SlideShare une entreprise Scribd logo
1  sur  30
Télécharger pour lire hors ligne
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Appointing a Data Protection Officer
under the GDPR
Adrian Ross LLB (Hons), MBA
GRC Consultant
IT Governance Ltd
9 March 2017
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Introduction
• Adrian Ross
• GRC consultant
– Infrastructure services
– Business process re-engineering
– Business intelligence
– Business architecture
– Intellectual property
– Legal compliance
– Data protection and information security
– Enterprise risk management
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
IT Governance Ltd: GRC one-stop shop
All verticals, all sectors, all organisational sizes
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Agenda
• An overview of the regulatory landscape
• Territorial scope
• Remedies, liabilities and penalties
• Security of personal data
• Appointing a data protection officer under the GDPR
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
The nature of European law
• Two main types of legal instrument:
– Directives
º Require individual implementation in each member state
º Implemented by the creation of national laws approved by the parliaments of
each member state
º European Directive 95/46/EC is a directive
º UK Data Protection Act 1998
– Regulations
º Immediately applicable in each member state
º Requires no local laws to implement
º GDPR is a regulation
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Article 99: Entry into force and
application
“This Regulation shall be binding in its entirety and directly
applicable in all Member States.”
KEY DATES
• On 8 April 2016 the European Council adopted the Regulation.
• On 14 April 2016 the Regulation was adopted by the European Parliament.
• On 4 May 2016, the official text of the Regulation was published in the EU Official
Journal in all the official languages.
• The Regulation entered into force on 24 May 2016, and applies from 25 May 2018.
• http://ec.europa.eu/justice/data-protection/reform/index_en.htm
Final text of the Regulation: http://data.consilium.europa.eu/doc/document/ST-
5419-2016-REV-1/en/pdf
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Articles 1 – 3: Who, and where?
• Natural person = a living individual
• Natural persons have rights associated with:
– The protection of personal data
– The protection of the processing personal data
– The unrestricted movement of personal data within the EU
• In material scope:
– Personal data that is processed wholly or partly by automated means;
– Personal data that is part of a filing system, or intended to be.
• The Regulation applies to controllers and processors in the EU,
irrespective of where processing takes place.
• It also applies to controllers not in the EU
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Remedies, liabilities and penalties
• Natural persons have rights
– Judicial remedy where their rights have been infringed as a result of the
processing of personal data.
º In the courts of the member state where the controller or processor has an establishment.
º In the courts of the member state where the data subject habitually resides.
– Any person who has suffered material, or non-material, damage shall have the
right to receive compensation from the controller or processor.
– Controller involved in processing shall be liable for damage caused by
processing.
• Administrative fines
– Imposition of administrative fines will in each case be “effective, proportionate,
and dissuasive”
º taking into account technical and organisational measures implemented.
– €10,000,000 or, in the case of an undertaking, up to 2% of the total
worldwide annual turnover of the preceding financial year
– €20,000,000 or, in the case of an undertaking, 4% total worldwide
annual turnover in the preceding financial year
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Data breaches in the UK
• January to March 2016 - 448 new cases
• Data breaches by sector
– Health (184)
– Local government (43)
– Education (36)
– General business (36)
– Finance, insurance and credit (25)
– Legal (25)
– Charitable and voluntary (23)
– Justice (18)
– Land or property services (17)
– Other (41)
Source: UK Information Commissioner’s Office
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Key facts about cyber breaches
Number of data breaches detected in 2016
Median number of breaches per company
Costs associated with the most disruptive breaches
• Large organisations: Mean- £50k Highest- £3m
• Small organisations: Mean- £5k Highest- £100k
IPSOS Mori: 2016 Cyber Security
Breaches Survey
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Types of breach occurrence
IPSOS Mori: 2016 Cyber Security
Breaches Survey
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Article 33: Personal data breaches
• The definition of a personal data breach in GDPR:
– A "'personal data breach' means a breach of security leading to the accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or access to,
personal data transmitted, stored or otherwise processed" (Article 4(12)).
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Section 4: Data protection officers
Article 37: Designation of the data protection officer
• Organisations will have to appoint a DPO in three situations:
– Where the processing is carried out by a public authority or body;
– Where the organisation’s core activities require regular and systematic
monitoring of data subjects on a large scale; or
– Where core activities involve large-scale processing of sensitive personal data or
data relating to criminal convictions or offences.
• A DPO has the same legal status whether the appointment is
voluntary or mandatory
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Section 4: Data protection officers
• Article 37: Designation of the data protection officer
• Public authority or body
– Usually means national, regional or local authorities, but can also mean other public
bodies governed by applicable national laws:
º Public transport services;
º water and energy supply;
º road infrastructure;
º public service broadcasting;
º public housing;
º disciplinary bodies for regulated professions.
• Exception is courts acting in their judicial capacity.
• The Article 29 Working Party recommends that private organisations
carrying out public tasks or exercising public authority designate a
DPO.
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Section 4: Data protection officers
Article 37: Designation of the data protection officer
• Core activities
– The key operations necessary to achieve the controller’s or processor’s goals.
– Does not exclude processing that is an inextricable part of the controller’s or
processor’s activities.
– Necessary support functions of a business are ancillary to core activities.
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Section 4: Data protection officers
Article 37: Designation of the data protection officer
• Regular and systematic monitoring
– Not defined in the GDPR
• WP29 interprets ‘regular’ as meaning one or more of the following:
– Ongoing or occurring at particular intervals for a particular period
– Recurring or repeated at fixed times
– Constantly or periodically taking place
• WP29 interprets ‘systematic’ as meaning one or more of the following:
– Occurring according to a system
– Pre-arranged, organised or methodical
– Taking place as part of a general plan for data collection
– Carried out as part of a strategy
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Section 4: Data protection officers
Article 37: Designation of the data protection officer
• Monitoring
– Includes all forms of tracking and profiling on the Internet, including for the
purposes of behavioural advertising.
– Is not restricted to the online environment and online tracking should only be
considered one example of monitoring the behaviour of data subjects.
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Section 4: Data protection officers
Article 37: Designation of the data protection officer
• Large scale
– Not defined in the GDPR
• WP29 recommends considering the following factors:
– The number of data subjects concerned – either as a specific number or as a
proportion of the relevant population.
– The volume of data and/or the range of different data items being processed.
– The duration, or permanence, of the data processing activity.
– The geographical extent of the processing activity.
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Section 4: Data protection officers
Article 37: Designation of the data protection officer
• Examples of large-scale processing include:
