Implementing and Auditing GDPR Series (8 of 10)
0 likes174 views
The document is a webinar on the General Data Protection Regulation (GDPR) hosted by AuditNet, highlighting the critical aspects of data privacy, risk management, and data protection impact assessments (DPIAs). It details the roles and responsibilities of data subjects, controllers, and processors, while emphasizing the need for consent and compliance within organizational frameworks. Additionally, it presents tools and methodologies for conducting DPIAs to ensure adherence to GDPR requirements and mitigate data protection risks.
Implementing and Auditing GDPR Series (8 of 10)
- 1. 8/19/2020 1 Richard Cascarino CISM, CIA, ACFE, CRMA General Data Protection Regulation (GDPR) Webinar 8 Risk, DPIA and Tools About Jim Kaplan, CIA, CFE President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices) Auditor, Web Site Guru, Internet for Auditors Pioneer IIA Bradford Cadmus Memorial Award Recipient Local Government Auditor’s Lifetime Award Author of “The Auditor’s Guide to Internet Resources” 2nd Edition Page 2 1 2
- 2. 8/19/2020 2 ABOUT AUDITNET® LLC • AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology. • Available on the Web, iPad, iPhone, Windows and Android devices and features: • Over 3,200 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices • Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users. • Audit guides, manuals, and books on audit basics and using audit technology • LinkedIn Networking Groups • Monthly Newsletters with Expert Guest Columnists • Surveys on timely topics for internal auditors Introductions Page 3 HOUSEKEEPING This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden. • If you logged in with another individual’s confirmation email you will not receive CPE as the confirmation login is linked to a specific individual • This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join link. • We are recording the webinar and you will be provided access to that recording after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited. • If you meet the criteria for earning CPE, you will receive a link via email to download your certificate. The official email for CPE will be issued via [email protected] and it is important to white list this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated if you did not receive the first mailing. • Submit questions via the chat box on your screen and we will answer them either during or at the conclusion. • You must answer the survey questions after the Webinar or before downloading your certificate. 3 4
- 3. 8/19/2020 3 IMPORTANT INFORMATION REGARDING CPE! • ATTENDEES - If you attend the entire Webinar and meet the criteria for CPE you will receive an email with the link to download your CPE certificate. The official email for CPE will be issued via [email protected] and it is important to white list this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated after the initial distribution. • We cannot manually generate a CPE certificate as these are handled by our 3rd party provider. We highly recommend that you work with your IT department to identify and correct any email delivery issues prior to attending the Webinar. Issues would include blocks or spam filters in your email system or a firewall that will redirect or not allow delivery of this email from Gensend.io • You must opt-in for our mailing list. If you indicate, you do not want to receive our emails your registration will be cancelled, and you will not be able to attend the Webinar. • We are not responsible for any connection, audio or other computer related issues. You must have pop-ups enabled on you computer otherwise you will not be able to answer the polling questions which occur approximately every 20 minutes. We suggest that if you have any pressing issues to see to that you do so immediately after a polling question. The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® LLC. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship. While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website. Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet® LLC 5 6
- 4. 8/19/2020 4 ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA • Principal of Richard Cascarino & Associates based in Colorado USA • Over 28 years experience in IT audit training and consultancy • Past President of the Institute of Internal Auditors in South Africa • Member of ISACA • Member of Association of Certified Fraud Examiners • Author of Data Analytics for Internal Auditors 7 TODAY’S AGENDA Page 8 • The security of personal data. • An organizational risk management framework. • Legal requirements for a DPIA. • How to conduct a DPIA with a DPIA tool. 7 8
- 5. 8/19/2020 5 Data subject means an individual who is the subject of personal data. In other words, the data subject is the individual whom particular personal data is about. Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. WHO’S DATA Personal data means any information relating to an identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as: • a name • location data • an online identifier • one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity. PERSONAL DATA 9 10
