SlideShare a Scribd company logo

My presentation- Ala about privacy and GDPR

Download as PPTX, PDF
Z
zayadeen2003

The document outlines the General Data Protection Regulation (GDPR), which aims to enhance data protection for individuals within the EU by establishing standardized data protection laws. It details the rights of data subjects, the responsibilities of data controllers and processors, and the principles and requirements for lawful data processing, including the need for consent, transparency, and security measures. The document also discusses the implementation of GDPR compliance measures, penalties for violations, and the auditing process necessary to ensure adherence to the regulation.

Technology
1 of 33
Downloaded 15 times
1
2
3
Most read
4
5
6
7
8
9
10
11
12
Most read
13
14
Most read
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
My presentation- Ala about privacy and GDPR
AGENDA • INTRODUCTION • WHY GDPR • TERMS AND DEFINITIONS • GDPR PRINCIPLES • GDPR REQUIREMENTS • AUDITING GDPR.
INTRODUCTION The purpose of the General Data Protection Regulation (GDPR) is to modernize data protection and provide greater protection to individuals through the standardization and harmonization of previously fragmented data protection legislations. Is new EU legislation that comes into effect on May 25th 2018
WHAT IS THE PURPOSE OF GDPR? • DATA PROTECTION IS ABOUT PROTECTING PEOPLES PRIVACY. WITH THE CONTINUED GROWTH OF THE INTERNET, MODERN DAY LIVING HAS BECOME MORE DATA DRIVEN RESULTING IN BUSINESS LOOKING FOR NEW WAYS TO LEVERAGE THE POWER OF TECHNOLOGY AND THE INTERNET This data driven world is much more interconnected, making it much harder to limit the harm to individuals if data protection goes wrong. The results of this may leave an individual exposed to identity theft, financial loss or criminal exploitation Companies are given personal information in good faith and are responsible for ensuring that the personal information given to them is protected in a way that will not compromise the individual. How personal information is protected depends on the type of personal information a company collects and how the company will use that information. This means that data protection is contextual and every company will have its own way of meeting its data protection requirements
CHANGES TO THE EXISTING REGULATION What the GDPR brings to the current regulatory framework
CHANGES TO THE EXISTING REGULATION What does the GDPR bring (compared to the existing Data Protection Directive)) Applies to all entities targeting data subjects in the EU, even if they are based out of the EU. Fines ranging between 2 to 4% of the global annual turnover or €10 - 20 million Personal data now includes location data, IP addresses, online and technology identifiers. Reinforced rights: Access, rectification, restriction, erasure, objection to processing; no automated processing and profiling. Required for processing, where there is no other legal obligation. Report a personal data breach to the Data Protection Authority within 72hrs. Data Protection Authorities (DPA) of main establishment can act as lead DPA, supervising processing activities throughout the EU. Binding Corporate Rules as tools for data transfers outside the EU and EEA are now embedded in law, where there is no adequate decision to perform a transfer. International data transfers One-stop shop Data breach notification Consent Data subjects rights Expanded definitions Sanctions Broader territorial scope
DEFINITIONS What are the key aspects you need to know
IMPORTANT TERMINOLOGY DATASUBJECT An individual who is the subject of the information or data. DATACONTROLLER A person, company or organisation who determines the purposes and means of processing personal data DATAPROCESSOR A person, company or organisation who processes personal data on behalf of the controller 8
PERSONAL IDENTIFIABLE INFORMATION (PII) Any type of information relating directly or indirectly to an identified or identifiable natural person and can lead to the identification of an individual when used alone or combined with other relevant data. Examples are: General Personal Data Name, Surname Gender Date of birth Home Address ID Number Personal email address Biometric data (photograph / video) Behavioral information Financial Information Social Security Numbers Account numbers (bank accounts, credit cards, etc.) Personal Identification Numbers (PINs) Passwords to financial accounts Income information Personal Identifiable Information Sensitive Information Racial or ethnic origin Religious beliefs Health Information Sexual orientation Political views Criminal convictions / Security measures / Offenses Health Information Medical records Physical / mental health information Health plan Health history
DATA PROTECTION ROLES Data subject Data controller Data processor Supervisory authority (SA) / Data Protection Authority (DPA) 1 0
AN INDIVIDUAL’S RIGHTS The GDPR seeks to balance the rights of an individual, or data subject in relation to their personal information with the need a company has to hold and process personal information. The right of Access The right to Object The right to Rectification The right to Erasure Rights in relation to Automated decision- making & Profiling The right to Data Portability The right to Restrict processing 1 1