– Processing of patient data in the regular course of business by a hospital
– Processing of travel data of individuals using a city’s public transport system (e.g.
tracking via travel cards)
– Processing of real time geolocation data of customers of an international fast
food chain for statistical purposes by a processor that specialises in providing
these services
– Processing of customer data in the regular course of business by an insurance
company or a bank
– Processing of personal data for behavioural advertising by a search engine
– Processing of data (content, traffic, location) by telephone or Internet service
providers
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Section 4: Data protection officers
• Article 37: Designation of the data protection officer
– Designation applies to both controllers and processors
– Designation on mandatory criteria but also good practice
– WP29 recommends that processor’s DPO oversees its controller’s activities
– Group undertakings can appoint a single DPO if they are easily accessible
– Accessible by data subjects and supervisory authorities, and also internally
– Communication must take place in the language used by the relevant parties
– May be appointed for several public authorities depending on structure and size
– DPO can represent categories of controllers and processors
– DPO designated on the basis of professional qualities and knowledge of data
protection law, but not legally qualified
– May fulfil the role as part of a service contract
– Controller or processor must publish DPOs contact details and notify supervisory
authority
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Section 4: Data protection officers
Article 38: Position of the data protection officer
– Organisations must ensure proper and timely involvement of the DPO
– Organisations must provide support through necessary resources
– DPO has a large degree of independence
– Protected role within the organisation
– Direct access to highest management
– Data subject must have clear access to DPO
– Bound by confidentiality in accordance with EU or member state law
– No conflict of interest arising from additional tasks or duties
– Involvement of the DPO will facilitate compliance with the GDPR
– Involvement of the DPO will ensure a data protection by design approach
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Section 4: Data protection officers
Article 39: Tasks of the data protection officer:
– To inform and advise controller, processor and employees of obligations;
– To monitor compliance, including assignment of responsibilities;
– To provide advice with regard to data protection impact assessments;
– To monitor performance of the data protection impact assessment;
– To cooperate with the supervisory authority;
– To liaise with the supervisory authority;
– To have due regard to risk associated with processing operations;
– To focus their efforts on issues that present higher data protection risks.
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Data protection impact assessment
• Article 35: Data protection impact assessment
• The controller shall seek the advice of the DPO when carrying out a
DPIA where a process is using new technologies, and taking into
account the nature, scope, context and purposes of the processing,
there is a high risk to the rights and freedoms of natural person
• A single DPIA may be particularly required where:
º "Automated processing, including profiling, informs decisions that produce
legal effects that concern, or similarly significantly affect, natural persons“;
º The processing is on a large scale of special categories of data or personal
data related to criminal convictions;
º "A publicly accessible area is systematically monitored on a large scale."
• A single DPIA may address sets of similar processing operations
that present similar high risks.
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Data protection impact assessment
• Article 35: Data protection impact assessment
• A data protection impact assessment shall contain the following:
– a systematic description of the purposes of the processing;
– any legitimate interest pursued by the controller;
– an assessment of the necessity and proportionality of the processing operations;
– an assessment of the risks to the rights and freedoms of data subjects;
– the measures envisaged to address the risks;
– adherence to approved codes of conduct;
– any consultation with data subjects on intended processing;
– any processing in relation to a law to which the controller is subject;
– any processing that changes the risk profile.
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Prior consultation
• Article 36: Prior consultation
• The controller shall consult the supervisory authority prior to
processing where the DPIA indicates a “high risk to the rights and
freedoms of the data subjects”.
– Supervisory authority shall provide written advice to the controller;
– Controller has to provide information on responsibilities of controller and
processor;
– Information on purposes and means of intended processing;
– Information on measures and safeguards taken to protect rights and freedoms;
– The contact details of the DPO;
– A copy of the data protection impact assessment;
– Any other information requested.
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Job summary: data protection officer
• The DPO is a strategic role that:
– Develops, coordinates and manages an organisation’s privacy strategy;
– Ensure that operations and business practices adhere to applicable privacy laws;
– Ensures privacy considerations and processes are incorporated into business
practices.
• Q: Should there be a specific board member with accountability for
the privacy strategy?
• Q: What relationship should the DPO have with professional legal
advisers?
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Data protection officers
The realities of the role of the data protection officer
• Legal knowledge of data protection regulations is necessary but not
enough
• Must also:
– Be able to articulate privacy by design and by default to delivery functions
– Have information security knowledge and skills
º An understanding of how to deliver C, I and A within a management framework
º A good understanding of risk management and risk assessments
– Be able to coordinate and advise on data breaches and notification
– Be able to make a cyber security incident response process work.
– Be able to carry out and interpret internal audits against compliance requirements
– Be familiar with codes of conduct for industry sector
– Have a good understanding of compliance standards and data marks
– Lead co-operation with supervisory authority
– Have excellent communication skills
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Cyber security assurance
• GDPR requirement – data controllers must implement “appropriate
technical and organisational measures to ensure and to be able to
demonstrate that the processing is performed in accordance with
this Regulation.”
– Must include appropriate data protection policies
– Organizations may use adherence to approved codes of conduct or management
system certifications “as an element by which to demonstrate compliance with
their obligations”
– ICO and BSI are both developing new GDPR-focused standards
• ISO 27001 already meets the “appropriate technical and
organisational measures” requirement
• It provides assurance to the board that data security is being
managed in accordance with the regulation
• It helps manage ALL information assets and all information security
within the organisation – protecting against ALL threats
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
IT Governance: GDPR one-stop shop
• Accredited training – one-Day Foundation Course
– London or Cambridge: www.itgovernance.co.uk/shop/p-1795-certified-eu-
general-data-protection-regulation-foundation-gdpr-training-course.aspx
– Online www.itgovernance.co.uk/shop/p-1834-certified-eu-general-data-
protection-regulation-foundation-gdpr-online-training-course.aspx
• Practitioner course, classroom or online
– www.itgovernance.co.uk/shop/p-1824-certified-eu-general-data-protection-
regulation-practitioner-gdpr-training-course.aspx
• Pocket guide www.itgovernance.co.uk/shop/p-1830-eu-gdpr-a-pocket-guide.aspx
• Documentation toolkit www.itgovernance.co.uk/shop/p-1796-eu-general-data-
protection-regulation-gdpr-documentation-toolkit.aspx
• Consultancy support
– Data audit
– Transition/implementation consultancy
– www.itgovernance.co.uk/dpa-compliance-consultancy.aspx
TM
© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
Questions?
aross@itgovernance.co.uk
0845 070 1750
www.itgovernance.co.uk

