SlideShare a Scribd company logo

BigID IAPP webinar on data-driven enterprise privacy management

BigID Inc, profile picture
BigID Inc

This document summarizes a presentation on automating GDPR compliance. It discusses how risk assessments and data protection impact assessments can help organizations meet GDPR accountability requirements. Risk assessments can identify what personal data is processed, for how long, and its uses. They should be reviewed by privacy teams and can be automated. Data protection impact assessments may be required for high-risk processing. Maintaining records of risk assessments and data protection impact assessments can aid with data subject rights requests and regulator questions.

Technology
Related topics:
Data Governance InsightsData Mining Insights
1 of 16
Downloaded 16 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
www.iapp.org Thursday, November 2, 2017 Time: 11:00 a.m. - noon EDT 3:00 - 4:00 p.m. UTC Beyond PIAs: A Tutorial on Automating GDPR Compliance
www.iapp.org Welcome and Introductions Host: John Howie, CIPP/US, CIPT Chief Privacy Officer, Consumer BG Huawei Panelists: George Chedzhemov, Director of Client Success BigID 2 Dave Cohen CIPP/E,CIPP/US Knowledge Manager IAPP
www.iapp.org Overview and Context 3
www.iapp.org Laying Groundwork for Compliance with the GDPR 4
www.iapp.org Accountability in GDPR • Art 5 2.: The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’). –Lawfulness, fairness, and transparency; Purpose limitation; Data minimization; Accuracy; Storage limitation; and Integrity and confidentiality • Accountability is met through documentation –Beyond what is called for in Art. 30 Records of Processing Activity –Documentation may be in writing or in electronic form 5
www.iapp.org Data Protection Impact Assessments (DPIAs) • DPIAs can assist with some accountability requirements but most organizations will not perform them routinely –GDPR call for DPIAs to be performed when there is a high risk to the rights and freedoms of natural persons from data processing • Best practice calls for a Risk Assessment (RA) to be performed in all processing activities –Can leverage automation to gather information about processing activities, data, etc. –RA can feed into a DPIA if one is ultimately required 6
www.iapp.org Information gathered in a RA • A RA can be performed by product teams, and can identify: –Personal data elements processed (e.g. name, D.O.B., address, salary, etc.) –The length of time data will be kept for –The uses to which the data will be put –Where the data will be (is already) stored and/or transferred to • RAs should be reviewed by Privacy teams for risk/follow-up –Review can supplement information with legal basis, etc. • Automation to gather/store/process RAs can greatly help 7
www.iapp.org Consent • When Consent is Legal Basis for processing of personal data: –Consent must be a freely given, specific, informed, unambiguous indication of the data subject’s wishes… (Art. 4 (11)) –The “…controller shall be able to demonstrate that the data subject has consented…” (Art. 7 1.) –Additional data subject rights are provided for • Data subjects must be able to easily withdraw consent –Implications for use of data, etc. • Consent is also a valid derogation to enable data transfers outside of EEA 8
www.iapp.org Personal data breach response • Art. 33 and 34 specify requirements to notify supervisory authority and data subjects –Personal data breach is a broad term –Not every breach needs to be reported • RA/DPIA documentation can be used to determine whether or not notification is required, and to whom –Based on risk to data subjects, datasets that may have been compromised, etc. 9
www.iapp.org Data subject rights • RA/DPIA documentation can be aid when data subjects exercise their rights –Good documentation will detail: • What personal data is processed • Where data is stored and transferred to • Whether or not decision-making/profiling is taking place • Consent as legal basis modifies rights –Withdrawal of consent prohibiting further processing, data portability, automated decision making, etc. 10
www.iapp.org Maintenance of records • RAs/DPIAs should be revisited on an as-needed basis, e.g.: –When volume of data changes –Product or service updates or features are added or withdrawn –When technological changes are made (including storage locations) • RAs/DPIAs can be part of your Records of processing activities –Not required, but a best practice of end-to-end documentation • Well maintained records are easy to show to regulators –Stored in central location, accurate, complete, etc. 11
www.iapp.org Questions and Answers Host: John Howie, CIPP/US, CIPT Chief Privacy Officer, Consumer BG Huawei john@thehowies.com Panelists: George Chedzhemov, Director of Client Success BigID gchedzhemov@bigid.c om 12 Dave Cohen CIPP/E,CIPP/US Knowledge Manager IAPP dave@iapp.org
www.iapp.org Thank You to our Sponsor Speakers and Participants 13
www.iapp.org Web Conference Participant Feedback Survey Please take this quick (2 minute) survey to let us know how satisfied you were with this program and to provide us with suggestions for future improvement. Click here: http://www.questionpro.com/t/AL2CRZa13s Thank you in advance! For more information: www.iapp.org 14
www.iapp.org Attention IAPP Certified Privacy Professionals: This IAPP web conference may be applied toward the continuing privacy education (CPE) requirements of your CIPP/US, CIPP/E, CIPP/G, CIPP/C, CIPT or CIPM credential worth 1.0 credit hours. IAPP-certified professionals who are the named participant of the registration will automatically receive credit. If another certified professional has participated in the program but is not the named participant then the individual may submit for credit by submitting the continuing education application form here: CPE credit application. Continuing Legal Education Credits: The IAPP provides certificates of attendance to web conference attendees. Certificates must be self-submitted to the appropriate jurisdiction for continuing education credits. Please consult your specific governing body’s rules and regulations to confirm if a web conference is an eligible format for attaining credits. Each IAPP web conference offers either 60 or 90 minutes of programming. 15
www.iapp.org For questions on this or other IAPP Web Conferences or recordings or to obtain a copy of the slide presentation please contact: Dave Cohen, CIPP/E, CIPP/US Knowledge Manager International Association of Privacy Professionals (IAPP) dave@iapp.org 603.427.9221 16