CORE PRINCIPLES Processing of personal data Integrity and confidentiality Processing data in a secure manner, providing protection against unauthorised actions, loss, damage and destruction. Lawfulness and fairness Applying legitimate grounds for collecting data ensuring there is no negative impact on the data subject. Data Subject rights Informing the data subject about his rights regarding processing his personal data. Purpose limitation Collecting and processing data for specified, explicit and legitimate purpose. Data transfer and Disclosure Applying protection safeguards and measures on data transferred to third parties. Data minimisation GDPR Privacy Principles Collecting and processing data adequately and relatively to what it is necessary in relation to the purposes for which they are processed. Transparency Processing data in a lawful, fair and transparent manner in relation to the data subject. Accuracy Ensuring data is accurate and up to date in relation to the purposes for which they are processed, and erased or rectified accordingly. Accountability Introducing technical and organizational measures to ensure data processing is performed in accordance with the GDPR Storage limitation Keeping data for no longer than is necessary for the purposes for which they are processed.
PROCESSING PERSONAL DATA Consent Contractual necessity Legal obligation Vital interests Public interest Legitimate interests Legitimate bases for processing 1 3 https://ico.org.uk/for-organisations/gdpr-resources/lawful-basis-interactive-guidance-tool/
ACTIONS TO BE TAKEN 8 key measures to be taken Although GDPR legislation is, of course, a legal given, its implementation has organisational and IT elements as well. a total of 8 measures to be implemented: 1. DATA PRIVACY POLICY & AWARENESS PROGRAM 5. ADAPTING THE AGREEMENTS BETWEEN CONTROLLERS AND PROCESSORS (THIRD P ARTIES) 6. ADJUSTING COMMUNICATION TO THE ‘ DATA SUBJECTS’ THROUGH ‘PRIVACY NOTICES’ 2. MAINTAINING A REGISTER OF PROCESSING ACTIVITIES & DATA 3. PRIVACY IMPACT ASSESSMENTS (PIAs) ON THE CRITICAL PROCESSES 7. DATA BREACH NOTIFICATION 8. APPOINTMENT OF A DATA PROTECTION OFFICER (DPO) 4. IMPLEMENTING SECURITY MEASURES (PRIVACY BY DESIGN AND DEFAULT)
Assess Capture Store Use Destroy Data Protection by Design and by Default Data Protection Impact Assessment (DPIA) Documentation Retention Period Right to erasure Portability Third Party copies Appropriate use Consent Manage Consent Restricted International Transfers Safe and Secure Restricted Access Data Inventory Subject Access Requests Contracts with Data Processors Data breaches Data Minimisation Privacy Notices Privacy Rights Obtain Consent SUMMARY OF GDPR INFORMATION LIFE CYCLE
HOW PENALTIES AND FINES ARE INCURRED  The level of fines will be dependent on the nature, gravity and duration of the infringement and take into account any remediation measures a company has undertaken. Fines can incurred for a range of infringements and are not limited to the list below:  A breach of GDPR Principles  Issues around the individuals rights  Unlawful data processing  Breaches of Sensitive Personal Information  Transferring data to countries without adequate protections  Processing where consent cannot be proven or has been withdrawn 1 6
AUDITING GDPR Auditors will be indispensable in helping enterprises adhere to these rules and maintain compliance 1 7 Auditing GDPR is about assessing the controls put in Place to respond to risk; it should consider the trio of risk across all facets of an enterprise: • People • Processes • Technology People Processes Technology
AUDITING GDPR 1 8 GDPR Article 5 (2) states, “The controller shall be responsible for, and be able to demonstrate compliance” with GDPR by ensuring that personal data are processed in accordance with the following six principles:  Lawfulness, fairness and transparency  Purpose limitations  Data minimization  Accuracy  Storage limitations  Integrity and confidentiality In reality, the controller is accountable for ensuring compliance with the six key principles. Auditors are concerned with validating the level of compliance.
1- LAWFULNESS, FAIRNESS AND TRANSPARENCY 1 9 “GDPR Article 5 states, Data shall be…processed lawfully, fairly and in a transparent manner in relation to the data subject: The regulation requires that all the enterprise’s processes relating to personal data be evidenced, form an inventory of what data are processed on which systems, where they are stored and with whom they are shared. This should provide the necessary summary of processes from which the auditor can work Lawfulness : Auditors must ensure that enterprises have the systems and processes in place to ensure that these rights are not breached.
FAIRNESS AND TRANSPARENCY 2 0 In terms of GDPR, it can be said that fairness is achieved when the data controller has put in place working procedures for data subjects to exercise their legal rights without hindrance, These rights are exercised through a subject access request (SAR) A GDPR SAR audit will be an audit of processes and the design and effective implementation of controls. Request Validation Response Fairness : In terms of GDPR, it can be said that fairness is achieved when the data controller has put in place working procedures for data subjects to exercise their legal rights without hindrance
TRANSPARENCY 2 1 “GDPR Article 12 requires that any information the data controller (enterprise) gives to the data subject (individual) about its data processing practices must be concise, transparent, intelligible and in easily accessible form, and must be provided in writing within one month, at the latest. Transparency : In addition to auditors reviewing and validating the SAR response log, they also need to consider whether the information provided is indeed concise, complete, accurate and easily understandable.