Contenu connexe

Tendances

Personal Data Protection in Indonesia
Personal Data Protection in IndonesiaPersonal Data Protection in Indonesia
Personal Data Protection in IndonesiaEryk Budi Pratama
 
GDPR and ISO 27001 - how to be compliant
GDPR and ISO 27001 - how to be compliantGDPR and ISO 27001 - how to be compliant
GDPR and ISO 27001 - how to be compliantIlesh Dattani
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...Cvent
 
Complying with Singapore Personal Data Protection Act - A Practical Guide
Complying with Singapore Personal Data Protection Act - A Practical GuideComplying with Singapore Personal Data Protection Act - A Practical Guide
Complying with Singapore Personal Data Protection Act - A Practical GuideDaniel Li
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss Preventiondj1arry
 
Privacy by design
Privacy by designPrivacy by design
Privacy by designblogzilla
 
Any Standard is Better Than None: GDPR and the ISO Standards
Any Standard is Better Than None: GDPR and the ISO StandardsAny Standard is Better Than None: GDPR and the ISO Standards
Any Standard is Better Than None: GDPR and the ISO StandardsPECB
 
GDPR Data Subject Rights - What You Need to Know
GDPR Data Subject Rights - What You Need to KnowGDPR Data Subject Rights - What You Need to Know
GDPR Data Subject Rights - What You Need to KnowPiwik PRO
 
[Presentation] GDPR - How to Ensure Compliance
[Presentation] GDPR - How to Ensure Compliance[Presentation] GDPR - How to Ensure Compliance
[Presentation] GDPR - How to Ensure ComplianceAIIM International
 
Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...IT Governance Ltd
 
Importance Of A Security Policy
Importance Of A Security PolicyImportance Of A Security Policy
Importance Of A Security Policycharlesgarrett
 
GDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationGDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationVicky Dallas
 
GDPR Presentation slides
GDPR Presentation slidesGDPR Presentation slides
GDPR Presentation slidesNaomi Holmes
 
Information security management system
Information security management systemInformation security management system
Information security management systemArani Srinivasan
 
Common Practice in Data Privacy Program Management
Common Practice in Data Privacy Program ManagementCommon Practice in Data Privacy Program Management
Common Practice in Data Privacy Program ManagementEryk Budi Pratama
 

Tendances (20)

Personal Data Protection in Indonesia
Personal Data Protection in IndonesiaPersonal Data Protection in Indonesia
Personal Data Protection in Indonesia
 
GDPR and ISO 27001 - how to be compliant
GDPR and ISO 27001 - how to be compliantGDPR and ISO 27001 - how to be compliant
GDPR and ISO 27001 - how to be compliant
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...
 