More Related Content

PDF
BigID, OneTrust, IAPP Webinar: Bridging the Privacy Office with IT
BigID Inc
 
PDF
Beginning your General Data Protection Regulation (GDPR) Journey
Microsoft Österreich
 
PPTX
Secure Your Enterprise Data Now and Be Ready for CCPA in 2020
Delphix
 
PDF
Piwik PRO The Real Cost of Data Privacy
Piwik PRO
 
PDF
GDPR: Threat or Opportunity?
Samuel Pouyt
 
PDF
Web Analytics and Privacy
Piwik PRO
 
PDF
Finding Data at Risk for CCPA Compliance
Precisely
 
PDF
GDPR Scotland 2017
Ray Bugg
 
BigID, OneTrust, IAPP Webinar: Bridging the Privacy Office with IT
BigID Inc
 
Beginning your General Data Protection Regulation (GDPR) Journey
Microsoft Österreich
 
Secure Your Enterprise Data Now and Be Ready for CCPA in 2020
Delphix
 
Piwik PRO The Real Cost of Data Privacy
Piwik PRO
 
GDPR: Threat or Opportunity?
Samuel Pouyt
 
Web Analytics and Privacy
Piwik PRO
 
Finding Data at Risk for CCPA Compliance
Precisely
 
GDPR Scotland 2017
Ray Bugg
 

What's hot (16)

PDF
Practical steps to GDPR compliance
Jean-Michel Franco
 
PDF
GDPR Readiness
NGA Human Resources
 
PPTX
Ensuring GDPR Compliance - A Zymplify Guide
Zymplify
 
PPTX
GDPR: Your Journey to Compliance
Cobweb
 
PDF
Guardians of Trust: Building Trust in Data & Analytics
Eryk Budi Pratama
 
PPTX
GDPR - 5 Months On!
BrightPay Payroll and Auto Enrolment Software
 
PPTX
India'a Proposed Privacy & Personal Data Protection Law
Priyanka Aash
 
PDF
BigID Data Sheet: Smart Data Labeling and Tagging
BigID Inc
 
PDF
Beyond GDPR Compliance - Role of Internal Audit
Omo Osagiede
 
PDF
GDPR Summit RDS May 2018 - DAMA VP Opening remarks and links to all presentat...
DAMA Ireland
 
PDF
The Data Value Map for GDPR - May 2018 - GDPR summit Dublin
Ken O'Connor
 
PDF
Enacting the Data Subjects Access Rights for GDPR with Data Services and Data...
Jean-Michel Franco
 