- 6. 8/19/2020 6 Termed special categories of personal data within GDPR. Sensitive data consists of: • Racial or ethnic origin • Political opinions • Religious or philosophical beliefs • Trade union membership • Data concerning health • Sexual orientation/ sex life • Genetic data • Biometric data SENSITIVE DATA • Legitimate interest - processing is necessary for the purposes of the interests pursued by the RSC except where such interests are overridden by the fundamental rights and freedoms of the data subject. • Contract - processing is necessary for the performance of a contract to which the data subject is party. • Consent - when the data subject has given explicit consent to the processing of their personal data for one or more specific purposes. BASIS OF PROCESSING 11 12
- 7. 8/19/2020 7 Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be appropriate Legitimate is not centered around a particular purpose and it is not processing that the individual has specifically agreed to (consent). Legitimate interest is more flexible and could in principle apply to any type of processing for any reasonable purpose This puts the onus on you to balance your legitimate interests and the necessity of processing the personal data against the interests, rights and freedoms of the individual taking into account the particular circumstances LEGITIMATE INTEREST You can rely on legitimate interest for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object Purpose test: are you pursuing a legitimate interest? Necessity test: is the processing necessary for that purpose? Balancing test: do the individual’s interests override the legitimate interest? Do not use legitimate interests if: you are using personal data in ways people do not understand if you think some people would object if you explained it to them If processing that could cause harm unless you are confident there is nevertheless a compelling reason to go ahead which justifies the impact. LEGITIMATE INTEREST 13 14
- 8. 8/19/2020 8 Where consent is the basis for processing, GDPR requires it to be freely given, specific, informed and unambiguous Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent Explicit consent requires a very clear and specific statement of consent Vague or blanket consent is not enough Name any third parties who will rely on the consent Make it easy for people to withdraw consent and tell them how Keep evidence of consent - who, when, how, and what you told people CONSENT ERM DEFINED: “… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO. 15 16
- 9. 8/19/2020 9 THE ERM FRAMEWORK Entity objectives can be viewed in the context of four categories: Strategic Operations Reporting Compliance THE ERM FRAMEWORK ERM considers activities at all levels of the organization: Enterprise-level Division or subsidiary Business unit processes 17 18
- 10. 8/19/2020 10 GDPR RELATIONSHIP TO COSO INTEGRATED FRAMEWORK Expands and elaborates on elements of internal control as set out in COSO’s “control framework.” Includes objective setting as a separate component. Objectives are a “prerequisite” for internal control. Expands the control framework’s “Financial Reporting” and “Risk Assessment.” INTERNAL AUDIT WITHIN ERM 20 Facilitating the identification and evaluation of risks Coaching management in responding to risks Coordinating ERM activities Consolidating the reporting on risks Maintaining and developing the ERM framework Championing establishment of ERM Developing risk management strategy for board approval 19 20
- 11. 8/19/2020 11 ERM POLICIES AND PROCEDURES 21 Required Clear, concise & easy to understand Risk management policy Risk management strategy Risk management plan Risk management toolkit (procedures, approach, forms, templates) Risk management technology - streamline processes Supporting policies Supporting plans and strategies Supporting procedures (controls) IA Role Review ERM Strategy, ERM policy, ERM procedures for appropriateness Align Audit Plan to RRM Plan (where possible) Audit of systems and processes to ensure ERM framework is working IA ROLES 22 21 22
- 12. 8/19/2020 12 GDPR GAP ANALYSIS Phase I Information Gathering • Conduct interviews / gather information • Identify risk universe • Define and develop cost of risk data • Conduct gap analysis Phase II Setting the Stage • Develop overall risk management vision • Create risk management scorecard / Gap analysis • Identify key risk projects / activities needed to achieve risk management excellence • Understand cost / benefit of potential risk management strategies Phase III Executive Support • Obtain support of risk management leaders • Present overall objectives and plan to senior management • Develop teams and tools • Get moving • Deliver defined projects • Update progress toward overall vision • Measure performance • Create linkage to next steps • Build feedback loop to ensure continued progress toward goals Phase IV Implementation LEGAL REQUIREMENTS FOR A DPIA A DPIA is a process designed to help you systematically analyze, identify and minimize the data protection risks of a project or plan A Data Protection Impact Assessment (DPIA) within GDPR is a process to help you identify and minimize the data protection risks of a project Conducting a DPIA is a legal requirement for any type of processing, including certain specified types of processing that are likely to result in a high risk to the rights and freedoms of individuals Should be carried out “prior to the processing” (GDPR Articles 35(1) and 35(10) 23 24
