Gdpr and ISMS Quick Map Framework EL
1 like122 views
The document outlines a framework for aligning GDPR compliance with ISO 27001 standards, emphasizing key principles such as data minimization, breach notification, and the role of the Data Protection Officer (DPO). It provides a quick start mapping strategy to facilitate documentation, governance, and monitoring practices necessary for GDPR adherence. Additionally, it highlights domains such as the right to erase, accountability, and security measures required for effective data protection.
Gdpr and ISMS Quick Map Framework EL
- 1. GDPR and ISMS Quick Map Framework DRAFT:EUGENELEEWORK@GMAIL.COM
- 2. Topic •Principle •Lesson of GDPR •Data Protection Officer (DPO) •Quick Start Mapping • How-To: Quick leverage ISO27001 ISMS in order
- 3. Principle 1. Documented Policy 2. Minimize data collected 3. Do not retain data beyond purpose 4. Data Subject ownership to their Data 5. Breach notification Must* notify data authorities within 72 hours once a personal data breach discovered Notify individual (data subjects) if high risk to their rights 6. Proven Records while legal requesting 2/8/2018eugeneleework@gmail.com 3
- 4. Lesson of GDPR • Key Elements of GDPR • Risk Assessment (DPIA) • Documenting IT Procedures • Data classification and Minima Data Lifetime • Monitoring and Automation • Extraterritoriality • New law extend outside the EU, even there is no a physical presence in the EU • Especially e-commerce and cloud-based companies 2/8/2018eugeneleework@gmail.com 4
- 5. Data Protection Officer (DPO) • Responsible for • As Contactor (depends on condition) • Creating access controls • Reducing risk • Ensuring compliance • Responding to requests • Reporting breaches within 72 hours • Creating a strong data security policy 2/8/2018eugeneleework@gmail.com 5
- 6. Quick Start Mapping – Core Element • Data classification • Define Information levels • Metadata • When was collected,Why was collected and its Purpose • Governance • GDPR security policies (personal data) • Role and Privilege to which system (Authorization and Permission) • ACL Policy,Who can access on limiting file • Monitoring • Unusual access patterns against files containing personal data 2/8/2018eugeneleework@gmail.com 6
- 7. Quick Start Mapping – Doc. Plan. • Documentation Strategy for GDPR • Identify which control item fit and relates to GDPR • Editing, Adding, Modify relates document or regulation • Draft GDPR policy by referring back existing or edited document • Example, 1. Privacy and Personal Data Protection 2. Draft the content table 3. Referring table back to existing controls (regulation, rules) 2/8/2018eugeneleework@gmail.com 7
- 8. Key Scope GDPR ISO27001 Guidance and Strategy Protection Policy 4、5、6 A.5 and its referral policy Classification Data classification A.8.1、A.8.2 Metadata HR、minimize data collected CRM Project A.7、A.8、A.14、A.15 Governance ACL on systems HRMS、System which stored personal information A.6.1、A.8.1、A.8.3、A.9、 A.10、A11、A12、A.18.1.3、 A.18.1.4 Monitoring Proven Logs on systems、 Monitor system、SysLog 6、10 A.8.3、A.9、A.11.1、A.12.4、 A.16 Quick Start Mapping – cont. 2/8/2018eugeneleework@gmail.com 8
- 9. Key Scope GDPR ISO27001 New Role DPO A.6.1 ExtraTerritoriality (EU to US, Privacy Shield) Articles 3 HRMS, Saelsforce,CRM A.7、A13.2、A.18 Privacy Shield Framework Violations of basic principles related to data security Articles 5 5、6、7 A.5、A.6、A.7、A.13、 A.16、A.18 Violations of the core Privacy by Design concepts Articles 7 5、6、7 A.5、A.6、A.7、A.13、 A.16、A.18 Quick Start Mapping – cont. 2/8/2018eugeneleework@gmail.com 9
- 10. Domain or Scope GDPR ISO27001 • Right to Erasure and to- be-forgotten • Able to discover and target specific data when ever intend to remove it • Data subject can request to erase the data held by companies at any time • Data processors have to erase all whenever asked Articles 17 HRMS, Saelsforce, CRM 6.1.2 A.7、A.8、A.12.3、 A.14.1.1、A.16 Quick Start Mapping – cont. 2/8/2018eugeneleework@gmail.com 10
- 11. Domain or Scope GDPR ISO27001 Data Protection by Design and By Default Accountability and Automation Articles 25 6.1.2、6.1.3、7.5.3、9.1 A.6.1.5、A.7、A.8、 A.12.3、A.14.1.1、A.16 Not having records in order 2% of global revenue for Records of Processing Activities Organizational measures to process personal data Articles 30 6、7、8 A.8、A.12.3、A.16、 A.18 Quick Start Mapping – cont. 2/8/2018eugeneleework@gmail.com 11
- 12. Domain or Scope GDPR ISO27001 Security of Processing Least privilege access, Accountability by data subject (the owner = individuals) Able to provide measurement reports on policies, processes Articles 32 8.2、8.3 A.9、A.10、A.11、A.13、 A.16、A.15 Quick Start Mapping – cont. 2/8/2018eugeneleework@gmail.com 12
- 13. Domain or Scope GDPR ISO27001 Notification of personal data breach to the supervisory authority Prevent and alert on data breach activity Incidence response plan Articles 33 A.16、A.18.1.4 Quick Start Mapping – cont. 2/8/2018eugeneleework@gmail.com 13
- 14. Domain or Scope GDPR ISO27001 Not notifying the supervising authority and data subject about a breach Articles 34 A.16、A.18.1.4 Not conducting impact assessments Data Protection Impact Assessment Quantify data protection risk profiles Articles 35 6.1.2 A.6.1.3、A.8.2.1 Quick Start Mapping – cont. 2/8/2018eugeneleework@gmail.com 14
- 15. ThankYou