2- ACCURACY 2 2 “GDPR Article 5 states, Personal data shall be… accurate, and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate…are erased or rectified without delay….:  Each data stream may have been replicated by various departments and individuals for different uses. Auditors must recognize the risk posed by shadow IT and unstructured data. Accuracy : Auditors should seek to assess the completeness of the data discovery exercise and the actions that followed. Auditors should:  Review the process undertaken by the business to locate and cleanse the data • Review the rules that are put in place to minimize the instance of shadow IT systems and manage unstructured data • The strategic audit plan should cover data quality. Traditionally, data quality audits have focused on corporate data; with GDPR, these audits now need to cover personal data.
3- PURPOSE LIMITATION 2 3 “GDPR Article 5 states, Personal data…shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.” Purpose limitations : Auditors should expect that records are flagged with a reference to a defined purpose that will in turn define the basis. Auditors should also expect to see evidence of validation and a link to a records retention and deletion policy.
4- DATA MINIMIZATION 2 4 “GDPR Article 5 states, “Personal data…shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” Data Minimization: The key for the auditor is to assess the processes and associated rules that have been established to validate the data collected. Thus, to comply with GDPR, enterprises must implement data minimization rules and processes at every step of the data life cycle.
5- STORAGE LIMITATION 2 5 “GDPR Article 5 states, “Personal data shall be kept in a form which permits identification of data subjects for no longer than necessary for the processing purposes; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes” Storage limitation: Auditors should approach with caution and consider retention in terms of other legislation and regulation before GDPR and the enterprise’s needs. GDPR only replaces existing data protection legislation and does not overwrite other existing legislation such as that relating to record retention (e.g., for tax purposes).. The key phrase to consider here is “permits identification.” Auditors should conclude from this that so long as the systems and processes work to anonymize the data at a given point in time then it is acceptable to keep and utilize the data for modeling An enterprise should build into its records retention and deletion policies (both manual and electronic) the rules that ensure compliance with legislation and regulation Enterprises can easily fail to comply with GDPR by failing to safeguard personal data upon disposal of hardware and software
6- CONFIDENTIALITY, INTEGRITY AND AVAILABILITY 2 6 “GDPR Article 5 states, “Personal data must be processed using appropriate technical and organizational security measures, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
2 7 Providing audit assurance on GDPR is not a one-off process; the regulation requires auditors to consider personal data throughout the enterprise’s annual audit plan
IN A NUTSHELL What are the key points to remember
7 9 7 9 KEY POINTS Data Privacy Impact Assessment (DPIA) Data Transfers to Third Countries / Organisations Awareness & Training Data Protection Officer (DPO) Marketing Data Breach Notification Privacy by Design & by Default Consent prior processing Third Party agreements Data Erasure GDPR Reporting to Supervising Authorities Data Retention & Storage Security Legal involvement Inventory of processing Incident Response & Crisis Management Data Portability Automated processing
PERSONAL DATA REMEMBER MUST BE PROCESSED FOR SPECIFIC PURPOSES ONLY AND NOT FOR ANYTHINGELSE When using personal data, make sure to use it only for the purposes that you told them about or that they agreed to, so that there are no surprises. 2 MUST BE FAIRLYAND LAWFULLY PROCESSED Make sure to handle people's personal data only in ways they would expect, and be open and transparent about how you intend to use the data. 1
PERSONAL DATA REMEMBER 3 MUST BE ADEQUATE, RELEVANT AND NOTEXCESSIVE When collecting personal data, do not collect more data than needed. 4 MUST BE ACCURATE AND UP TODATE Ensure that data you collect about your clients or employees is accurate, for example, the correct spelling of a name. It is also important to check that your records are up to date.
PERSONAL DATA REMEMBER 5 MUST NOT BE KEPT FOR LONGER THAN IS NECESSARY Do not keep personal data for longer than it is needed, and put procedures in place for archiving and destroying personal data when it is no longer needed. 6 MUST BE PROCESSED IN LINE WITH INDIVIDUALS’ RIGHTS  the right to access a copy of the personal data you hold about them  or to have their personal datarectified, blocked, erased or destroyed  or even the right to dataportability  they can object to processing of theirdata  or opt out of directmarketing  they can exercise their right to beforgotten  and claim compensation for damages if their rights are not respected
PERSONAL DATA REMEMBER 7 • MUST BE KEPT SECURE • KEEP PERSONAL DATA SECURE AND CONFIDENTIAL, USING, OF COURSE, IT MEASURES (SUCH AS ENCRYPTION) BUT ALSO ORGANISATIONAL MEASURES TO ENSURE YOUR PEOPLE AND SUPPLIERS DO NOT BREACH THIS CONFIDENTIALITY. 8 MUST NOT BE TRANSFERRED TO OTHER COUNTRIES WITHOUT ADEQUATE PROTECTION Before sending personal data to another country, make sure that adequate measures are put in place.