Complying with Singapore Personal Data Protection Act - A Practical Guide
Complying with Singapore Personal Data Protection Act - A Practical GuideComplying with Singapore Personal Data Protection Act - A Practical Guide
Complying with Singapore Personal Data Protection Act - A Practical Guide
 
An Overview of GDPR
An Overview of GDPR An Overview of GDPR
An Overview of GDPR
 
DLP
DLPDLP
DLP
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss Prevention
 
Privacy by design
Privacy by designPrivacy by design
Privacy by design
 
Any Standard is Better Than None: GDPR and the ISO Standards
Any Standard is Better Than None: GDPR and the ISO StandardsAny Standard is Better Than None: GDPR and the ISO Standards
Any Standard is Better Than None: GDPR and the ISO Standards
 
GDPR Data Subject Rights - What You Need to Know
GDPR Data Subject Rights - What You Need to KnowGDPR Data Subject Rights - What You Need to Know
GDPR Data Subject Rights - What You Need to Know
 
Privacy and Data Protection
Privacy and Data ProtectionPrivacy and Data Protection
Privacy and Data Protection
 
[Presentation] GDPR - How to Ensure Compliance
[Presentation] GDPR - How to Ensure Compliance[Presentation] GDPR - How to Ensure Compliance
[Presentation] GDPR - How to Ensure Compliance
 
Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...
 
Importance Of A Security Policy
Importance Of A Security PolicyImportance Of A Security Policy
Importance Of A Security Policy
 
GDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationGDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection Regulation
 
GDPR Presentation slides
GDPR Presentation slidesGDPR Presentation slides
GDPR Presentation slides
 
ISO 27701
ISO 27701ISO 27701
ISO 27701
 
Introduction to GDPR
Introduction to GDPRIntroduction to GDPR
Introduction to GDPR
 
Information security management system
Information security management systemInformation security management system
Information security management system
 
Common Practice in Data Privacy Program Management
Common Practice in Data Privacy Program ManagementCommon Practice in Data Privacy Program Management
Common Practice in Data Privacy Program Management
 

Similaire à Appointing a Data Protection Officer under the GDPR

The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...IT Governance Ltd
 
EU GDPR: The role of the data protection officer
EU GDPR: The role of the data protection officer EU GDPR: The role of the data protection officer
EU GDPR: The role of the data protection officer IT Governance Ltd
 
Revising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRRevising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRIT Governance Ltd
 
The GDPR and its requirements for implementing data protection impact assessm...
The GDPR and its requirements for implementing data protection impact assessm...The GDPR and its requirements for implementing data protection impact assessm...
The GDPR and its requirements for implementing data protection impact assessm...IT Governance Ltd
 
Data transfers to countries outside the EU/EEA under the GDPR
Data transfers to countries outside the EU/EEA under the GDPRData transfers to countries outside the EU/EEA under the GDPR
Data transfers to countries outside the EU/EEA under the GDPRIT Governance Ltd
 
The first steps towards GDPR compliance 
The first steps towards GDPR compliance The first steps towards GDPR compliance 
The first steps towards GDPR compliance IT Governance Ltd
 
Data Breaches and the EU GDPR
Data Breaches and the EU GDPRData Breaches and the EU GDPR
Data Breaches and the EU GDPRIT Governance Ltd
 
Accountability under the GDPR: What does it mean for Boards & Senior Management?
Accountability under the GDPR: What does it mean for Boards & Senior Management?Accountability under the GDPR: What does it mean for Boards & Senior Management?
Accountability under the GDPR: What does it mean for Boards & Senior Management?IT Governance Ltd
 
The GDPR’s impact on your business and preparing for compliance
The GDPR’s impact on your business and preparing for complianceThe GDPR’s impact on your business and preparing for compliance
The GDPR’s impact on your business and preparing for complianceIT Governance Ltd
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRIT Governance Ltd
 
GDPR: Requirements for Cloud Providers
GDPR: Requirements for Cloud ProvidersGDPR: Requirements for Cloud Providers
GDPR: Requirements for Cloud ProvidersIT Governance Ltd
 
EU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketingEU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketingIT Governance Ltd
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRIT Governance Ltd
 
eu-market-access-gdpr-fundamentals-by-risk-associates
eu-market-access-gdpr-fundamentals-by-risk-associateseu-market-access-gdpr-fundamentals-by-risk-associates
eu-market-access-gdpr-fundamentals-by-risk-associatesMohsin Termezy
 
GDPR: The Catalyst for Customer 360
GDPR: The Catalyst for Customer 360GDPR: The Catalyst for Customer 360
GDPR: The Catalyst for Customer 360DataStax
 
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideFLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideBlack Duck by Synopsys
 
GDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to complianceGDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to complianceIT Governance Ltd
 

Similaire à Appointing a Data Protection Officer under the GDPR (20)

The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
 
EU GDPR: The role of the data protection officer
EU GDPR: The role of the data protection officer EU GDPR: The role of the data protection officer
EU GDPR: The role of the data protection officer
 
Revising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRRevising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPR
 
The GDPR and its requirements for implementing data protection impact assessm...
The GDPR and its requirements for implementing data protection impact assessm...The GDPR and its requirements for implementing data protection impact assessm...
The GDPR and its requirements for implementing data protection impact assessm...
 