PDF
Dama Ireland slides - Data Trust event 9th June 2016
Ken O'Connor
 
PDF
Teleran Data Protection - Addressing 5 Critical GDPR Requirements
Chris Doolittle
 
PDF
Privacera Databricks CCPA Webinar Feb 2020
Privacera
 
PPTX
CCPA Compliance for Analytics and Data Science Use Cases with Databricks and ...
Jeff Kelly
 
Practical steps to GDPR compliance
Jean-Michel Franco
 
GDPR Readiness
NGA Human Resources
 
Ensuring GDPR Compliance - A Zymplify Guide
Zymplify
 
GDPR: Your Journey to Compliance
Cobweb
 
Guardians of Trust: Building Trust in Data & Analytics
Eryk Budi Pratama
 
GDPR - 5 Months On!
BrightPay Payroll and Auto Enrolment Software
 
India'a Proposed Privacy & Personal Data Protection Law
Priyanka Aash
 
BigID Data Sheet: Smart Data Labeling and Tagging
BigID Inc
 
Beyond GDPR Compliance - Role of Internal Audit
Omo Osagiede
 
GDPR Summit RDS May 2018 - DAMA VP Opening remarks and links to all presentat...
DAMA Ireland
 
The Data Value Map for GDPR - May 2018 - GDPR summit Dublin
Ken O'Connor
 
Enacting the Data Subjects Access Rights for GDPR with Data Services and Data...
Jean-Michel Franco
 
Dama Ireland slides - Data Trust event 9th June 2016
Ken O'Connor
 
Teleran Data Protection - Addressing 5 Critical GDPR Requirements
Chris Doolittle
 
Privacera Databricks CCPA Webinar Feb 2020
Privacera
 
CCPA Compliance for Analytics and Data Science Use Cases with Databricks and ...
Jeff Kelly
 
Ad

Similar to BigID IAPP webinar on data-driven enterprise privacy management (20)

PDF
IAPP certification programs overview
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PPTX
GDPR Benefits and a Technical Overview
Ernest Staats
 
PPTX
GDPR Breakfast Briefing for Business Advisors
Harrison Clark Rickerbys
 
PPTX
GDPR Breakfast Briefing for Business Advisors
Harrison Clark Rickerbys
 
PPTX
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
Harrison Clark Rickerbys
 
PPTX
GDPR for Dummies
Atif Ghauri
 
PPTX
Associates quick guide to gdpr v 1.0
Aaron Banham
 
PPTX
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
Harrison Clark Rickerbys
 
PPTX
Teradata's approach to addressing GDPR
Paul O'Carroll
 
PPTX
Assessing the impact of security services
Jisc
 
PPT
Privacy audittalkfinal
Alan Hartman
 
PDF
GDPR Are you ready for auditing privacy ?
Patrick Soenen
 
PDF
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
Gary Dodson
 
PDF
GDPRforum London
Angry Creative (UK)
 
PDF
Prep your app for gdpr compliance
Asanka Nissanka
 
PDF
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Frank Dawson
 
PDF
Setting the right GDPR priorities
Alberto Canadè
 
PPTX
Microsoft dynamics 365 for small and medium sized charities - session 2 gdpr
m-hance
 
PPTX
Storm on the Horizon: Data Governance & Security vs. Employee Privacy
Aurélie Pols
 
PPT
Tools to help GDPR compliance
CSUC - Consorci de Serveis Universitaris de Catalunya
 
IAPP certification programs overview
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
GDPR Benefits and a Technical Overview
Ernest Staats
 
GDPR Breakfast Briefing for Business Advisors
Harrison Clark Rickerbys
 
GDPR Breakfast Briefing for Business Advisors
Harrison Clark Rickerbys
 
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
Harrison Clark Rickerbys
 
GDPR for Dummies
Atif Ghauri
 
Associates quick guide to gdpr v 1.0
Aaron Banham
 
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
Harrison Clark Rickerbys
 
Teradata's approach to addressing GDPR
Paul O'Carroll
 
Assessing the impact of security services
Jisc
 
Privacy audittalkfinal
Alan Hartman
 
GDPR Are you ready for auditing privacy ?
Patrick Soenen
 
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
Gary Dodson
 
GDPRforum London
Angry Creative (UK)
 