More Related Content

PPTX
GDPR: Training Materials by Qualsys
Qualsys Ltd
 
PDF
Privacy and Data Security
WilmerHale
 
PDF
Data Processing - data privacy and sensitive data
OpenAIRE
 
PDF
Data protection regulations in Nigeria
Mercy Akinseinde
 
PPTX
General Data Protection Regulations (GDPR): Do you understand it and are you ...
Cvent
 
PPTX
Data protection ppt
grahamwell
 
PDF
Data Protection Predictions for 2023.pdf
DarylBallesteros3
 
PDF
Practical steps to GDPR compliance
Jean-Michel Franco
 
GDPR: Training Materials by Qualsys
Qualsys Ltd
 
Privacy and Data Security
WilmerHale
 
Data Processing - data privacy and sensitive data
OpenAIRE
 
Data protection regulations in Nigeria
Mercy Akinseinde
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
Cvent
 
Data protection ppt
grahamwell
 
Data Protection Predictions for 2023.pdf
DarylBallesteros3
 
Practical steps to GDPR compliance
Jean-Michel Franco
 

What's hot (20)

PPTX
Privacy & Data Protection
sp_krishna
 
PPTX
Presentation on GDPR
DipanjanDey12
 
PDF
Personal data protection bill
Mathew Chacko
 
PDF
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Priyanka Aash
 
PDF
Data Protection and Privacy
Vertex Holdings
 
PPTX
Information privacy and Security
AnuMarySunny
 
PPT
Data Classification Presentation
Derroylo
 
PPTX
Data protection and privacy
himanshu jain
 
PPTX
Legal obligations and responsibilities of data processors and controllers und...
IT Governance Ltd
 
PPTX
GDPR Introduction and overview
Jane Lambert
 
PPT
Data protection in_india
Altacit Global
 
PPTX
Privacy and Data Protection
Directorate of Information Security | Ditjen Aptika
 
PPTX
Pdpa presentation
Alan Teh
 
PDF
Everything you Need to Know about The Data Protection Officer Role
HackerOne
 
PPTX
GDPR Presentation slides
Naomi Holmes
 
PPTX
skillcast-gdpr-training-presentation-q320.pptx
RahulGarg294918
 
PPTX
The Data Protection Act
SaimaRafiq
 
PDF
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Eryk Budi Pratama
 
PPTX
GDPR Presentation
CILIP Ireland
 
PPTX
Information classification
Howard Diesel (CDMP BI, DW, DBA, Msc Elec Eng)
 
Privacy & Data Protection
sp_krishna
 
Presentation on GDPR
DipanjanDey12
 
Personal data protection bill
Mathew Chacko
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Priyanka Aash
 
Data Protection and Privacy
Vertex Holdings
 
Information privacy and Security
AnuMarySunny
 
Data Classification Presentation
Derroylo
 
Data protection and privacy
himanshu jain
 
Legal obligations and responsibilities of data processors and controllers und...
IT Governance Ltd
 
GDPR Introduction and overview
Jane Lambert
 
Data protection in_india
Altacit Global
 
Privacy and Data Protection
Directorate of Information Security | Ditjen Aptika
 
Pdpa presentation
Alan Teh
 
Everything you Need to Know about The Data Protection Officer Role
HackerOne
 
GDPR Presentation slides
Naomi Holmes
 
skillcast-gdpr-training-presentation-q320.pptx
RahulGarg294918
 
The Data Protection Act
SaimaRafiq
 
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Eryk Budi Pratama
 
GDPR Presentation
CILIP Ireland
 
Information classification
Howard Diesel (CDMP BI, DW, DBA, Msc Elec Eng)
 
Ad

Similar to My presentation- Ala about privacy and GDPR (20)

PDF
GDPR Demystified
SPIN Chennai
 
PPTX
Prepare Your Firm for GDPR
MyComplianceOffice
 
PPT
The Countdown is on: Key Things to Know About the GDPR
Case IQ
 
PPTX
GDPR Enforcement is here. Are you ready?
SecurityScorecard
 
PDF
Happy clients happy compliance
IRIS
 
PDF
GDPR: What does it mean for your business?
BrightPay Payroll and Auto Enrolment Software
 
PPTX
GDPR The New Data Protection Law coming into effect May 2018. What does it me...
eHealth Forum
 
