DATA PROTECTION
STEPS YOUR ORGANISATION CAN TAKE TO ENSURE COMPLIANCE
Presented by
Rishi Maharaj
Executive Director
EquiGov Institute
"It takes 20 years to build a reputation and five minutes to ruin it." – Warren Buffett
Digital Economy and Data
"Data is the new oil. Data is just like crude. It’s valuable, but if unrefined it cannot really be used." – Clive Humby
"We have for the first time an economy based on a key resource [information] that is not only renewable, but self-generating. Running out of it is not a problem, but drowning in it is."
Our personal digital footprint, an ineradicable record of every electronic interaction, keeps growing. Our email traffic, internet search history, geotagged images on our smartphones and social media sites, retail purchases, loyalty programme transactions, invoice payments, toll road payments and medical records all add to the unique tread that makes up the footprint.

People’s day-to-day movements are so predictable that even anonymised location data can be linked back to identified individuals with relative ease once it is correlated with other outside information. Our movement patterns are so repetitive that as few as four data points that include place, date and time are enough to single out an individual in a large dataset: stripping names and account identifiers from a location trace does not by itself make it anonymous.
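As an added illustration (not part of the EquiGov slides), the Python below computes the "unicity" of anonymised location traces: for each person, the share of p-point subsets of their trace that no other trace contains. This is the measurement behind the four-points result the slide alludes to (de Montjoye et al., "Unique in the Crowd", Scientific Reports, 2013, found that four spatio-temporal points identify about 95% of people in a 1.5-million-user mobile-phone dataset). The pseudonyms, cell IDs, hours and region map are constructed for the example. It also shows the usual mitigation, generalising location to a coarser region, which collapses these sample traces into one.

```python
"""Unicity of anonymised location traces (added example, constructed data)."""
from itertools import combinations
from math import comb
import random
from typing import Dict, FrozenSet, Iterable, List, Mapping, Tuple

Point = Tuple[str, int]   # (cell/antenna id, hour of the day the phone was seen there)
Trace = FrozenSet[Point]  # one person's set of (where, when) observations

# Constructed sample: four pseudonymised users, four observations each.
# No names or identifiers are present, yet most traces are still distinguishable.
SAMPLE_TRACES: Dict[str, Trace] = {
    "u1": frozenset({("A", 8), ("B", 12), ("C", 18), ("D", 22)}),
    "u2": frozenset({("A", 8), ("B", 12), ("C", 18), ("E", 22)}),
    "u3": frozenset({("A", 8), ("B", 12), ("F", 18), ("E", 22)}),
    "u4": frozenset({("G", 8), ("B", 12), ("F", 18), ("E", 22)}),
}

# Hypothetical map from cell id to a coarser region, used for the mitigation below.
REGIONS = {"A": "north", "G": "north", "B": "centre",
           "C": "south", "F": "south", "D": "east", "E": "east"}


def matching_users(traces: Mapping[str, Trace], points: Iterable[Point]) -> List[str]:
    """Pseudonyms whose trace contains every one of `points` (the attacker's side information)."""
    wanted = set(points)
    return [uid for uid, trace in traces.items() if wanted <= trace]


def unicity(traces: Mapping[str, Trace], p: int, max_subsets: int = 200, seed: int = 0) -> float:
    """Average, over users, of the fraction of p-point subsets of their trace that
    match that user alone.  Exhaustive when C(n, p) is small, sampled otherwise."""
    rng = random.Random(seed)
    total = 0.0
    for uid, trace in traces.items():
        pts = sorted(trace)
        if len(pts) < p:
            continue                      # too few observations: counts as not identified
        if comb(len(pts), p) <= max_subsets:
            subsets = combinations(pts, p)
        else:
            subsets = (tuple(rng.sample(pts, p)) for _ in range(max_subsets))
        n = unique = 0
        for subset in subsets:
            n += 1
            if matching_users(traces, subset) == [uid]:
                unique += 1
        total += unique / n
    return total / len(traces)


def coarsen(traces: Mapping[str, Trace], region_of: Mapping[str, str],
            hours_per_bucket: int = 1) -> Dict[str, Trace]:
    """Generalise each point to (region, time bucket): the standard k-anonymity-style mitigation."""
    return {
        uid: frozenset((region_of.get(cell, cell), hour // hours_per_bucket) for cell, hour in trace)
        for uid, trace in traces.items()
    }


if __name__ == "__main__":
    print("points  unicity (raw)  unicity (coarsened to region)")
    coarse = coarsen(SAMPLE_TRACES, REGIONS)
    for p in range(1, 5):
        print(f"{p:>6}  {unicity(SAMPLE_TRACES, p):13.3f}  {unicity(coarse, p):29.3f}")
```

On the sample, unicity climbs from 0.125 with one known point to 1.0 with four, while the region-coarsened copy never singles anyone out. The practical check is to run the same measurement on a real extract before a "pseudonymised" dataset is shared: if a handful of points already identifies most people, the extract should still be handled as personal data, and the resolution of time or place reduced until it does not.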
Data protection: Steps Organisations can take to ensure compliance
Data Protection Laws
• Data protection is about safeguarding our fundamental right to privacy, which is enshrined in international and regional laws and conventions.
• Data protection is commonly defined as the body of law designed to protect personal information that is collected, processed and stored by “automated” means, or that is intended to form part of a filing system.
[Slide diagram: "unreasonable intrusion" set against the "reasonable expectation of privacy"; General Data Protection Regulation]
WHAT STEPS CAN YOUR ORGANISATION TAKE
The ten steps, in order:
1. Buy In from the Top
2. Appoint a Point Person or Team
3. KYD: Know Your Data
4. Legal Compliance Requirements
5. Analyse Your Risk
6. Policy
7. Process
8. Training and Awareness
9. Monitor
10. Audit
1. Buy In from the Top
Top management should:
• convey to all staff its support for cultivating a culture that respects personal data privacy, and its commitment to implementing the privacy management programme (PMP), through staff meetings or internal circulars;
• appoint a privacy point person (or privacy officer);
• endorse the programme controls and the PMP as a whole;
• allocate adequate resources (including finance and manpower) to implement the PMP;
• actively participate in the assessment and review of the PMP;
• report to the Board on the programme regularly.
2. Appoint a Point Person or Team
• Depending on your organisation’s size, or on the sort of data it collects and stores, some regulations will require a formal Data Protection Officer (DPO); even where this is not mandatory, appointing one will make creating a solid data privacy strategy much easier.
• In more practical terms, having a person in charge of your data privacy efforts will make sure the next steps (creating a data inventory, mapping requirements, analysing risks, creating both policies and procedures, monitoring compliance)
3. KYD: Know Your Data
• It is not possible to protect that which you do not know.
• Once you have approval for your new data privacy strategy, someone (or a whole team) should be assigned the task of creating a data inventory.
• This should include every piece of information stored or processed by your company, whether electronically or in hard copy.
• The idea is understanding what sort of data is
  • WHY … is personal data processed?
  • WHOSE … personal data is processed?
  • WHAT … personal data is processed?
  • WHEN … is personal data processed?
  • WHERE … is personal data processed?
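A data inventory usually begins by finding where personal data already lives, since the people who own a system rarely know every field that holds it. The Python below is an added example, not from the slides: it scans constructed sample records from two hypothetical systems, a CRM export and a support-ticket dump, with simple detectors for email addresses, international phone numbers and payment-card numbers, and rolls the hits up into a WHERE (source, field) to WHAT (category, record count) table that seeds the inventory. The card detector checks the Luhn checksum, so a 16-digit order number is not mislabelled as a card; that validation matters because each false positive is a wasted follow-up and each miss is a blind spot in the inventory. The detectors, sources and records are assumptions made for the example.

```python
"""Seed a personal-data inventory by scanning sample records (added example, constructed data)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple, Union

# Constructed sample standing in for two systems the inventory must cover.
# Addresses use reserved example.* domains; card numbers are published industry test numbers.
CRM_ROWS = [
    {"id": "1001", "name": "A. Example", "email": "a.example@example.org",
     "phone": "+1 202 555 0143", "notes": ""},
    {"id": "1002", "name": "B. Example", "email": "b.example@example.net",
     "phone": "", "notes": "paid with 4111 1111 1111 1111"},
]
TICKETS = [
    "Customer c.example@example.com asks for deletion of her account (ticket 77)",
    "Refund to card 5500 0000 0000 0004 failed; callback on +44 20 7946 0958",
    "Internal note: order 1234 5678 9012 3456 shipped",   # card-shaped but fails Luhn
]

DETECTORS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+\d[\d ]{8,14}\d"),                          # international format only
    "payment_card": re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)"),    # 13 to 19 digits
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of `number`; separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the inventory is not itself a new copy of the data."""
    return "*" * (len(value) - 4) + value[-4:]


def classify(text: str) -> List[Tuple[str, str]]:
    """All (category, masked value) hits in `text`; card hits that fail the checksum are dropped."""
    hits = []
    for category, rx in DETECTORS.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if category == "payment_card" and not luhn_ok(value):
                continue
            hits.append((category, mask(value)))
    return hits


Record = Union[Dict[str, str], str]


def build_inventory(sources: Dict[str, Iterable[Record]]) -> Dict[Tuple[str, str], Dict[str, int]]:
    """WHERE -> WHAT: (source, field) -> {category: number of records with a hit}.
    Structured records are scanned field by field; free-text records as one 'text' field."""
    inventory: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for source, records in sources.items():
        for rec in records:
            fields = rec.items() if isinstance(rec, dict) else [("text", rec)]
            for field, value in fields:
                for category in {c for c, _ in classify(str(value))}:
                    inventory[(source, field)][category] += 1
    return {where: dict(what) for where, what in inventory.items()}


if __name__ == "__main__":
    for (source, field), what in sorted(build_inventory({"crm": CRM_ROWS, "tickets": TICKETS}).items()):
        print(f"{source}.{field:<8} {what}")
```

The output is only the WHAT and WHERE of the inventory; WHY, WHOSE and WHEN still have to come from the system owners, which is why the point person interviews them with this table in hand rather than instead of it. Note the free-text ticket dump carries card and contact data that nobody intended to store there, which is typical and is exactly what the scan is for.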
4. Legal Compliance Requirements
Now that you know your data, it is time to understand its privacy requirements. These depend on what sort of data your company stores and processes and on your line of business. For example, since 25 May 2018 the General Data Protection Regulation (GDPR) has applied to any organisation, including those located outside the EU, that offers goods or services to, or monitors the behaviour of, data subjects in the EU.
5. Analyse Your Risk
• A risk-based approach is your safest bet for making sure every data privacy vulnerability, threat source, and their combined impact is properly understood so that it can be adequately treated.
• Privacy risk is defined as the “potential loss of control over personal information”.
• Impact assessment is an important part of any PMP to ensure that the privacy policies and practices of organisations are and remain compliant with
6. Policy
• The principles in a personal data protection policy set the tone and provide guidance for the organisation’s treatment of personal data.
• Organisations should develop and communicate a personal data protection policy for both internal stakeholders (e.g. staff) and external parties (e.g. customers). This gives internal stakeholders clarity on their responsibilities and on the processes for handling personal data in their day-to-day work.
7. Process
• Processes turn the policy into day-to-day tasks.
• Common procedures include the steps required for customer consent, retention of records, secure data disposal, international data transfers and complaints handling, amongst others.
• One way to translate data protection policies into business processes is to adopt a Privacy by Design (PbD) approach, in which organisations consider the protection of personal data from the earliest possible design stage of any project and throughout the project’s operational lifecycle. This can be as simple as putting data protection considerations in the
• Establish a process for data breach incidents.
• Personal data breaches can occur for various reasons, such as malicious activity, human error or computer system error. Organisations should develop and implement a personal data breach management process to address breach incidents. The plan may include the following set of activities (CAR):
  • C – Containing the breach
  • A – Assessing the risk
  • R – Reporting the incident
8. Training and Awareness
• A sound PMP requires all members of an organisation to be aware of, and ready to act on, their personal data protection obligations. The organisation should provide employees with up-to-date training and education tailored to specific needs. It should also document its training processes and measure participation and effectiveness.
• It is not possible to achieve significant corporate cultural change without educating every involved party. For instance, while ordinary employees should at least understand the basic requirements for working with personal data, some specialised functions, including IT staff, the security team, Legal, auditors and even the point person, may require advanced training, especially if they are expected to
9. Monitor
• The effectiveness of programme controls should be monitored, periodically audited and, where necessary, revised. Organisations may consider the following factors before deciding whether the programme controls should be revised:
  • What are the latest threats and risks?
  • Are the programme controls addressing new threats and reflecting the latest complaint or audit findings?
  • Are new services being offered that involve increased collection, use or disclosure of personal data?
10. Audit
• The aims of data protection audits address the wider aspects of data protection, including:
  • Mechanisms for ensuring that information is obtained and processed fairly, lawfully and on a proper basis
  • Quality assurance: ensuring that information is accurate, complete and up to date, adequate, relevant and not excessive
  • Retention: appropriate weeding and deletion of information
  • Documentation on authorised use of systems, e.g. codes of practice, guidelines etc.
  • Compliance with individuals’ rights, such as subject access
We are a Boutique Consulting and Training
Firm Specialising in Data Protection,
Governance & Monitoring and Evaluation.
• PRIVACY IMPACT RISK ASSESSMENT AND POLICY DEVELOPMENT
Privacy impact assessments, data flow mapping, policy development and training based on the chosen privacy framework, organisational culture and applicable regulations.
• FREEDOM OF INFORMATION
Advising on formal FOI requests, review of current case law and assessment of your current FOI programme to ensure that efficiencies are achieved and legislated requirements are met.
• WHISTLEBLOWING
Development or review of a whistleblowing policy for your organisation, evaluation of current capability and identification of any weaknesses, and formulation of the right strategy to help people speak up before they speak out.