Prep your app for gdpr compliance
Asanka Nissanka
 
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Frank Dawson
 
Setting the right GDPR priorities
Alberto Canadè
 
Microsoft dynamics 365 for small and medium sized charities - session 2 gdpr
m-hance
 
Storm on the Horizon: Data Governance & Security vs. Employee Privacy
Aurélie Pols
 
Tools to help GDPR compliance
CSUC - Consorci de Serveis Universitaris de Catalunya
 
Ad

More from BigID Inc (12)

PDF
BigID Consent Governance
BigID Inc
 
PPTX
Collibra Data Citizen '19 - Bridging Data Privacy with Data Governance
BigID Inc
 
PPTX
BigID & Collibra Joint Deck: Using BigID’s Privacy-centric Data Discovery to...
BigID Inc
 
PDF
BigID DataSheet: Data Access Intelligence
BigID Inc
 
PDF
BigID Data Sheet: LGPD Compliance Automated
BigID Inc
 
PDF
BigID Data Sheet HIPAA Data Security & Privacy
BigID Inc
 
PDF
BigID Datasheet: CCPA Data Rights Automation
BigID Inc
 
PDF
BigID Data Sheet: GDPR Compliance
BigID Inc
 
PDF
BigID Data sheet: Consent Governance & Orchestration
BigID Inc
 
PDF
BigID Data Sheet: Data subject rights
BigID Inc
 
PDF
BigID Data Sheet: Master Your Customer Data Without MDM
BigID Inc
 
PDF
BigID Data Sheet: Enterprise Privacy Management
BigID Inc
 
BigID Consent Governance
BigID Inc
 
Collibra Data Citizen '19 - Bridging Data Privacy with Data Governance
BigID Inc
 
BigID & Collibra Joint Deck: Using BigID’s Privacy-centric Data Discovery to...
BigID Inc
 
BigID DataSheet: Data Access Intelligence
BigID Inc
 
BigID Data Sheet: LGPD Compliance Automated
BigID Inc
 
BigID Data Sheet HIPAA Data Security & Privacy
BigID Inc
 
BigID Datasheet: CCPA Data Rights Automation
BigID Inc
 
BigID Data Sheet: GDPR Compliance
BigID Inc
 
BigID Data sheet: Consent Governance & Orchestration
BigID Inc
 
BigID Data Sheet: Data subject rights
BigID Inc
 
BigID Data Sheet: Master Your Customer Data Without MDM
BigID Inc
 
BigID Data Sheet: Enterprise Privacy Management
BigID Inc
 

Recently uploaded (20)

PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Teaching material agriculture food technology
LiaRayya
 
Cloud computing and distributed systems.
kkkkkhan
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
A Presentation on Artificial Intelligence
memembruh336
 
KodekX | Application Modernization Development
KodekX
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 