PPTX
Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...
Codemotion
 
PPTX
The general data protection act overview
Roy Biakpara, MSc.,CISA,CISSP,CISM,ISO27KLA
 
PPTX
De groote de man Ingrid de Poorter
BigDataExpo
 
PPTX
Introduction to GDPR
Priyab Satoshi
 
PPTX
GDPR Data Life Cycle
Jatin Kochhar
 
PPTX
Payslip gdpr deck nov 2017
Aoife Flynn
 
PPTX
What is the General Data Protection Regulation (GDPR)?
TAG Alliances
 
PPTX
GDPR: 3 Months On | Guest Speaker: Data Protection Commissioners
BrightPay Payroll and Auto Enrolment Software
 
PPTX
Gdpr presentation
Sudarsan Reddy
 
PPTX
Practical Guide to GDPR 2017
Dryden Geary
 
PDF
Guide to-the-general-data-protection-regulation
N N
 
PDF
mHealth Israel_EU General Data Protection Regulation_Simon Marks
Levi Shapiro
 
PPTX
The Meaning and Impact of the General Data Protection Regulation
Jake DiMare
 
GDPR Demystified
SPIN Chennai
 
Prepare Your Firm for GDPR
MyComplianceOffice
 
The Countdown is on: Key Things to Know About the GDPR
Case IQ
 
GDPR Enforcement is here. Are you ready?
SecurityScorecard
 
Happy clients happy compliance
IRIS
 
GDPR: What does it mean for your business?
BrightPay Payroll and Auto Enrolment Software
 
GDPR The New Data Protection Law coming into effect May 2018. What does it me...
eHealth Forum
 
Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...
Codemotion
 
The general data protection act overview
Roy Biakpara, MSc.,CISA,CISSP,CISM,ISO27KLA
 
De groote de man Ingrid de Poorter
BigDataExpo
 
Introduction to GDPR
Priyab Satoshi
 
GDPR Data Life Cycle
Jatin Kochhar
 
Payslip gdpr deck nov 2017
Aoife Flynn
 
What is the General Data Protection Regulation (GDPR)?
TAG Alliances
 
GDPR: 3 Months On | Guest Speaker: Data Protection Commissioners
BrightPay Payroll and Auto Enrolment Software
 
Gdpr presentation
Sudarsan Reddy
 
Practical Guide to GDPR 2017
Dryden Geary
 
Guide to-the-general-data-protection-regulation
N N
 
mHealth Israel_EU General Data Protection Regulation_Simon Marks
Levi Shapiro
 
The Meaning and Impact of the General Data Protection Regulation
Jake DiMare
 
Ad

More from zayadeen2003 (10)

PPTX
Alternative-Energy-Info-Day-Accenture.pptx
zayadeen2003
 
PPTX
20201119225332cobit.pptxcobit introductio
zayadeen2003
 
PPT
ch02_2.ppt principles of information ser.
zayadeen2003
 
PPTX
Phishing_Exercise_Presentation about phishing
zayadeen2003
 
PPTX
Product Roadmap Infographics by Slidesgo.pptx
zayadeen2003
 
PPTX
secure-controls-framework-sales-presentation.pptx
zayadeen2003
 
PPTX
General Services Template of the board.pptx
zayadeen2003
 
PPTX
Privacy session PSUT.pptx about privacy in
zayadeen2003
 
PPTX
Board-toolkit-Introduction-to-cyber-security-for-board-members-briefing-pack....
zayadeen2003
 
PPTX
PIMS-DOC-05-4-Privacy-Awareness-Presentation.pptx
zayadeen2003
 
Alternative-Energy-Info-Day-Accenture.pptx
zayadeen2003
 
20201119225332cobit.pptxcobit introductio
zayadeen2003
 
ch02_2.ppt principles of information ser.
zayadeen2003
 
Phishing_Exercise_Presentation about phishing
zayadeen2003
 
Product Roadmap Infographics by Slidesgo.pptx
zayadeen2003
 
secure-controls-framework-sales-presentation.pptx
zayadeen2003
 
General Services Template of the board.pptx
zayadeen2003
 
Privacy session PSUT.pptx about privacy in
zayadeen2003
 
Board-toolkit-Introduction-to-cyber-security-for-board-members-briefing-pack....
zayadeen2003
 
PIMS-DOC-05-4-Privacy-Awareness-Presentation.pptx
zayadeen2003
 

Recently uploaded (20)

PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Teaching material agriculture food technology
LiaRayya
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Encapsulation theory and applications.pdf
gurumoop
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 

