Managing privacy with a privacy program: Governance and Structure
Nordic Privacy Arena – Stockholm, 24 October 2017
Paul Breitbarth – Director of EU Certification Research & Senior Solutions Advisor

Copyright © 2017 by Nymity Inc. All rights reserved. This document is provided “as is” without any express or implied warranty. This document does not constitute legal advice and if you require legal advice you should consult with an attorney. Forwarding this document outside your organisation is prohibited. Reproduction or use of this document for commercial purposes requires the prior written permission of Nymity Inc.
WWW.NYMITY.COM

Outline
• Understanding Accountability under the GDPR
• Dealing with Technical and Organisational Measures
• Operationalising Accountability at Enterprise and Project Level
146 Business Days Left

Introducing Nymity
A Data Privacy Research and Software Company
• Research: 27 full-time privacy professionals / 11 lawyers (38 IAPP certifications)
• Innovation: Compliance content, methodologies, software solutions
• Free Thought Leadership: 1 framework and 4 methodologies, 2 regulator projects
• Established: 2002 – 15 years’ experience – same mandate: “Support the Privacy Office”
• Solid & Stable: Steady growth, profitable, no debt
• Customer First: We strive to be your solutions partner
• Headquarters: Toronto (CA)
• Global Presence: London (UK), The Hague (NL), Boulder, Colorado (US) & Bogotá (COL)

Demonstrating Compliance under the GDPR
The Enterprise and Project Approach
Enterprise Level ⇣ – Article 24 GDPR: Appropriate technical and organisational measures
Project Level ⇡ – Article 30 GDPR: Records of Processing Activities Register; Article 35 GDPR (if high risk): data protection impact assessments

Demonstrating Compliance under the GDPR
Three obligations (Enterprise Level ⇣)
The GDPR requires organisations not only to be accountable, but also to demonstrate compliance. There are three main obligations (Article 24(1) GDPR):
1. Organisations need to implement appropriate technical and organisational measures to meet the requirements of the GDPR.
2. Organisations need to ensure they can demonstrate their data processing operations are compliant with the GDPR.
3. Organisations need to ensure their technical and organisational measures are reviewed on a regular basis and, where needed, brought up to date.

Demonstrating Compliance under the GDPR
Structured Privacy Management (Enterprise Level ⇣)
Structured Privacy Management will help you tell the story behind your Privacy Policy and illustrate it with supporting documents. It means you embed your technical and organisational measures (ongoing Privacy Management Activities) throughout the organisation, resulting in the ability to Demonstrate Accountability and Compliance with Evidence.
• RESPONSIBILITY: Privacy Management Activities have been implemented and are maintained on an ongoing basis.
• OWNERSHIP: Privacy Management Activities are embedded throughout the organisation within each function or business unit that processes personal data.
• EVIDENCE: Documentation is produced as a result of a Privacy Management Activity that can be used as Evidence of Accountability and Compliance.

Demonstrating Compliance under the GDPR
Accountable Organisations (Enterprise Level ⇣)
Organisations with the capacity to comply are accountable organisations. An Accountable Organisation:
• Invests in compliance with structured privacy management;
• Embeds privacy throughout the organisation;
• Ensures data protection is not only the responsibility of the privacy office;
• Has one person taking the lead per department, reporting back to the privacy office;
• Tailors its appropriate technical and organisational measures to the characteristics of the department and the organisation.

Demonstrating Compliance under the GDPR
At Enterprise Level ⇣
• Top-down approach, coordinated by the privacy office / DPO
• Focus on implementing the appropriate technical and organisational measures in the organisation and ensuring they are operationalised
• Ask your privacy liaisons in the business to report on their privacy management activities on a regular basis
• Self-reporting

Demonstrating Compliance under the GDPR
The Compliance Capacity Report (Enterprise Level ⇣)

Demonstrating Compliance under the GDPR
The Compliance Capacity Report (Enterprise Level ⇣)
• Ties the technical and organisational measures that are maintained to the relevant provisions of the law
• Reflects the organisation’s structured approach to recording appropriate technical and organisational measures (collected evidence, questions & owners)
• Could be generated for the organisation as a whole, for one or more departments (‘reportable units’), or at an aggregated country or operational level
• Could be generated automatically at set intervals or “as needed”


Demonstrating Compliance under the GDPR
The GDPR Compliance Toolkit (Enterprise Level ⇣)
www.nymity.com/gdpr-toolkit/


Demonstrating Compliance under the GDPR
At Project Level ⇡
• Bottom-up approach:
  – The business records all processing activities as required by Article 30 GDPR
• The Processing Activities Register provides the foundation for other elements of your privacy program:
  – Purpose
  – Grounds for processing
  – Retention periods
  – Etc.
• On the basis of the Processing Activity Record, the business can identify if the processing is high risk
  – If so, complete a DPIA to demonstrate that risks and harms to the rights and freedoms of individuals were mitigated effectively

Demonstrating Compliance under the GDPR
Using the Accountability PIA™ (Project Level ⇡)
• Organisations can mitigate identified risks using Accountability Mechanisms
  – internal policies, procedures, guidelines, etc., developed to protect personal data
• Tying the Accountability Mechanisms to a data processing operation helps to mitigate risk in reality and allows for an effectiveness assessment
• An Accountability PIA™ report provides valuable granular insight into data processing operations AND risk mitigation
  – Relevant for the DPA when following up on complaints or undertaking an investigation


Questions

146 Business Days Left
Thank You!
www.nymity.com/GDPR-toolkit | paul.breitbarth@nymity.com | @Nymity / @Euro.Paul.B