BigID IAPP webinar on data-driven enterprise privacy management

  • 1. www.iapp.org Thursday, November 2, 2017 Time: 11:00 a.m. - noon EDT 3:00 - 4:00 p.m. UTC Beyond PIAs: A Tutorial on Automating GDPR Compliance
  • 2. www.iapp.org Welcome and Introductions Host: John Howie, CIPP/US, CIPT Chief Privacy Officer, Consumer BG Huawei Panelists: George Chedzhemov, Director of Client Success BigID 2 Dave Cohen CIPP/E,CIPP/US Knowledge Manager IAPP
  • 5. www.iapp.org Accountability in GDPR • Art 5 2.: The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’). –Lawfulness, fairness, and transparency; Purpose limitation; Data minimization; Accuracy; Storage limitation; and Integrity and confidentiality • Accountability is met through documentation –Beyond what is called for in Art. 30 Records of Processing Activity –Documentation may be in writing or in electronic form 5
  • 6. www.iapp.org Data Protection Impact Assessments (DPIAs) • DPIAs can assist with some accountability requirements but most organizations will not perform them routinely –GDPR call for DPIAs to be performed when there is a high risk to the rights and freedoms of natural persons from data processing • Best practice calls for a Risk Assessment (RA) to be performed in all processing activities –Can leverage automation to gather information about processing activities, data, etc. –RA can feed into a DPIA if one is ultimately required 6
  • 7. www.iapp.org Information gathered in a RA • A RA can be performed by product teams, and can identify: –Personal data elements processed (e.g. name, D.O.B., address, salary, etc.) –The length of time data will be kept for –The uses to which the data will be put –Where the data will be (is already) stored and/or transferred to • RAs should be reviewed by Privacy teams for risk/follow-up –Review can supplement information with legal basis, etc. • Automation to gather/store/process RAs can greatly help 7
  • 8. www.iapp.org Consent • When Consent is Legal Basis for processing of personal data: –Consent must be a freely given, specific, informed, unambiguous indication of the data subject’s wishes… (Art. 4 (11)) –The “…controller shall be able to demonstrate that the data subject has consented…” (Art. 7 1.) –Additional data subject rights are provided for • Data subjects must be able to easily withdraw consent –Implications for use of data, etc. • Consent is also a valid derogation to enable data transfers outside of EEA 8
  • 9. www.iapp.org Personal data breach response • Art. 33 and 34 specify requirements to notify supervisory authority and data subjects –Personal data breach is a broad term –Not every breach needs to be reported • RA/DPIA documentation can be used to determine whether or not notification is required, and to whom –Based on risk to data subjects, datasets that may have been compromised, etc. 9
  • 10. www.iapp.org Data subject rights • RA/DPIA documentation can be aid when data subjects exercise their rights –Good documentation will detail: • What personal data is processed • Where data is stored and transferred to • Whether or not decision-making/profiling is taking place • Consent as legal basis modifies rights –Withdrawal of consent prohibiting further processing, data portability, automated decision making, etc. 10
  • 11. www.iapp.org Maintenance of records • RAs/DPIAs should be revisited on an as-needed basis, e.g.: –When volume of data changes –Product or service updates or features are added or withdrawn –When technological changes are made (including storage locations) • RAs/DPIAs can be part of your Records of processing activities –Not required, but a best practice of end-to-end documentation • Well maintained records are easy to show to regulators –Stored in central location, accurate, complete, etc. 11
  • 12. www.iapp.org Questions and Answers Host: John Howie, CIPP/US, CIPT Chief Privacy Officer, Consumer BG Huawei john@thehowies.com Panelists: George Chedzhemov, Director of Client Success BigID gchedzhemov@bigid.c om 12 Dave Cohen CIPP/E,CIPP/US Knowledge Manager IAPP dave@iapp.org
  • 14. www.iapp.org Web Conference Participant Feedback Survey Please take this quick (2 minute) survey to let us know how satisfied you were with this program and to provide us with suggestions for future improvement. Click here: http://www.questionpro.com/t/AL2CRZa13s Thank you in advance! For more information: www.iapp.org 14
  • 15. www.iapp.org Attention IAPP Certified Privacy Professionals: This IAPP web conference may be applied toward the continuing privacy education (CPE) requirements of your CIPP/US, CIPP/E, CIPP/G, CIPP/C, CIPT or CIPM credential worth 1.0 credit hours. IAPP-certified professionals who are the named participant of the registration will automatically receive credit. If another certified professional has participated in the program but is not the named participant then the individual may submit for credit by submitting the continuing education application form here: CPE credit application. Continuing Legal Education Credits: The IAPP provides certificates of attendance to web conference attendees. Certificates must be self-submitted to the appropriate jurisdiction for continuing education credits. Please consult your specific governing body’s rules and regulations to confirm if a web conference is an eligible format for attaining credits. Each IAPP web conference offers either 60 or 90 minutes of programming. 15
  • 16. www.iapp.org For questions on this or other IAPP Web Conferences or recordings or to obtain a copy of the slide presentation please contact: Dave Cohen, CIPP/E, CIPP/US Knowledge Manager International Association of Privacy Professionals (IAPP) dave@iapp.org 603.427.9221 16