My presentation- Ala about privacy and GDPR

  • 2. AGENDA • INTRODUCTION • WHY GDPR • TERMS AND DEFINITIONS • GDPR PRINCIPLES • GDPR REQUIREMENTS • AUDITING GDPR.
  • 3. INTRODUCTION The purpose of the General Data Protection Regulation (GDPR) is to modernize data protection and provide greater protection to individuals through the standardization and harmonization of previously fragmented data protection legislations. Is new EU legislation that comes into effect on May 25th 2018
  • 4. WHAT IS THE PURPOSE OF GDPR? • DATA PROTECTION IS ABOUT PROTECTING PEOPLES PRIVACY. WITH THE CONTINUED GROWTH OF THE INTERNET, MODERN DAY LIVING HAS BECOME MORE DATA DRIVEN RESULTING IN BUSINESS LOOKING FOR NEW WAYS TO LEVERAGE THE POWER OF TECHNOLOGY AND THE INTERNET This data driven world is much more interconnected, making it much harder to limit the harm to individuals if data protection goes wrong. The results of this may leave an individual exposed to identity theft, financial loss or criminal exploitation Companies are given personal information in good faith and are responsible for ensuring that the personal information given to them is protected in a way that will not compromise the individual. How personal information is protected depends on the type of personal information a company collects and how the company will use that information. This means that data protection is contextual and every company will have its own way of meeting its data protection requirements
  • 5. CHANGES TO THE EXISTING REGULATION What the GDPR brings to the current regulatory framework
  • 6. CHANGES TO THE EXISTING REGULATION What does the GDPR bring (compared to the existing Data Protection Directive)) Applies to all entities targeting data subjects in the EU, even if they are based out of the EU. Fines ranging between 2 to 4% of the global annual turnover or €10 - 20 million Personal data now includes location data, IP addresses, online and technology identifiers. Reinforced rights: Access, rectification, restriction, erasure, objection to processing; no automated processing and profiling. Required for processing, where there is no other legal obligation. Report a personal data breach to the Data Protection Authority within 72hrs. Data Protection Authorities (DPA) of main establishment can act as lead DPA, supervising processing activities throughout the EU. Binding Corporate Rules as tools for data transfers outside the EU and EEA are now embedded in law, where there is no adequate decision to perform a transfer. International data transfers One-stop shop Data breach notification Consent Data subjects rights Expanded definitions Sanctions Broader territorial scope
  • 7. DEFINITIONS What are the key aspects you need to know
  • 8. IMPORTANT TERMINOLOGY DATASUBJECT An individual who is the subject of the information or data. DATACONTROLLER A person, company or organisation who determines the purposes and means of processing personal data DATAPROCESSOR A person, company or organisation who processes personal data on behalf of the controller 8
  • 9. PERSONAL IDENTIFIABLE INFORMATION (PII) Any type of information relating directly or indirectly to an identified or identifiable natural person and can lead to the identification of an individual when used alone or combined with other relevant data. Examples are: General Personal Data Name, Surname Gender Date of birth Home Address ID Number Personal email address Biometric data (photograph / video) Behavioral information Financial Information Social Security Numbers Account numbers (bank accounts, credit cards, etc.) Personal Identification Numbers (PINs) Passwords to financial accounts Income information Personal Identifiable Information Sensitive Information Racial or ethnic origin Religious beliefs Health Information Sexual orientation Political views Criminal convictions / Security measures / Offenses Health Information Medical records Physical / mental health information Health plan Health history
  • 10. DATA PROTECTION ROLES Data subject Data controller Data processor Supervisory authority (SA) / Data Protection Authority (DPA) 1 0
  • 11. AN INDIVIDUAL’S RIGHTS The GDPR seeks to balance the rights of an individual, or data subject in relation to their personal information with the need a company has to hold and process personal information. The right of Access The right to Object The right to Rectification The right to Erasure Rights in relation to Automated decision- making & Profiling The right to Data Portability The right to Restrict processing 1 1
  • 12. CORE PRINCIPLES Processing of personal data Integrity and confidentiality Processing data in a secure manner, providing protection against unauthorised actions, loss, damage and destruction. Lawfulness and fairness Applying legitimate grounds for collecting data ensuring there is no negative impact on the data subject. Data Subject rights Informing the data subject about his rights regarding processing his personal data. Purpose limitation Collecting and processing data for specified, explicit and legitimate purpose. Data transfer and Disclosure Applying protection safeguards and measures on data transferred to third parties. Data minimisation GDPR Privacy Principles Collecting and processing data adequately and relatively to what it is necessary in relation to the purposes for which they are processed. Transparency Processing data in a lawful, fair and transparent manner in relation to the data subject. Accuracy Ensuring data is accurate and up to date in relation to the purposes for which they are processed, and erased or rectified accordingly. Accountability Introducing technical and organizational measures to ensure data processing is performed in accordance with the GDPR Storage limitation Keeping data for no longer than is necessary for the purposes for which they are processed.