Data transfers to countries outside the EU/EEA under the GDPR
Data transfers to countries outside the EU/EEA under the GDPRData transfers to countries outside the EU/EEA under the GDPR
Data transfers to countries outside the EU/EEA under the GDPR
 
The first steps towards GDPR compliance 
The first steps towards GDPR compliance The first steps towards GDPR compliance 
The first steps towards GDPR compliance 
 
Data Breaches and the EU GDPR
Data Breaches and the EU GDPRData Breaches and the EU GDPR
Data Breaches and the EU GDPR
 
Accountability under the GDPR: What does it mean for Boards & Senior Management?
Accountability under the GDPR: What does it mean for Boards & Senior Management?Accountability under the GDPR: What does it mean for Boards & Senior Management?
Accountability under the GDPR: What does it mean for Boards & Senior Management?
 
The GDPR’s impact on your business and preparing for compliance
The GDPR’s impact on your business and preparing for complianceThe GDPR’s impact on your business and preparing for compliance
The GDPR’s impact on your business and preparing for compliance
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPR
 
GDPR: Requirements for Cloud Providers
GDPR: Requirements for Cloud ProvidersGDPR: Requirements for Cloud Providers
GDPR: Requirements for Cloud Providers
 
Preparing for EU GDPR
Preparing for EU GDPRPreparing for EU GDPR
Preparing for EU GDPR
 
EU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketingEU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketing
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPR
 
eu-market-access-gdpr-fundamentals-by-risk-associates
eu-market-access-gdpr-fundamentals-by-risk-associateseu-market-access-gdpr-fundamentals-by-risk-associates
eu-market-access-gdpr-fundamentals-by-risk-associates
 
Flight East 2018 Presentation–Data Breaches and the Law
Flight East 2018 Presentation–Data Breaches and the LawFlight East 2018 Presentation–Data Breaches and the Law
Flight East 2018 Presentation–Data Breaches and the Law
 
The general data protection act overview
The general data protection act overviewThe general data protection act overview
The general data protection act overview
 
GDPR: The Catalyst for Customer 360
GDPR: The Catalyst for Customer 360GDPR: The Catalyst for Customer 360
GDPR: The Catalyst for Customer 360
 
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideFLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
 
GDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to complianceGDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to compliance
 

Plus de IT Governance Ltd

GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksIT Governance Ltd
 
Business Continuity Management: How to get started
Business Continuity Management: How to get startedBusiness Continuity Management: How to get started
Business Continuity Management: How to get startedIT Governance Ltd
 
Staff awareness: developing a security culture
Staff awareness: developing a security cultureStaff awareness: developing a security culture
Staff awareness: developing a security cultureIT Governance Ltd
 
GDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on boardGDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on boardIT Governance Ltd
 
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...IT Governance Ltd
 
Creating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeCreating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeIT Governance Ltd
 
Risk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceRisk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceIT Governance Ltd
 
Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...IT Governance Ltd
 
NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...IT Governance Ltd
 
Privacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingPrivacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingIT Governance Ltd
 
Using international standards to improve US cybersecurity
Using international standards to improve US cybersecurityUsing international standards to improve US cybersecurity
Using international standards to improve US cybersecurityIT Governance Ltd
 
Using international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityUsing international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityIT Governance Ltd
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber securityIT Governance Ltd
 
Implementing PCI DSS v 2.0 and v 3.0
Implementing PCI DSS v 2.0 and v 3.0Implementing PCI DSS v 2.0 and v 3.0
Implementing PCI DSS v 2.0 and v 3.0IT Governance Ltd
 

Plus de IT Governance Ltd (14)

GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 
Business Continuity Management: How to get started
Business Continuity Management: How to get startedBusiness Continuity Management: How to get started
Business Continuity Management: How to get started
 
Staff awareness: developing a security culture
Staff awareness: developing a security cultureStaff awareness: developing a security culture
Staff awareness: developing a security culture
 
GDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on boardGDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on board
 
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
 
Creating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeCreating an effective cyber security awareness programme
Creating an effective cyber security awareness programme
 
Risk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceRisk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR compliance
 
Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...
 
NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...
 
Privacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingPrivacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failing
 
Using international standards to improve US cybersecurity
Using international standards to improve US cybersecurityUsing international standards to improve US cybersecurity
Using international standards to improve US cybersecurity
 
Using international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityUsing international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber security
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber security
 
Implementing PCI DSS v 2.0 and v 3.0
Implementing PCI DSS v 2.0 and v 3.0Implementing PCI DSS v 2.0 and v 3.0
Implementing PCI DSS v 2.0 and v 3.0
 

Dernier

Lecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb toLecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb toumarfarooquejamali32
 
Tata Kelola Bisnis perushaan yang bergerak
Tata Kelola Bisnis perushaan yang bergerakTata Kelola Bisnis perushaan yang bergerak
Tata Kelola Bisnis perushaan yang bergerakEditores1
 
Mihir Menda - Member of Supervisory Board at RMZ
Mihir Menda - Member of Supervisory Board at RMZMihir Menda - Member of Supervisory Board at RMZ
Mihir Menda - Member of Supervisory Board at RMZKanakChauhan5
 
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptxHELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptxHelene Heckrotte
 
Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..dlewis191
 
Project Brief & Information Architecture Report
Project Brief & Information Architecture ReportProject Brief & Information Architecture Report
Project Brief & Information Architecture Reportamberjiles31
 
Live-Streaming in the Music Industry Webinar
Live-Streaming in the Music Industry WebinarLive-Streaming in the Music Industry Webinar
Live-Streaming in the Music Industry WebinarNathanielSchmuck
 
Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024Winbusinessin
 
Introduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptxIntroduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptxJemalSeid25
 
Data skills for Agile Teams- Killing story points
Data skills for Agile Teams- Killing story pointsData skills for Agile Teams- Killing story points
Data skills for Agile Teams- Killing story pointsyasinnathani
 
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for BusinessQ2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for BusinessAPCO
 
MoneyBridge Pitch Deck - Investor Presentation
MoneyBridge Pitch Deck - Investor PresentationMoneyBridge Pitch Deck - Investor Presentation
MoneyBridge Pitch Deck - Investor Presentationbaron83
 
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)tazeenaila12
 
Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access
 
NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023Steve Rader
 
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...TalentView
 
Cracking the ‘Business Process Outsourcing’ Code Main.pptx
Cracking the ‘Business Process Outsourcing’ Code Main.pptxCracking the ‘Business Process Outsourcing’ Code Main.pptx
Cracking the ‘Business Process Outsourcing’ Code Main.pptxWorkforce Group
 
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003believeminhh
 
Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Lviv Startup Club
 
7movierulz.uk
7movierulz.uk7movierulz.uk
7movierulz.ukaroemirsr
 

Dernier (20)

Lecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb toLecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb to
 
Tata Kelola Bisnis perushaan yang bergerak
Tata Kelola Bisnis perushaan yang bergerakTata Kelola Bisnis perushaan yang bergerak
Tata Kelola Bisnis perushaan yang bergerak
 
Mihir Menda - Member of Supervisory Board at RMZ
Mihir Menda - Member of Supervisory Board at RMZMihir Menda - Member of Supervisory Board at RMZ
Mihir Menda - Member of Supervisory Board at RMZ
 
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptxHELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
 
Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..
 
Project Brief & Information Architecture Report
Project Brief & Information Architecture ReportProject Brief & Information Architecture Report
Project Brief & Information Architecture Report
 
Live-Streaming in the Music Industry Webinar
Live-Streaming in the Music Industry WebinarLive-Streaming in the Music Industry Webinar
Live-Streaming in the Music Industry Webinar
 
Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024
 
Introduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptxIntroduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptx
 
Data skills for Agile Teams- Killing story points
Data skills for Agile Teams- Killing story pointsData skills for Agile Teams- Killing story points
Data skills for Agile Teams- Killing story points
 
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for BusinessQ2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
 
MoneyBridge Pitch Deck - Investor Presentation
MoneyBridge Pitch Deck - Investor PresentationMoneyBridge Pitch Deck - Investor Presentation
MoneyBridge Pitch Deck - Investor Presentation
 
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
 
Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024
 
NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023
 
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...
TalentView Webinar: Empowering the Modern Workforce_ Redefininig Success from...
 
Cracking the ‘Business Process Outsourcing’ Code Main.pptx
Cracking the ‘Business Process Outsourcing’ Code Main.pptxCracking the ‘Business Process Outsourcing’ Code Main.pptx
Cracking the ‘Business Process Outsourcing’ Code Main.pptx
 
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
 
Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)
 
