005 (information security risk)
– ISO 22301, Business continuity management

ISO 31000: Risk management
– Management framework approach
– PDCA model (adapted in ISO 27005 for information security risk)
– Generic (all risks)
– Very similar to a management system

Risk management process (ISO 31000)
– Establishing the context
– Risk assessment:
  – Risk identification
  – Risk analysis
  – Risk evaluation
– Risk treatment
Running alongside every step: communication and consultation; monitoring and review.

Enterprise risk management
Capabilities:
– Aligning risk appetite and strategy
– Enhancing risk response decisions
– Reducing operational surprises and losses
– Identifying and managing multiple and cross-enterprise risks
– Seizing opportunities
– Improving deployment of capital

Risk management
Organisational risk "landscape":
– Strategic
  – Business performance
  – Financial performance
  – Reputation
– Regulatory
  – Employment law
  – Health & safety
  – Company law
  – Statutory
  – Industry/sector specific compliance requirements
  – Licence to operate
– Operational
  – Output capacity
  – Demand response
  – Interruption and disruption
– Contractual
  – SLA targets/levels
  – Product/service availability
  – Quality/warranty

Information security
– Preservation of confidentiality, integrity and availability of information, and of the assets and processes that support and enable its acquisition, storage, use, protection and disposal.
– Wide variety of assets:
  – information
  – ICT
  – infrastructure
– Prevent compromise (loss, disclosure, corruption, etc.).
– Includes IT security and other forms of security:
  – physical
  – HR
  – supply chain

Legal requirements for a DPIA
Article 35: Data protection impact assessment
– The controller must seek the advice of the Data Protection Officer, where one has been designated.
– A DPIA is required in particular for processing that involves:
  – Systematic and extensive evaluation based on automated processing, including profiling
  – Decisions that produce legal effects concerning the natural person, or similarly significantly affect them
  – Large-scale processing of special categories of data
  – Data relating to criminal convictions and offences
  – Systematic monitoring of a publicly accessible area on a large scale
– Conduct a post-implementation review when the risk profile changes.

Legal requirements for a DPIA
Article 35: Data protection impact assessment
A DPIA must be performed where:
– New technologies are deployed
– The nature, scope, context and purposes of the processing demand it
– The processing is likely to result in a high risk to the rights and freedoms of natural persons
– A single assessment may address a set of similar processing operations that present similar high risks

Legal requirements for a DPIA
The DPIA will set out as a minimum:
– a description of the processing and its purposes;
– the legitimate interests pursued by the controller;
– an assessment of the necessity and proportionality of the processing;
– an assessment of the risks to the rights and freedoms of data subjects;
– the measures envisaged to address the risks;
– all safeguards and security measures to demonstrate compliance;
– an indication of timeframes if the processing relates to erasure;
– an indication of any data protection by design and by default measures;
– a list of recipients of personal data;
– compliance with approved codes of conduct;
– whether data subjects have been consulted.

Linking the DPIA to the privacy principles (Article 5)
1 Processed lawfully, fairly and in a transparent manner
2 Collected for specified, explicit and legitimate purposes
3 Adequate, relevant and limited to what is necessary
4 Accurate and, where necessary, kept up to date
5 Retained only for as long as necessary
6 Processed in an appropriate manner to maintain security
Accountability: the controller is responsible for, and must be able to demonstrate, compliance with the above.

How to conduct a data mapping exercise
The ICO staged approach to an effective DPIA:
1. Required when there is a change in the processing of personally identifiable information (PII).
2. Determine the information flows throughout the organisation in order to make a proper assessment of the privacy risks.
3. Identify the risks related to privacy and processing, including the necessity and proportionality of the change in processing.
4. Identify possible privacy solutions to address the risks that have been identified.
5. Assess how the data protection principles have been applied throughout the organisation.
6. Sign off and record the DPIA, including details of which privacy solutions are to be implemented.
7. Integrate the result of the DPIA back into the project plan.
8. Conduct a post-implementation review where the risk profile of the PII has changed.

Why and how to conduct a data mapping exercise

Data mapping – what are … (diagram): appropriate technical and organisational safeguards; understanding of legal and regulatory obligations; trust and confidence.

What is an information flow?
A transfer of information from one location to another. For example:
– Inside and outside the European Union.
– From suppliers and sub-suppliers through to customers.
When mapping an information flow, you should identify the interaction points between the parties involved.
NB: Cloud providers present their own challenges: the physical location of the data, the provider's own sub-processors and any onward transfer outside the EU are often not visible from the contract alone and need to be asked for explicitly.

Describing information flows
– Walk through the information lifecycle to identify unforeseen or unintended uses of the data.
– Ensure the people who will be using the information are consulted on the practical implications.
– Consider the potential future uses of the information collected, even if it is not immediately necessary.

Information flow – identify the key elements
– Data items: name, email, address; health data, criminal records; biometrics, location data
– Formats: hardcopy (paper records); digital (USB); database
– Transfer methods: post, telephone, social media; internal (within group); external (data sharing)
– Locations: offices; cloud; third parties

Data flow mapping – questions to ask
Workflow inputs and outputs:
– How is personal data collected (e.g. form, online, call centre, other)?
– Who is accountable for the personal data?
– What is the location of the systems/filing systems containing the data?
– Who has access to the information?
– Is the information disclosed/shared with anyone (e.g. suppliers, third parties)?
– Does the system interface with, or transfer information to, other systems?
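As an added example (not part of the slide deck, and not IT Governance's Data Flow Mapping Tool), the key elements and questions above can be captured in a small register so that the answers are checked mechanically rather than read off a whiteboard. Each flow is recorded with its data items, format, transfer method, accountable owner and the two locations it joins; the register then flags flows that need a closer look and, for the last question on the slide, follows system-to-system interfaces to find where data collected at one point can actually end up. The organisation, locations, flows and the short EU country list are constructed assumptions for illustration only.

```python
"""Minimal data flow register built from the key elements on the slides.

Two questions from the slides are answered:
  * review_flags(): which flows need a closer look (special-category data,
    disclosure to a third party, transfer outside the EU, portable media)?
  * downstream() / leaves_eu(): once system-to-system interfaces are
    followed, where can data collected at one point end up?

All locations and flows below are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass

# Assumption: a short EU/EEA list is enough for the example. A real register
# must keep the full EEA list plus countries covered by an adequacy decision.
EU_EEA = {"GB", "IE", "DE", "FR", "NL"}  # UK still a member state in 2016
SPECIAL_CATEGORY = {"health", "biometrics", "criminal_record", "ethnicity"}
PORTABLE_MEDIA = {"paper", "usb"}


@dataclass(frozen=True)
class Location:
    name: str
    country: str    # ISO 3166-1 alpha-2
    kind: str       # "office", "cloud" or "third_party"
    internal: bool  # True if inside the group of companies


@dataclass(frozen=True)
class Flow:
    source: Location
    destination: Location
    data_items: frozenset  # e.g. frozenset({"name", "email", "health"})
    fmt: str               # "paper", "usb" or "database"
    method: str            # "post", "email", "api", ...
    owner: str             # who is accountable for the personal data
    purpose: str


def review_flags(flow: Flow) -> set:
    """Flag one flow against the questions on the slides."""
    flags = set()
    if flow.data_items & SPECIAL_CATEGORY:
        flags.add("special_category")        # Art. 9 data; DPIA trigger at scale
    if not flow.destination.internal:
        flags.add("external_disclosure")     # shared with a supplier/third party
    if flow.destination.country not in EU_EEA:
        flags.add("third_country_transfer")  # Arts. 44-49 safeguards required
    if flow.fmt in PORTABLE_MEDIA:
        flags.add("portable_media")          # loss/theft risk, no access log
    return flags


def downstream(flows, start: Location) -> dict:
    """Breadth-first walk over the flow graph from `start`.

    Returns {location: set of data items that can reach it}. A hop only
    carries items that actually arrived at its source, so an item is never
    credited to a location it cannot reach along some chain of flows.
    """
    reach = {}
    queue = deque((f.destination, set(f.data_items)) for f in flows if f.source == start)
    while queue:
        loc, items = queue.popleft()
        known = reach.setdefault(loc, set())
        if items <= known:
            continue                         # nothing new arrived; stop here
        known |= items
        for f in flows:
            if f.source == loc and (f.data_items & known):
                queue.append((f.destination, set(f.data_items & known)))
    return reach


def leaves_eu(flows, start: Location) -> dict:
    """Data items collected at `start` that can end up outside the EU/EEA,
    even when every direct flow out of `start` stays inside it."""
    return {loc.name: items for loc, items in downstream(flows, start).items()
            if loc.country not in EU_EEA}


# --- constructed sample register (fictional organisation) -------------------
HR_SYSTEM = Location("HR system (London office)", "GB", "office", internal=True)
PAYROLL = Location("Payroll platform (Dublin)", "IE", "cloud", internal=True)
AGENCY = Location("Outsourced recruitment agency", "GB", "third_party", internal=False)
SCORING = Location("Candidate scoring SaaS (US region)", "US", "cloud", internal=False)
OCC_HEALTH = Location("Occupational health provider", "GB", "third_party", internal=False)

FLOWS = [
    Flow(HR_SYSTEM, PAYROLL, frozenset({"name", "address", "bank_account"}),
         "database", "api", "HR Director", "payroll"),
    Flow(HR_SYSTEM, AGENCY, frozenset({"name", "email", "cv"}),
         "database", "email", "HR Director", "recruitment"),
    # The agency's own onward interface: not visible from the HR team's flows.
    Flow(AGENCY, SCORING, frozenset({"name", "email", "cv", "health"}),
         "database", "api", "Agency account manager", "candidate scoring"),
    Flow(HR_SYSTEM, OCC_HEALTH, frozenset({"name", "health"}),
         "paper", "post", "HR Director", "fitness-to-work referral"),
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f"{f.source.name} -> {f.destination.name}: {sorted(review_flags(f)) or 'ok'}")
    for name, items in leaves_eu(FLOWS, HR_SYSTEM).items():
        print(f"leaves EU via {name}: {sorted(items)}")
```

The point of the walk is the last question on the slide: every direct flow out of the HR system stays inside the EU, yet following the agency's own interface shows that candidate name, email and CV reach a US-hosted service, which is the transfer the DPIA has to account for. The health data the agency holds is not credited to that hop, because it never came from HR; a register that only lists each system's outbound flows, without the join, would miss the first fact and a naive union of all downstream items would overstate the second.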

Data flow mapping – techniques
– Inspect existing documents
– Facilitation workshops
– Questionnaires
– Observation
– Whiteboard – freeform diagrams
– Template drawings (Visio, mind map tools)
– Post-it notes

Example information flow (diagram): HR data shared with recruitment services, an outplacement provider, outsourced services and third-party users.

Data Flow Mapping Tool
– Gain full visibility over the flow of data through your organisation
– Simplify the process of creating data flow maps
– Create consistent visual representations of the flow of personal data through all your business processes

IT Governance: GDPR one-stop shop
– Accredited training, one-day foundation course:
  – London or Cambridge: gdpr-training-course.aspx
  – Online: gdpr-online-training-course.aspx
– Practitioner course, classroom or online: ractitioner-gdpr-training-course.aspx
– Pocket guide: a-pocketguide.aspx
– Documentation toolkit: olkit.aspx
– Consultancy support:
  – Data audit
  – Transition/implementation consultancy
  – ltancy.aspx

Questions?
aross@itgovernance.co.uk
0845 070 1750
www.itgovernance.co.uk