  • 13. PROCESSING PERSONAL DATA Consent Contractual necessity Legal obligation Vital interests Public interest Legitimate interests Legitimate bases for processing 1 3 https://ico.org.uk/for-organisations/gdpr-resources/lawful-basis-interactive-guidance-tool/
  • 14. ACTIONS TO BE TAKEN 8 key measures to be taken Although GDPR legislation is, of course, a legal given, its implementation has organisational and IT elements as well. a total of 8 measures to be implemented: 1. DATA PRIVACY POLICY & AWARENESS PROGRAM 5. ADAPTING THE AGREEMENTS BETWEEN CONTROLLERS AND PROCESSORS (THIRD P ARTIES) 6. ADJUSTING COMMUNICATION TO THE ‘ DATA SUBJECTS’ THROUGH ‘PRIVACY NOTICES’ 2. MAINTAINING A REGISTER OF PROCESSING ACTIVITIES & DATA 3. PRIVACY IMPACT ASSESSMENTS (PIAs) ON THE CRITICAL PROCESSES 7. DATA BREACH NOTIFICATION 8. APPOINTMENT OF A DATA PROTECTION OFFICER (DPO) 4. IMPLEMENTING SECURITY MEASURES (PRIVACY BY DESIGN AND DEFAULT)
  • 15. Assess Capture Store Use Destroy Data Protection by Design and by Default Data Protection Impact Assessment (DPIA) Documentation Retention Period Right to erasure Portability Third Party copies Appropriate use Consent Manage Consent Restricted International Transfers Safe and Secure Restricted Access Data Inventory Subject Access Requests Contracts with Data Processors Data breaches Data Minimisation Privacy Notices Privacy Rights Obtain Consent SUMMARY OF GDPR INFORMATION LIFE CYCLE
  • 16. HOW PENALTIES AND FINES ARE INCURRED  The level of fines will be dependent on the nature, gravity and duration of the infringement and take into account any remediation measures a company has undertaken. Fines can incurred for a range of infringements and are not limited to the list below:  A breach of GDPR Principles  Issues around the individuals rights  Unlawful data processing  Breaches of Sensitive Personal Information  Transferring data to countries without adequate protections  Processing where consent cannot be proven or has been withdrawn 1 6
  • 17. AUDITING GDPR Auditors will be indispensable in helping enterprises adhere to these rules and maintain compliance 1 7 Auditing GDPR is about assessing the controls put in Place to respond to risk; it should consider the trio of risk across all facets of an enterprise: • People • Processes • Technology People Processes Technology
  • 18. AUDITING GDPR 1 8 GDPR Article 5 (2) states, “The controller shall be responsible for, and be able to demonstrate compliance” with GDPR by ensuring that personal data are processed in accordance with the following six principles:  Lawfulness, fairness and transparency  Purpose limitations  Data minimization  Accuracy  Storage limitations  Integrity and confidentiality In reality, the controller is accountable for ensuring compliance with the six key principles. Auditors are concerned with validating the level of compliance.
  • 19. 1- LAWFULNESS, FAIRNESS AND TRANSPARENCY 1 9 “GDPR Article 5 states, Data shall be…processed lawfully, fairly and in a transparent manner in relation to the data subject: The regulation requires that all the enterprise’s processes relating to personal data be evidenced, form an inventory of what data are processed on which systems, where they are stored and with whom they are shared. This should provide the necessary summary of processes from which the auditor can work Lawfulness : Auditors must ensure that enterprises have the systems and processes in place to ensure that these rights are not breached.
  • 20. FAIRNESS AND TRANSPARENCY 2 0 In terms of GDPR, it can be said that fairness is achieved when the data controller has put in place working procedures for data subjects to exercise their legal rights without hindrance, These rights are exercised through a subject access request (SAR) A GDPR SAR audit will be an audit of processes and the design and effective implementation of controls. Request Validation Response Fairness : In terms of GDPR, it can be said that fairness is achieved when the data controller has put in place working procedures for data subjects to exercise their legal rights without hindrance
  • 21. TRANSPARENCY 2 1 “GDPR Article 12 requires that any information the data controller (enterprise) gives to the data subject (individual) about its data processing practices must be concise, transparent, intelligible and in easily accessible form, and must be provided in writing within one month, at the latest. Transparency : In addition to auditors reviewing and validating the SAR response log, they also need to consider whether the information provided is indeed concise, complete, accurate and easily understandable.