- 13. 8/19/2020 13 GDPR SAYS YOU MUST DO A DPIA If you plan to: use systematic and extensive profiling with significant effects; process special category or criminal offence data on a large scale; or systematically monitor publicly accessible places on a large scale use innovative technology (in combination with any of the criteria from the European guidelines) use profiling or special category data to decide on access to services profile individuals on a large scale process biometric data (in combination with any of the criteria from the European guidelines) GDPR SAYS YOU MUST DO A DPIA If you plan to: process genetic data (in combination with any of the criteria from the European guidelines) match data or combine datasets from different sources collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’) (in combination with any of the criteria from the European guidelines) track individuals’ location or behavior (in combination with any of the criteria from the European guidelines) profile children or target marketing or online services at them process data that might endanger the individual’s physical health or safety in the event of a security breach 25 26
- 14. 8/19/2020 14 WHAT’S IN A DPIA Your DPIA must: describe the nature, scope, context and purposes of the processing assess necessity, proportionality and compliance measures identify and assess risks to individuals identify any additional measures to mitigate those risks WHEN TO CONDUCT A DPIA If we plan to carry out any: evaluation or scoring; automated decision-making with significant effects; systematic monitoring; processing of sensitive data or data of a highly personal nature; processing on a large scale; processing of data concerning vulnerable data subjects; innovative technological or organizational solutions; processing that involves preventing data subjects from exercising a right or using a service or contract. 27 28
- 15. 8/19/2020 15 CONDUCTING THE DPIA Data Protection Impact Assessment (DPIA) Fact Sheet https://www.snowflake.com/wp-content/uploads/2020/08/DPIA-Fact- Sheet.pdf Gydeline Simple DPIA Template https://gydeline.com/grc/compliance/regulations/simple-dpia-template/ DPIA Tools OneTrust Vigilant Software Others https://www.g2.com/categories/privacy-impact-assessment-pia ONETRUST OneTrust is the #1 most widely used privacy, security and trust technology. More than 6,000 customers, including half of the Fortune 500, use OneTrust to build integrated programs that comply with the CCPA, GDPR, LGPD, PDPA, ISO27001 and hundreds of the world’s privacy and security laws. The OneTrust platform is powered by the OneTrust Athena™ AI and robotic automation engine https://www.onetrust.com/products/assessment-automation 29 30
- 16. 8/19/2020 16 VIGILANT SOFTWARE Vigilant Software DPIA Tool – Conduct a data protection impact assessment in six simple steps Assess and treat data security risks for every process in your organization. Easily demonstrate measures taken for GDPR (General Data Protection Regulation) compliance, essential to help you meet Article 35 requirements. Avoid unnecessary work with screening questions to determine if a DPIA (data protection impact assessment) is necessary. Export reports, and share findings with stakeholders and third parties. Avoid errors and ensure completeness with a proven tool, aligned with the GDPR and ICO’s (Information Commissioner’s Office) requirements. Review, update and maintain DPIAs year after year. https://www.vigilantsoftware.co.uk/topic/dpia QUESTIONS? Any Questions? Don’t be Shy! 31 32
- 17. 8/19/2020 17 AUDITNET® AND CRISK ACADEMY • If you would like forever access to this webinar recording • If you are watching the recording, and would like to obtain CPE credit for this webinar • Previous AuditNet® webinars are also available on-demand for CPE credit http://criskacademy.com http://ondemand.criskacademy.com Use coupon code: 50OFF for a discount on this webinar for one week THANK YOU! Page 34 Jim Kaplan AuditNet® LLC 1-800-385-1625 Email:[email protected] www.auditnet.org Follow Me on Twitter for Special Offers - @auditnet Join my LinkedIn Group – https://www.linkedin.com/groups/44252/ Like my Facebook business page https://www.facebook.com/pg/AuditNetLLC Richard Cascarino & Associates Cell: +1 970 819 7963 Tel +1 303 747 6087 (Skype Worldwide) Tel: +1 970 367 5429 eMail: [email protected] Web: http://www.rcascarino.com Skype: Richard.Cascarino 33 34