7movierulz.uk
7movierulz.uk7movierulz.uk
7movierulz.uk
 

Appointing a Data Protection Officer under the GDPR

  • 1. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Appointing a Data Protection Officer under the GDPR Adrian Ross LLB (Hons), MBA GRC Consultant IT Governance Ltd 9 March 2017
  • 2. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Introduction • Adrian Ross • GRC consultant – Infrastructure services – Business process re-engineering – Business intelligence – Business architecture – Intellectual property – Legal compliance – Data protection and information security – Enterprise risk management
  • 3. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 IT Governance Ltd: GRC one-stop shop All verticals, all sectors, all organisational sizes
  • 4. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Agenda • An overview of the regulatory landscape • Territorial scope • Remedies, liabilities and penalties • Security of personal data • Appointing a data protection officer under the GDPR
  • 5. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 The nature of European law • Two main types of legal instrument: – Directives º Require individual implementation in each member state º Implemented by the creation of national laws approved by the parliaments of each member state º European Directive 95/46/EC is a directive º UK Data Protection Act 1998 – Regulations º Immediately applicable in each member state º Requires no local laws to implement º GDPR is a regulation
  • 6. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Article 99: Entry into force and application “This Regulation shall be binding in its entirety and directly applicable in all Member States.” KEY DATES • On 8 April 2016 the European Council adopted the Regulation. • On 14 April 2016 the Regulation was adopted by the European Parliament. • On 4 May 2016, the official text of the Regulation was published in the EU Official Journal in all the official languages. • The Regulation entered into force on 24 May 2016, and applies from 25 May 2018. • http://ec.europa.eu/justice/data-protection/reform/index_en.htm Final text of the Regulation: http://data.consilium.europa.eu/doc/document/ST- 5419-2016-REV-1/en/pdf
  • 7. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Articles 1 – 3: Who, and where? • Natural person = a living individual • Natural persons have rights associated with: – The protection of personal data – The protection of the processing personal data – The unrestricted movement of personal data within the EU • In material scope: – Personal data that is processed wholly or partly by automated means; – Personal data that is part of a filing system, or intended to be. • The Regulation applies to controllers and processors in the EU, irrespective of where processing takes place. • It also applies to controllers not in the EU
  • 8. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Remedies, liabilities and penalties • Natural persons have rights – Judicial remedy where their rights have been infringed as a result of the processing of personal data. º In the courts of the member state where the controller or processor has an establishment. º In the courts of the member state where the data subject habitually resides. – Any person who has suffered material, or non-material, damage shall have the right to receive compensation from the controller or processor. – Controller involved in processing shall be liable for damage caused by processing. • Administrative fines – Imposition of administrative fines will in each case be “effective, proportionate, and dissuasive” º taking into account technical and organisational measures implemented. – €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year – €20,000,000 or, in the case of an undertaking, 4% total worldwide annual turnover in the preceding financial year
  • 9. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Data breaches in the UK • January to March 2016 - 448 new cases • Data breaches by sector – Health (184) – Local government (43) – Education (36) – General business (36) – Finance, insurance and credit (25) – Legal (25) – Charitable and voluntary (23) – Justice (18) – Land or property services (17) – Other (41) Source: UK Information Commissioner’s Office
  • 10. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Key facts about cyber breaches Number of data breaches detected in 2016 Median number of breaches per company Costs associated with the most disruptive breaches • Large organisations: Mean- £50k Highest- £3m • Small organisations: Mean- £5k Highest- £100k IPSOS Mori: 2016 Cyber Security Breaches Survey
  • 11. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Types of breach occurrence IPSOS Mori: 2016 Cyber Security Breaches Survey
  • 12. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Article 33: Personal data breaches • The definition of a personal data breach in GDPR: – A "'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (Article 4(12)).
  • 13. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Section 4: Data protection officers Article 37: Designation of the data protection officer • Organisations will have to appoint a DPO in three situations: – Where the processing is carried out by a public authority or body; – Where the organisation’s core activities require regular and systematic monitoring of data subjects on a large scale; or – Where core activities involve large-scale processing of sensitive personal data or data relating to criminal convictions or offences. • A DPO has the same legal status whether the appointment is voluntary or mandatory
  • 14. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Section 4: Data protection officers • Article 37: Designation of the data protection officer • Public authority or body – Usually means national, regional or local authorities, but can also mean other public bodies governed by applicable national laws: º Public transport services; º water and energy supply; º road infrastructure; º public service broadcasting; º public housing; º disciplinary bodies for regulated professions. • Exception is courts acting in their judicial capacity. • The Article 29 Working Party recommends that private organisations carrying out public tasks or exercising public authority designate a DPO.
  • 15. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Section 4: Data protection officers Article 37: Designation of the data protection officer • Core activities – The key operations necessary to achieve the controller’s or processor’s goals. – Does not exclude processing that is an inextricable part of the controller’s or processor’s activities. – Necessary support functions of a business are ancillary to core activities.
  • 16. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Section 4: Data protection officers Article 37: Designation of the data protection officer • Regular and systematic monitoring – Not defined in the GDPR • WP29 interprets ‘regular’ as meaning one or more of the following: – Ongoing or occurring at particular intervals for a particular period – Recurring or repeated at fixed times – Constantly or periodically taking place • WP29 interprets ‘systematic’ as meaning one or more of the following: – Occurring according to a system – Pre-arranged, organised or methodical – Taking place as part of a general plan for data collection – Carried out as part of a strategy
  • 17. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Section 4: Data protection officers Article 37: Designation of the data protection officer • Monitoring – Includes all forms of tracking and profiling on the Internet, including for the purposes of behavioural advertising. – Is not restricted to the online environment and online tracking should only be considered one example of monitoring the behaviour of data subjects.
  • 18. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Section 4: Data protection officers Article 37: Designation of the data protection officer • Large scale – Not defined in the GDPR • WP29 recommends considering the following factors: – The number of data subjects concerned – either as a specific number or as a proportion of the relevant population. – The volume of data and/or the range of different data items being processed. – The duration, or permanence, of the data processing activity. – The geographical extent of the processing activity.