  • 22. 2- ACCURACY 2 2 “GDPR Article 5 states, Personal data shall be… accurate, and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate…are erased or rectified without delay….:  Each data stream may have been replicated by various departments and individuals for different uses. Auditors must recognize the risk posed by shadow IT and unstructured data. Accuracy : Auditors should seek to assess the completeness of the data discovery exercise and the actions that followed. Auditors should:  Review the process undertaken by the business to locate and cleanse the data • Review the rules that are put in place to minimize the instance of shadow IT systems and manage unstructured data • The strategic audit plan should cover data quality. Traditionally, data quality audits have focused on corporate data; with GDPR, these audits now need to cover personal data.
  • 23. 3- PURPOSE LIMITATION 2 3 “GDPR Article 5 states, Personal data…shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.” Purpose limitations : Auditors should expect that records are flagged with a reference to a defined purpose that will in turn define the basis. Auditors should also expect to see evidence of validation and a link to a records retention and deletion policy.
  • 24. 4- DATA MINIMIZATION 2 4 “GDPR Article 5 states, “Personal data…shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” Data Minimization: The key for the auditor is to assess the processes and associated rules that have been established to validate the data collected. Thus, to comply with GDPR, enterprises must implement data minimization rules and processes at every step of the data life cycle.
  • 25. 5- STORAGE LIMITATION 2 5 “GDPR Article 5 states, “Personal data shall be kept in a form which permits identification of data subjects for no longer than necessary for the processing purposes; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes” Storage limitation: Auditors should approach with caution and consider retention in terms of other legislation and regulation before GDPR and the enterprise’s needs. GDPR only replaces existing data protection legislation and does not overwrite other existing legislation such as that relating to record retention (e.g., for tax purposes).. The key phrase to consider here is “permits identification.” Auditors should conclude from this that so long as the systems and processes work to anonymize the data at a given point in time then it is acceptable to keep and utilize the data for modeling An enterprise should build into its records retention and deletion policies (both manual and electronic) the rules that ensure compliance with legislation and regulation Enterprises can easily fail to comply with GDPR by failing to safeguard personal data upon disposal of hardware and software
  • 26. 6- CONFIDENTIALITY, INTEGRITY AND AVAILABILITY 2 6 “GDPR Article 5 states, “Personal data must be processed using appropriate technical and organizational security measures, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
  • 27. 2 7 Providing audit assurance on GDPR is not a one-off process; the regulation requires auditors to consider personal data throughout the enterprise’s annual audit plan
  • 28. IN A NUTSHELL What are the key points to remember
  • 29. 7 9 7 9 KEY POINTS Data Privacy Impact Assessment (DPIA) Data Transfers to Third Countries / Organisations Awareness & Training Data Protection Officer (DPO) Marketing Data Breach Notification Privacy by Design & by Default Consent prior processing Third Party agreements Data Erasure GDPR Reporting to Supervising Authorities Data Retention & Storage Security Legal involvement Inventory of processing Incident Response & Crisis Management Data Portability Automated processing
  • 30. PERSONAL DATA REMEMBER MUST BE PROCESSED FOR SPECIFIC PURPOSES ONLY AND NOT FOR ANYTHINGELSE When using personal data, make sure to use it only for the purposes that you told them about or that they agreed to, so that there are no surprises. 2 MUST BE FAIRLYAND LAWFULLY PROCESSED Make sure to handle people's personal data only in ways they would expect, and be open and transparent about how you intend to use the data. 1
  • 31. PERSONAL DATA REMEMBER 3 MUST BE ADEQUATE, RELEVANT AND NOTEXCESSIVE When collecting personal data, do not collect more data than needed. 4 MUST BE ACCURATE AND UP TODATE Ensure that data you collect about your clients or employees is accurate, for example, the correct spelling of a name. It is also important to check that your records are up to date.
  • 32. PERSONAL DATA REMEMBER 5 MUST NOT BE KEPT FOR LONGER THAN IS NECESSARY Do not keep personal data for longer than it is needed, and put procedures in place for archiving and destroying personal data when it is no longer needed. 6 MUST BE PROCESSED IN LINE WITH INDIVIDUALS’ RIGHTS  the right to access a copy of the personal data you hold about them  or to have their personal datarectified, blocked, erased or destroyed  or even the right to dataportability  they can object to processing of theirdata  or opt out of directmarketing  they can exercise their right to beforgotten  and claim compensation for damages if their rights are not respected
  • 33. PERSONAL DATA REMEMBER 7 • MUST BE KEPT SECURE • KEEP PERSONAL DATA SECURE AND CONFIDENTIAL, USING, OF COURSE, IT MEASURES (SUCH AS ENCRYPTION) BUT ALSO ORGANISATIONAL MEASURES TO ENSURE YOUR PEOPLE AND SUPPLIERS DO NOT BREACH THIS CONFIDENTIALITY. 8 MUST NOT BE TRANSFERRED TO OTHER COUNTRIES WITHOUT ADEQUATE PROTECTION Before sending personal data to another country, make sure that adequate measures are put in place.