  • 19. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Section 4: Data protection officers Article 37: Designation of the data protection officer • Examples of large-scale processing include: – Processing of patient data in the regular course of business by a hospital – Processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards) – Processing of real time geolocation data of customers of an international fast food chain for statistical purposes by a processor that specialises in providing these services – Processing of customer data in the regular course of business by an insurance company or a bank – Processing of personal data for behavioural advertising by a search engine – Processing of data (content, traffic, location) by telephone or Internet service providers
  • 20. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Section 4: Data protection officers • Article 37: Designation of the data protection officer – Designation applies to both controllers and processors – Designation on mandatory criteria but also good practice – WP29 recommends that processor’s DPO oversees its controller’s activities – Group undertakings can appoint a single DPO if they are easily accessible – Accessible by data subjects and supervisory authorities, and also internally – Communication must take place in the language used by the relevant parties – May be appointed for several public authorities depending on structure and size – DPO can represent categories of controllers and processors – DPO designated on the basis of professional qualities and knowledge of data protection law, but not legally qualified – May fulfil the role as part of a service contract – Controller or processor must publish DPOs contact details and notify supervisory authority
  • 21. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Section 4: Data protection officers Article 38: Position of the data protection officer – Organisations must ensure proper and timely involvement of the DPO – Organisations must provide support through necessary resources – DPO has a large degree of independence – Protected role within the organisation – Direct access to highest management – Data subject must have clear access to DPO – Bound by confidentiality in accordance with EU or member state law – No conflict of interest arising from additional tasks or duties – Involvement of the DPO will facilitate compliance with the GDPR – Involvement of the DPO will ensure a data protection by design approach
  • 22. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Section 4: Data protection officers Article 39: Tasks of the data protection officer: – To inform and advise controller, processor and employees of obligations; – To monitor compliance, including assignment of responsibilities; – To provide advice with regard to data protection impact assessments; – To monitor performance of the data protection impact assessment; – To cooperate with the supervisory authority; – To liaise with the supervisory authority; – To have due regard to risk associated with processing operations; – To focus their efforts on issues that present higher data protection risks.
  • 23. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Data protection impact assessment • Article 35: Data protection impact assessment • The controller shall seek the advice of the DPO when carrying out a DPIA where a process is using new technologies, and taking into account the nature, scope, context and purposes of the processing, there is a high risk to the rights and freedoms of natural person • A single DPIA may be particularly required where: º "Automated processing, including profiling, informs decisions that produce legal effects that concern, or similarly significantly affect, natural persons“; º The processing is on a large scale of special categories of data or personal data related to criminal convictions; º "A publicly accessible area is systematically monitored on a large scale." • A single DPIA may address sets of similar processing operations that present similar high risks.
  • 24. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Data protection impact assessment • Article 35: Data protection impact assessment • A data protection impact assessment shall contain the following: – a systematic description of the purposes of the processing; – any legitimate interest pursued by the controller; – an assessment of the necessity and proportionality of the processing operations; – an assessment of the risks to the rights and freedoms of data subjects; – the measures envisaged to address the risks; – adherence to approved codes of conduct; – any consultation with data subjects on intended processing; – any processing in relation to a law to which the controller is subject; – any processing that changes the risk profile.
  • 25. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Prior consultation • Article 36: Prior consultation • The controller shall consult the supervisory authority prior to processing where the DPIA indicates a “high risk to the rights and freedoms of the data subjects”. – Supervisory authority shall provide written advice to the controller; – Controller has to provide information on responsibilities of controller and processor; – Information on purposes and means of intended processing; – Information on measures and safeguards taken to protect rights and freedoms; – The contact details of the DPO; – A copy of the data protection impact assessment; – Any other information requested.
  • 26. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Job summary: data protection officer • The DPO is a strategic role that: – Develops, coordinates and manages an organisation’s privacy strategy; – Ensure that operations and business practices adhere to applicable privacy laws; – Ensures privacy considerations and processes are incorporated into business practices. • Q: Should there be a specific board member with accountability for the privacy strategy? • Q: What relationship should the DPO have with professional legal advisers?
  • 27. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Data protection officers The realities of the role of the data protection officer • Legal knowledge of data protection regulations is necessary but not enough • Must also: – Be able to articulate privacy by design and by default to delivery functions – Have information security knowledge and skills º An understanding of how to deliver C, I and A within a management framework º A good understanding of risk management and risk assessments – Be able to coordinate and advise on data breaches and notification – Be able to make a cyber security incident response process work. – Be able to carry out and interpret internal audits against compliance requirements – Be familiar with codes of conduct for industry sector – Have a good understanding of compliance standards and data marks – Lead co-operation with supervisory authority – Have excellent communication skills
  • 28. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Cyber security assurance • GDPR requirement – data controllers must implement “appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with this Regulation.” – Must include appropriate data protection policies – Organizations may use adherence to approved codes of conduct or management system certifications “as an element by which to demonstrate compliance with their obligations” – ICO and BSI are both developing new GDPR-focused standards • ISO 27001 already meets the “appropriate technical and organisational measures” requirement • It provides assurance to the board that data security is being managed in accordance with the regulation • It helps manage ALL information assets and all information security within the organisation – protecting against ALL threats
  • 29. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 IT Governance: GDPR one-stop shop • Accredited training – one-Day Foundation Course – London or Cambridge: www.itgovernance.co.uk/shop/p-1795-certified-eu- general-data-protection-regulation-foundation-gdpr-training-course.aspx – Online www.itgovernance.co.uk/shop/p-1834-certified-eu-general-data- protection-regulation-foundation-gdpr-online-training-course.aspx • Practitioner course, classroom or online – www.itgovernance.co.uk/shop/p-1824-certified-eu-general-data-protection- regulation-practitioner-gdpr-training-course.aspx • Pocket guide www.itgovernance.co.uk/shop/p-1830-eu-gdpr-a-pocket-guide.aspx • Documentation toolkit www.itgovernance.co.uk/shop/p-1796-eu-general-data- protection-regulation-gdpr-documentation-toolkit.aspx • Consultancy support – Data audit – Transition/implementation consultancy – www.itgovernance.co.uk/dpa-compliance-consultancy.aspx
  • 30. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Questions? aross@itgovernance.co.uk 0845 070 1750 www.itgovernance.co.uk