Agenda
GDPR, ePrivacy & ISO/IEC 27701: How do they map?
• Data protection, a global development
• Your speakers
• Introduction to the GDPR, ePrivacy & ISO/IEC 27701
• GDPR & ISO/IEC 27701 mapping
• ePrivacy & ISO/IEC 27701 mapping
• Q&A Session
A WORLDWIDE DATA PROTECTION DEVELOPMENT
Certifications:
- Information Security Management
System (ISO 27001:2013)
- Cloud Security Alliance (CSA STAR)
- Privacy Information Management
System (ISO 27701:2019)
- Certified Data Protection Officer
(GDPR)
- PII on Cloud (ISO 27018)
- Technical Reviewer of IT certifications
for DQS
- Information Technology Management
System (ISO 20000-1:2018)
- Certified Project Management
Professional (PMP)
- Quality Management System (ISO
9001:2015)
- ITIL Certified from EXIN
- CMMC Registered Practitioner
- NIST Certified by BSI
- Governance, Risk & Compliance (GRC)
Professional
- Experienced in reviewing multiple GRC tools
like: Archer, ServiceNow, Zen GRC, ISO Manager,
ISO–Metrics, Lok path, MYRA
- Implemented GRC solutions for several clients
- Implemented Risk Management using NIST 800
Framework
- Performed GDPR/ CCPA Assessment
- Lead Auditor of ISO 27001, ISO 20000-1, CSA STAR, ISO 27018 & ISO 27701:2019 Standards
- Certified Instructor of ISO 27001, ISO 20000-1, CDPO (GDPR) & ISO 27701:2019 Standards
- Performed around 800 Governance, Risk & Compliance audits for Fortune 100 Companies
including Microsoft, Accenture, Oracle, SAP,
Capgemini
- Provided consulting services to Implement
Information Security Management Systems
- Performed Data Privacy Impact Assessment
(DPIA) and created Data Model / Process Model
to identify the impacted PII.
A PECB Partner Company
Neelov@1stprivacy.com
https://pmgame.net
+001-469-258-8565
Offerings:
PECB Accredited Certification: ISO 9K/ 20K/ 27K, ISO 27701
PECB Accredited Training: ISO 9K/ 20K/ 27K , CDPO
Consulting: ISO Certification Preparation Incl. ISO 27701,
ISO 27018
Other Information Security Framework
GDPR/CCPA/GLBA/ SSPA Assessment
CSA Solution Provider
NIST/ FedRAMP
SOC 1/2/3 (SSAE 18)
PCI DSS
CMMC
SEI/ CMM Assessment
PenTest, NOC/SOC
PM Game
Data Privacy Tool
https://1stprivacy.com
Neelov Kar
David Parish MSc CMI dip
Expertise and skills:
• Data Privacy and Data Security,
• Harm reduction, Enterprise Risk Management, ISO 31000 advocate,
• Governance, Risk, Compliance,
• ISO, ITIL, Cyber Essentials,
• Legal and regulatory strategy development and delivery.
Experience:
• 30+ International / National Senior UK Detective, Organised Crime, Money Laundering, Intelligence,
• 10 years private sector specialising in Threat, Risk and Harm reduction; Insurance, Health and Legal services,
• Top 50 UK law firm GDPR, AML, ISO 27001 and BCP implementation and strategy,
• NHS children's hospital Covid security and privacy Information Governance recovery strategies,
• National Insurance implementation, counter fraud and intelligence capability,
• Support and DPO as a service for voluntary sector charities,
• Director and Associate expert for bespoke confidential privacy and security solutions,
• Subject Matter Expert at European Police College CEPOL, Organised Crime and Strategic Intelligence,
• Technical specialist, GDPRACADEMY.org,
• Speaker: various forums, online or in person.
Degrees & Certifications:
• MSc(s), Security and Risk Management,
• CMI Management and Leadership,
• ISO/IEC 22001 / 27701 Lead Implementer and Auditor,
• ISO 22301 Business Continuity Implementation,
• Maastricht University Data Protection Officer (DPO),
• IBITQ GDPR Practitioner and Implementer,
• Money Laundering / Serious and Organised Crime, multiple qualifications,
• Specialist Intelligence expert and Criminal Intelligence Analyst (IALEIA),
• PMP, PRINCE2, Six Sigma, Lean thinking.
Practical, realistic.
Vincent Bureau
www.DPOsolutions.co.
Data Protection Officer as a Service
Expertise and skills
• Personal data & privacy protection,
• Information security & cybersecurity,
• Governance, Risk, Compliance,
• Laws & Treaties: North America, European Union, Caribbean, Africa.
Experience
• 15+ Risk, Regulatory & Compliance. 25+ IT & telecom,
• Europe, Canada, Africa, USA,
• Expert for NRC, National Research Council Canada; Expert for IN-SEC-M, cybersecurity cluster,
• Trainer: ÉTS Montreal, Réseau Action TI Québec,
• Speaker: PMI, ISACA, PECB, Printemps numérique de Montréal, Semaine numérique Nantes France,
• Software & telecom, public and government services, media and entertainment, education, manufacturing, banking and insurance, retail, travel and hospitality.
Degrees & Certifications
• MSc(s), Public Law, Risk & Project Management, Telecommunications, Marketing,
• ISO/IEC 27701 Lead Implementer,
• CIPP/E - Certified Information Privacy Professional Europe - IAPP,
• CDPSE - Certified Data Privacy Solutions Engineer - ISACA,
• OneTrust Certified Privacy Professional,
• PMP, PRINCE2, MoP, Managing Benefits.
General Data Protection Regulation (GDPR)
ePrivacy
ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27701
NIST Privacy Framework
ISO 27000 series / GDPR / ePrivacy compliance
GDPR and ISO 27701
Overlap
ISO 27701 Mapping to GDPR
ISO 27701 Mapping to GDPR – Major Areas
Data Protection Officer
• ISO 27701: Cl. 6.3
• Appoint a person responsible for developing, maintaining and monitoring the privacy program. Responsibilities:
  - be independent, reporting directly to management
  - be involved in the management of all issues
  - be an expert in data protection legislation
  - act as contact point for supervisory authorities
  - inform top management of its obligations w.r.t. the processing of PII
  - provide advice in respect of privacy impact assessment
GDPR Articles 37-39
A data protection officer must be formally identified where the organisation monitors large-scale processing of sensitive personal information. The DPO's tasks:
  - to inform and advise the controller or the processor and the employees who carry out processing of their obligations
  - to monitor compliance with this Regulation in relation to the protection of personal data, including awareness-raising
  - to provide advice where requested as regards the data protection impact assessment
  - to cooperate with the supervisory authority
  - to act as the contact point for the supervisory authority
ISO 27701 Mapping to GDPR – Major Areas
Privacy Impact Assessment
• ISO 27701: Cl. 7.2.5 Privacy Impact Assessment (PIA)
  The organization should assess the need for, and implement where appropriate, a privacy impact assessment whenever new processing of PII or changes to existing processing of PII is planned.
• This includes: types of PII processed, where PII is stored, and where it can be transferred
• DFD and Data Map can be helpful
GDPR Article 35: Data Protection Impact Assessment (DPIA)
Where the Company implements new technologies which will or could result in a high risk to the rights and freedoms of individuals, the Company has to carry out a PIA.
This will contain:
  - Systematic description of processing
  - Risk assessment
  - Controller shall carry out a review
ISO 27701 Mapping to GDPR – Major Areas
Privacy by Design & Default
• ISO 27701: Cl. 6.11.2.1 & 7.4
• Cl. 6.11.2.1: Secure Development Policy
  - PII Protection / privacy principles (ISO 29100) / PII Protection Checkpoint
  - By default minimize processing of PII
• Cl. 7.4: Privacy by Design / Default
  - Limit collection (disabling option by default)
  - Limit processing (disable disclosure, storage and access)
  - Accuracy and quality
  - PII minimization
  - De-identification / deletion after processing
  - Temp files / retention / disposal / transmission
GDPR Article 25
At the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation and data minimisation.
The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to:
  - the amount of personal data collected,
  - the extent of their processing,
  - the period of their storage,
  - and their accessibility.
FYI: Executive Order 14028 of US President, May 17 2021 - Zero Trust Architecture
ISO 27701 Mapping to GDPR – Major Areas
Breach Notification
• ISO 27701: Cl. 6.13.1.5
  Records should be maintained for regulatory and forensic purposes:
  - Description, time period, consequences, reporter, to whom reported, steps taken to resolve, loss / disclosure or alteration of PII
  - In some jurisdictions, applicable legislation and/or regulations require notifying the appropriate regulatory authorities
GDPR Articles 33 & 34
Does the company have procedures in place to enable it to report a breach to the regulator within 72 hours of becoming aware of it?
The breach must be investigated and details provided to the regulator about the nature of the breach, likely consequences and mitigations being taken to address it.
This investigation may require assistance from processors, so operational processes should factor this in.
Controller shall provide:
  - Responsibilities of Controller and Processor
  - Contact details of DPO
  - DPIA
ISO 27701 Mapping to GDPR – Major Areas
Lawful Basis
• ISO 27701: Cl. 7.2.2
• The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purpose. Legal basis:
  - Consent from PII principals
  - Performance of a contract
  - Compliance with legal obligation
  - Protection of vital interest of PII principals
  - Public interest
  - Legitimate interest of the PII controller
GDPR Article 6
  - Data subject has given consent
  - Performance of a contract
  - Processing required for legal obligation
  - Processing required to protect the vital interest of data subject
  - Processing required for public interest
  - Processing required for legitimate interest of controller
ISO 27701 Mapping to GDPR – Major Areas
International Transfer
• ISO 27701: Cl. 7.5.2 PII Transfer
  The organization should specify and document the countries and international organizations to which PII can possibly be transferred.
GDPR Chapter V, Articles 44-48
  (a) A country which ensures an adequate level of protection
  (b) Transfers subject to appropriate safeguards
  (c) If it is within the Company group, are Binding Corporate Rules in place?
  (d) Standard contractual clauses as approved by the European Commission
Other possibilities:
  (a) With the consent of the data subject.
  (b) The transfer is necessary to carry out a contract with the data subject
  (c) The transfer is in the public interest
  (d) The transfer is necessary to establish, exercise or defend legal rights
  (e) The transfer is necessary to protect the vital interests of a person where the data subject is physically or legally incapable of giving consent.
COMMISSION IMPLEMENTING DECISION (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council
ISO 27701 Mapping to GDPR – Major Areas
Policies & Procedures
• ISO 27701:
  - Secure Development Policy (Privacy by Design / Privacy by Default)
  - Secure System Engineering Principles (Privacy by Design / Privacy by Default)
  - Data Retention Policy (PII)
  - PII Compliance Policy
  - Guidelines for PII Sharing, Transfer and Disclosure
  - DPIA Procedure
  - Consent Procedure
  - Security Incident Response Procedure (PII breach)
• GDPR:
  - General Data Protection Policy
  - Data Subject Access Rights Procedure
  - Data Retention Policy
  - Data Breach Escalation and Checklist
  - Employee Privacy Policy and Notice
  - Processing Customer Data Policy
  - Guidance on Privacy Notices
Personal Experience
Some Interesting Concepts
Anonymization vs Pseudonymization
Data Controller vs Data Processor
Data Subject Access Request (DSAR)
“Don’t Sell My Information” on the website – Requirement of CCPA
Backup Policy for PII
Erasing Temp Files
Shall not re-issue deactivated or expired user IDs
Supervisory Authority of Member Countries
ISO 27701/GDPR
What is the relationship between Privacy and Electronic Communications Regulations (PECR) and the GDPR?
• PECR sits alongside data privacy legislation including the GDPR, and provides specific rules in relation to privacy and electronic communications.
• Direct marketing is invariably and consistently where companies fail to take a joined-up approach in recognising that:
  • Privacy legislation and marketing should COMPLEMENT rather than COMPETE,
  • You may comply with PECR but fail to comply with privacy, and vice versa.
What is the relationship between Privacy and Electronic Communications Regulations (PECR) and the GDPR?
INTERLINKED
• The key difference is that the GDPR relates to the processing of personal data,
• PECR relates specifically to electronic marketing and has specific rules on: marketing calls, emails, texts and faxes, and cookies.
• PECR comes first, but you MUST adhere to the GDPR and other global privacy requirements when processing personal data.
• The rules for B2B are different from those for B2C, and this is where the majority of the conflict and enforcement activity by regulators occurs.
What is the relationship between Privacy and Electronic Communications Regulations (PECR) and the GDPR?
DIFFERENCE
Electronic Communications: what are they? (Silence)
• PECR do not define ‘electronic communications’.
• The rules apply in different ways using specific concepts and definitions.
• The marketing rules apply to specified types of marketing messages, and some other rules apply to service providers or communications providers.
• The basic concept of an electronic communication underpins the regulations. Put simply, electronic communications mean any information sent between particular parties over a phone line or internet connection. This includes phone calls, faxes, text messages, video messages, emails and internet messaging. It does not include generally available information such as the content of web pages or broadcast programming.
• Key requirements in relation to marketing are:
  • Ensuring there is a law
  • Lawful basis for both direct marketing and using analytical cookies
  • Having an appropriate opt-out: the unsubscribe
  • Having an appropriate privacy notice
  • The preferences
Similarities between the GDPR and the PECR
Comply with this and you are usually OK, but…
All processing of personal data must:
• Be carried out according to specific principles (the “HOW”) (Art. 5.1)
• Be documented (Art. 5.2)
• And
• Have one or more lawful grounds (the “WHY”) (Arts. 6 & 9)
… the foundations of the data protection regime
Lawful Processing
To comply with Arts. 5, 6 and 32 GDPR you MUST have this.
Article 6(1)(a) Consent v Article 6(1)(f) Legitimate Interest
June 2021, UK Regulator:
We have fined Papa John’s (GB) Limited £10,000 for sending nuisance texts and emails to customers.
Papa John’s relied on the ‘soft opt in’ exemption for marketing consent.
However, we found that customers who had placed a telephone order were not provided with a privacy notice at point of contact nor given the option to opt out.
The ‘soft opt in’ exemption allows organisations to send electronic marketing messages to customers whose details have been obtained for similar services.
However, you:
✅ Must give customers a clear chance to opt out – both when you first collect their details, and in every message you send.
❌ Must not use the soft opt in for prospective customers or new contacts (eg from bought-in lists).
❌ Must not use the soft opt in for non-commercial promotions (eg charity fundraising or political campaigning).
Consent
Regulation 8(2) of the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 clarifies that, for PECR:
"‘consent’ by a user or subscriber corresponds to the data subject’s consent in the GDPR (as defined in section 3(10) of the Data Protection Act 2018)."
Recital 32 of the GDPR also specifically bans pre-ticked boxes – silence or inactivity does not constitute consent.
Why does it happen?
The Silence of Regulation
Consent
What does ‘consent’ mean?
PECR requires that users or subscribers consent to cookies being placed or used on their device. There is no definition of consent given in PECR or in the ePrivacy Directive; instead, the GDPR definition of consent applies. This is in Article 4(11) of the GDPR and states:
"‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
Silence Again
• What does ‘clear and comprehensive information’ mean?
• PECR does not define what ‘clear and comprehensive information’ means. However, Article 5(3) of the ePrivacy Directive says that clear and comprehensive information should be provided ‘in accordance with’ data protection law.
• This relates to the GDPR’s transparency requirements and the right to be informed. It means that when you set cookies you must provide the same kind of information to users and subscribers as you would do when processing their personal data (and, in some cases, your use of cookies will involve the processing of personal data anyway).
1. The Privacy and Electronic Communications Regulations (PECR) give people specific privacy rights in relation to electronic communications. There are specific rules on:
   1. marketing calls, emails, texts and faxes;
   2. cookies (and similar technologies);
   3. keeping communications services secure; and
   4. customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
4. The ‘soft opt-in’ exemption provided by Regulation 22(3) PECR means that organisations can send marketing messages by text and e-mail to individuals whose details have been obtained in the course of, or negotiations for, a sale and in respect of similar products and services. The organisation must also give the person a simple opportunity to refuse or opt out of the marketing, both when first collecting the details and in every message after that.
5. The ICO has the power under PECR to impose a monetary penalty on a data controller of up to £500,000.
The Areas the Regulators Look At
We Now Have Three Considerations
PECR
• For network and service providers, the GDPR does not apply where the PECR already provide rules. In practice, this means providers need only comply with the PECR’s requirements relating to:
  • Security and security breaches;
  • Traffic data;
  • Location data;
  • Itemised billing; and
  • Line identification services.
NIS (a brief mention)
While PECR says you don’t have to comply with some areas of privacy, you then have to consider NIS: some service providers, such as Internet service providers, might be obliged to comply with the NIS Regulations (Network and Information Systems Regulations 2018) as well, so should check their compliance obligations carefully.
Incorrect Reconfirmation: the Confusion goes on and on
In Practice
If you are not sure you meet all conditions for the soft opt-in, obtain consent before sending any marketing communications. Consent is always better than the soft opt-in in terms of transparency and accountability.
In either case, individuals must be able to easily opt out at any time, and must be informed of that right.
You must also clearly state that their data will be used for marketing purposes before you start sending any direct marketing.
Key compliance points
• Marketing for commercial purposes?
• Market by email and/or text only?
• Existing commercial relationship? (the person has purchased, or is in the process of purchasing, a product/service)
• Soft opt-in (if all of the above apply) / Consent (otherwise)
The mistakes and COVID
“CRM integrations with leading providers, we empower firms to leverage data to create personalised experiences. It also ensures that all data maps back to the CRM in real-time, keeping valuable source data fresh and accurate.”
• Cleansing or reaffirming consent.
• Bought-in lists or scraped from LinkedIn or other social media platforms.
• The COVID updates from companies: did you know these companies had your data in the first place?
COOKIES TRACKING
THE INTERNET OF THINGS OR THE INFOCALYPSE
The “We use cookies: Accept or select Preferences” banner: what do you do?
What are they
• Generally there are two types of cookies:
  1. Those that make the web page you are visiting work: technical cookies.
  2. Those that support marketing, with all the associated data privacy concerns.
• It should be transparent and easily understood.
Why does it matter
• Smartphones are the must-have item.
• All the apps and web pages on your phone are collecting cookies.
• The cookies that are valuable are the ones you don’t know about: the non-technical or analytical ones.
• The preferences options are not in plain language and are technical.
• The retention periods are often set by the software, NOT the business.
An Example of the Requirement v the Reality
ICO Guidance | Website
• Requirement: You must make users aware of the cookies being placed on their devices.
  Reality: No description of what cookies are being placed.
• Requirement: Your methods of providing this information, and the capability for users to refuse, are to be as user-friendly as possible.
  Reality: No mechanism to allow users to refuse.
• Requirement: The information has to cover:
  • These requirements also apply to cookies set by any third parties whose technologies your online service incorporates –
  • This would include cookies, pixels and web beacons, JavaScript and any other means of storing or accessing information on the device, including those from other services such as online advertising networks or social media platforms.
ICO Guidance | Website
• Requirement: The cookies you intend to use.
  Reality: Brief description but no depth.
• Requirement: The purposes for which you intend to use them.
  Reality: The description does cover this.
Pre-GDPR law firm web site
• Currently have 9 session cookies that are applied to the homepage.
• The cookies highlighted in red are “non-technical” cookies.
• The issue is, unless the cookie is an integral function that needs to be installed for the website to work, consent/transparency is required.
• There are 14 stored cookies applied.
• Those in red are “non-technical” cookies which require consent/affirmation.
• The other issue highlighted is that the cookie we apply to use our website, “cookiepolicy”, has its RETENTION date set at 9,999 days (27 years).
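Added example (not from the slides, nor the ICO's or the law firm's own tooling): a small audit that parses Set-Cookie headers captured on a consent-less first visit, classifies each cookie against an assumed inventory of technical cookies, and flags both findings the slide describes, non-technical cookies set before consent and a retention period far beyond any business need. The cookie names and values, the technical-cookie list and the 13-month retention ceiling are constructed assumptions.

```javascript
// Added example, not from the slides: a minimal cookie audit over Set-Cookie
// headers captured on a first visit made WITHOUT giving consent. It applies
// the two checks the slide describes: is a non-technical cookie set before
// consent, and is the retention period set far beyond any business need?
const SECONDS_PER_DAY = 86400;

// Assumed site inventory of strictly necessary ("technical") cookies. In a real
// audit this comes from the controller's own cookie register, not a guess.
const TECHNICAL_COOKIES = [/^PHPSESSID$/, /^cookiepolicy$/];

// Assumed policy ceiling for persistent cookies (about 13 months). The slides
// give no number; the 9,999-day example is flagged under any sane ceiling.
const MAX_RETENTION_DAYS = 395;

// Parse one Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq).trim();
  const value = eq === -1 ? '' : pair.slice(eq + 1).trim();
  const attrs = {};
  for (const attr of rest) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Retention in days. null means a session cookie (gone when the browser
// closes). Max-Age takes precedence over Expires, as in RFC 6265; `now` is
// injected so that Expires-based results are reproducible.
function retentionDays(cookie, now) {
  const maxAge = cookie.attrs['max-age'];
  if (typeof maxAge === 'string' && /^-?\d+$/.test(maxAge)) {
    return Number(maxAge) / SECONDS_PER_DAY;
  }
  if (typeof cookie.attrs.expires === 'string') {
    const t = Date.parse(cookie.attrs.expires);
    if (!Number.isNaN(t)) return (t - now.getTime()) / (1000 * SECONDS_PER_DAY);
  }
  return null;
}

// Audit every header: classify, measure retention, and list the findings.
function auditCookies(headers, { now = new Date(), maxDays = MAX_RETENTION_DAYS } = {}) {
  return headers.map((header) => {
    const cookie = parseSetCookie(header);
    const technical = TECHNICAL_COOKIES.some((re) => re.test(cookie.name));
    const days = retentionDays(cookie, now);
    const issues = [];
    if (!technical) issues.push('non-technical cookie set before consent');
    if (days !== null && days > maxDays) {
      issues.push(`retention of ${Math.round(days)} days exceeds ${maxDays}`);
    }
    return { name: cookie.name, technical, retentionDays: days, issues };
  });
}

// Headline numbers of the kind the slide quotes (total, non-technical, flagged).
function summarise(findings) {
  return {
    total: findings.length,
    nonTechnical: findings.filter((f) => !f.technical).length,
    flagged: findings.filter((f) => f.issues.length > 0).length,
  };
}

// Constructed sample capture (names and values are made up). Mirrors the slide:
// a consent-record cookie with a 9,999-day lifetime and analytics set up front.
const SAMPLE_HEADERS = [
  'PHPSESSID=3f9c1b; Path=/; HttpOnly; Secure',
  'cookiepolicy=accepted; Max-Age=863913600; Path=/', // 9,999 days
  '_ga=GA1.2.1111.2222; Expires=Sat, 01 Jun 2024 00:00:00 GMT; Path=/',
  'pref_lang=en; Max-Age=2592000; Path=/', // 30 days
];
const FIXED_NOW = new Date('2021-06-01T00:00:00Z');

for (const f of auditCookies(SAMPLE_HEADERS, { now: FIXED_NOW })) {
  const days = f.retentionDays === null ? 'session' : `${Math.round(f.retentionDays)} days`;
  const kind = f.technical ? 'technical' : 'non-technical';
  console.log(`${f.name} (${kind}, ${days}): ${f.issues.join('; ') || 'ok'}`);
}
console.log(summarise(auditCookies(SAMPLE_HEADERS, { now: FIXED_NOW })));
```

Feeding it headers captured by a tool such as the Website Evidence Collector mentioned later in the deck gives the same report for a real site.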
Schrems and NOYB Privacy Advocates
• Most sites 'do not comply'
• To combat this, the group has created an automated system, which it says can find
violations and auto-generate a complaint under GDPR.
• It claims "most banners do not comply with the requirements of the GDPR".
• Fines can be up to €20m (£17.5m) or 4% of a company's global revenue, whichever is
higher.
• Of the 500 pages in its first batch of complaints, 81% had no "reject" option on the
first page, but rather hidden in a sub-page, it said. Another 73% used "deceptive
colours and contrasts" to lead users into clicking "accept", and 90% provided no easy
way to withdraw consent, it said.
• Google fined £91m over ad-tracking cookies
• Tech Tent: The end of ad tracking?
• Noyb says it is first issuing draft complaints to 10,000 of the most-visited websites
across Europe, along with instructions on how to change settings.
Website Evidence Collector
The tool collects evidence of personal data processing, such as cookies, or requests to
third parties. The collection parameters are configured ahead of the inspection and
then collection is carried out automatically. The collected evidence, structured in a
human- and machine-readable format (YAML and HTML), allows website controllers,
data protection officers and end users to understand better which information is
transferred and stored during a visit of a website, i.e. the consecutive loading of a
number of web pages without giving consent or logging in.
https://edps.europa.eu/edps-inspection-software_en
Website Checkers
Privacy v PECR
How to check or assist: there are some tools for web page compliance.
My thoughts:
Together Everyone Achieves More
( TEAM) In reducing The harm
ESSENTIALS THE ISO PRINCIPLES
• Leadership
• Ownership
• Understanding
• Assisted implementation
• Training
• Information sharing
• Keep it simple.
• You cannot succeed by yourself.
THANK YOU
?
info@crsriskybusiness.co.uk David Parish
vincent.bureau@dposolutions.co Vincent Bureau
neelov.kar@gmail.com Neelov Kar

Iso27001 Isaca Seminar (23 May 08)samsontamwaiho
 
Iso27001 Isaca Seminar (23 May 08)
Iso27001  Isaca Seminar (23 May 08)Iso27001  Isaca Seminar (23 May 08)
Iso27001 Isaca Seminar (23 May 08)samsontamwaiho
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksIT Governance Ltd
 
Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarControlCase
 
Compliance Framework
Compliance FrameworkCompliance Framework
Compliance Frameworkbarnetdh
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...PECB
 

Similar to ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map? (20)

Talk1 esc3 muscl-standards and regulation_v1_1
Talk1 esc3 muscl-standards and regulation_v1_1Talk1 esc3 muscl-standards and regulation_v1_1
Talk1 esc3 muscl-standards and regulation_v1_1
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
 
The Virtual Security Officer Platform
The Virtual Security Officer PlatformThe Virtual Security Officer Platform
The Virtual Security Officer Platform
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
 
Cyber resolution ban-ana comparing to ana-nas.pdf
Cyber resolution ban-ana comparing to ana-nas.pdfCyber resolution ban-ana comparing to ana-nas.pdf
Cyber resolution ban-ana comparing to ana-nas.pdf
 
GDPRBrief.pptx
GDPRBrief.pptxGDPRBrief.pptx
GDPRBrief.pptx
 
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
 
Iso27001- Nashwan Mustafa
Iso27001- Nashwan MustafaIso27001- Nashwan Mustafa
Iso27001- Nashwan Mustafa
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interprom
 
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
 
BigID GDPR Compliance Automation Webinar Slides
BigID GDPR Compliance Automation Webinar SlidesBigID GDPR Compliance Automation Webinar Slides
BigID GDPR Compliance Automation Webinar Slides
 
GDPR and ISO 27001 - how to be compliant
GDPR and ISO 27001 - how to be compliantGDPR and ISO 27001 - how to be compliant
GDPR and ISO 27001 - how to be compliant
 
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
 
Iso27001 Isaca Seminar (23 May 08)
Iso27001  Isaca Seminar (23 May 08)Iso27001  Isaca Seminar (23 May 08)
Iso27001 Isaca Seminar (23 May 08)
 
Iso27001 Isaca Seminar (23 May 08)
Iso27001  Isaca Seminar (23 May 08)Iso27001  Isaca Seminar (23 May 08)
Iso27001 Isaca Seminar (23 May 08)
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 
Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish Kirtikar
 
Compliance Framework
Compliance FrameworkCompliance Framework
Compliance Framework
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
 

More from PECB

DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityPECB
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernancePECB
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...PECB
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyPECB
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsPECB
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?PECB
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...PECB
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...PECB
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC PECB
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...PECB
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...PECB
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA PECB
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?PECB
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptxPECB
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxPECB
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023PECB
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemPECB
 
ISO/IEC 27005:2022 – What are the changes?
ISO/IEC 27005:2022 – What are the changes?ISO/IEC 27005:2022 – What are the changes?
ISO/IEC 27005:2022 – What are the changes?PECB
 
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...PECB
 
ISO/IEC 27001 and ISO 22301: How do they map?
ISO/IEC 27001 and ISO 22301: How do they map?ISO/IEC 27001 and ISO 22301: How do they map?
ISO/IEC 27001 and ISO 22301: How do they map?PECB
 

More from PECB (20)

DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management system
 
ISO/IEC 27005:2022 – What are the changes?
ISO/IEC 27005:2022 – What are the changes?ISO/IEC 27005:2022 – What are the changes?
ISO/IEC 27005:2022 – What are the changes?
 
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
 
ISO/IEC 27001 and ISO 22301: How do they map?
ISO/IEC 27001 and ISO 22301: How do they map?ISO/IEC 27001 and ISO 22301: How do they map?
ISO/IEC 27001 and ISO 22301: How do they map?
 

Recently uploaded

Measures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped dataMeasures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped dataBabyAnnMotar
 
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxGrade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxkarenfajardo43
 
How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17Celine George
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 
Oppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmOppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmStan Meyer
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQuiz Club NITW
 
ClimART Action | eTwinning Project
ClimART Action    |    eTwinning ProjectClimART Action    |    eTwinning Project
ClimART Action | eTwinning Projectjordimapav
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Developmentchesterberbo7
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4JOYLYNSAMANIEGO
 
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxSayali Powar
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1GloryAnnCastre1
 
Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationdeepaannamalai16
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
Mental Health Awareness - a toolkit for supporting young minds
Mental Health Awareness - a toolkit for supporting young mindsMental Health Awareness - a toolkit for supporting young minds
Mental Health Awareness - a toolkit for supporting young mindsPooky Knightsmith
 
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...DhatriParmar
 
Narcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdfNarcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdfPrerana Jadhav
 
Expanded definition: technical and operational
Expanded definition: technical and operationalExpanded definition: technical and operational
Expanded definition: technical and operationalssuser3e220a
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...Nguyen Thanh Tu Collection
 

Recently uploaded (20)

Measures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped dataMeasures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped data
 
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxGrade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
 
How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17
 
prashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Professionprashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Profession
 
Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
Oppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmOppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and Film
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
 
ClimART Action | eTwinning Project
ClimART Action    |    eTwinning ProjectClimART Action    |    eTwinning Project
ClimART Action | eTwinning Project
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Development
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4
 
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1
 
Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentation
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
Mental Health Awareness - a toolkit for supporting young minds
Mental Health Awareness - a toolkit for supporting young mindsMental Health Awareness - a toolkit for supporting young minds
Mental Health Awareness - a toolkit for supporting young minds
 
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
 
Narcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdfNarcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdf
 
Expanded definition: technical and operational
Expanded definition: technical and operationalExpanded definition: technical and operational
Expanded definition: technical and operational
 
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
 

ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?

  • 2. Agenda: GDPR, ePrivacy & ISO/IEC 27701: How do they map?
    - Data protection, a global development
    - Your speakers
    - Introduction to the GDPR, ePrivacy & ISO/IEC 27701
    - GDPR & ISO/IEC 27701 mapping
    - ePrivacy & ISO/IEC 27701 mapping
    - Q&A Session
  • 4. Neelov Kar, A PECB Partner Company, Neelov@1stprivacy.com, https://pmgame.net, +001-469-258-8565
    Certifications:
    - Information Security Management System (ISO 27001:2013)
    - Cloud Security Alliance (CSA STAR)
    - Privacy Information Management System (ISO 27701:2019)
    - Certified Data Protection Officer (GDPR)
    - PII on Cloud (ISO 27018)
    - Technical Reviewer of IT certifications for DQS
    - Information Technology Management System (ISO 20000-1:2018)
    - Certified Project Management Professional (PMP)
    - Quality Management System (ISO 9001:2015)
    - ITIL Certified from EXIN
    - CMMC Registered Practitioner
    - NIST Certified by BSI
    - Governance, Risk & Compliance (GRC) Professional
    - Experienced in reviewing multiple GRC tools like: Archer, ServiceNow, Zen GRC, ISO Manager, ISO–Metrics, Lok path, MYRA
    - Implemented GRC solutions for several clients
    - Implemented Risk Management using NIST 800 Framework
    - Performed GDPR/CCPA Assessment
    - Lead Auditor of ISO 27001, ISO 20000-1, CSA STAR, ISO 27018 & ISO 27701:2019 Standards
    - Certified Instructor of ISO 27001, ISO 20000-1, CDPO (GDPR) & ISO 27701:2019 Standards
    - Performed around 800 Governance, Risk & Compliance audits for Fortune 100 companies including Microsoft, Accenture, Oracle, SAP, Capgemini
    - Provided consulting services to implement Information Security Management Systems
    - Performed Data Privacy Impact Assessment (DPIA) and created Data Model / Process Model to identify the impacted PII.
    Offerings:
    - PECB Accredited Certification: ISO 9K/20K/27K, ISO 27701
    - PECB Accredited Training: ISO 9K/20K/27K, CDPO
    - Consulting: ISO Certification Preparation incl. ISO 27701, ISO 27018
    - Other Information Security Framework: GDPR/CCPA/GLBA/SSPA Assessment, CSA Solution Provider, NIST/FedRAMP, SOC 1/2/3 (SSAE 18), PCI DSS, CMMC, SEI/CMM Assessment, PenTest, NOC/SOC
    - PM Game Data Privacy Tool: https://1stprivacy.com
  • 5. David Parish MSc CMI dip
    Expertise and skills:
    - Data Privacy and Data Security
    - Harm reduction, Enterprise Risk Management, ISO 31000 advocate
    - Governance, Risk, Compliance
    - ISO, ITIL, Cyber Essentials
    - Legal and Regulatory strategy development and delivery
    Experience:
    - 30+ International and National Senior UK Detective: Organised Crime, Money Laundering, Intelligence
    - 10 years Private sector specialising in Threat, Risk and Harm reduction; Insurance, Health and Legal services
    - Top 50 UK Law firm: GDPR, AML, ISO 27001 and BCP implementation and strategy
    - NHS children's hospital: Covid security and privacy, Information Governance recovery strategies
    - National Insurance implementation: counter fraud and intelligence capability
    - Support and DPO as a service for the Voluntary sector and Charities
    - Director and Associate expert for bespoke Confidential solutions, privacy and security
    - Subject Matter Expert at European Police College CEPOL: Organised Crime and Strategic Intelligence
    - Technical specialist, GDPRACADEMY.org
    - Speaker: various forums, online or in person
    Degrees & Certifications:
    - MSc(s), Security and Risk Management
    - CMI Management and Leadership
    - ISO/IEC 22001/27701 Lead Implementer and Auditor
    - ISO 22301 Business Continuity Implementation
    - Maastricht University Data Protection Officer (DPO)
    - IBITQ GDPR Practitioner and Implementer
    - Money Laundering / Serious and Organised Crime: multiple qualifications
    - Specialist Intelligence expert and Criminal Intelligence Analyst (IALEIA)
    - PMP, PRINCE2, Six Sigma, Lean thinking
    Practical, realistic
  • 6. Vincent Bureau, www.DPOsolutions.co., Data Protection Officer as a Service
    Expertise and skills:
    - Personal data & privacy protection
    - Information security & cybersecurity
    - Governance, Risk, Compliance
    - Laws & Treaties: North America, European Union, Caribbean, Africa
    Experience:
    - 15+ Risk, Regulatory & Compliance; 25+ IT & telecom
    - Europe, Canada, Africa, USA
    - Expert for NRC, National Research Council Canada; Expert for IN-SEC-M, cybersecurity cluster
    - Trainer: ÉTS Montreal, Réseau Action TI Québec
    - Speaker: PMI, ISACA, PECB, Printemps numérique de Montréal, Semaine numérique Nantes France
    - Sectors: software & telecom, public and government services, media and entertainment, education, manufacturing, banking and insurance, retail, travel and hospitality
    Degrees & Certifications:
    - MSc(s), Public Law, Risk & Project Management, Telecommunications, Marketing
    - ISO/IEC 27701 Lead Implementer
    - CIPP/E - Certified Information Privacy Professional Europe - IAPP
    - CDPSE - Certified Data Privacy Solutions Engineer - ISACA
    - OneTrust Certified Privacy Professional
    - PMP, PRINCE2, MoP, Managing Benefits
  • 12. GDPR and ISO 27701 Overlap
  • 13. ISO 27701 Mapping to GDPR
  • 14. ISO 27701 Mapping to GDPR – Major Areas Data Protection Officer • ISO 27701: Cl. 6.3 • Appoint person responsible for developing, maintaining and monitoring privacy program. Responsibilities: be independent reporting directly to management be involved in the management of all issues be expert in data protection legislations act as contact point for supervisory authorities inform top management obligations w.r.t. the processing of PII provide advice in respect of privacy impact assessment GDPR Article 37 -39 A data protection officer must be formally identified monitoring large-scale processing of sensitive personal information. to inform and advise the controller or the processor and the employees who carry out processing of their obligations to monitor compliance with this Regulation in relation to the protection of personal data, including awareness-raising to provide advice where requested as regards the data protection impact assessment to cooperate with the supervisory authority; to act as the contact point for the supervisory authority
  • 15. ISO 27701 Mapping to GDPR – Major Areas: Privacy Impact Assessment
    ISO 27701, Cl. 7.2.5, Privacy Impact Assessment (PIA): The organization should assess the need for, and implement where appropriate, a privacy impact assessment whenever new processing of PII or a change to existing processing of PII is planned. This includes the types of PII processed, where the PII is stored, and where it can be transferred. A DFD and a data map can be helpful.
    GDPR, Article 35, Data Protection Impact Assessment (DPIA): Where the company implements new technologies which will or could result in a high risk to the rights and freedoms of individuals, the company has to carry out a DPIA. This will contain: a systematic description of the processing; a risk assessment. The controller shall carry out a review.
  • 16. ISO 27701 Mapping to GDPR – Major Areas: Privacy by Design & Default
    ISO 27701, Cl. 6.11.2.1 & 7.4. Cl. 6.11.2.1, Secure Development Policy: PII protection / privacy principles (ISO 29100) / PII protection checkpoint / by default minimize processing of PII. Cl. 7.4, Privacy by Design / Default: limit collection (disabling options by default); limit processing (disable disclosure, storage and access); accuracy and quality; PII minimization; de-identification / deletion after processing; temp files / retention / disposal / transmission.
    GDPR, Article 25: At the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation and data minimisation. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed; this applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
    FYI: Executive Order 14028 of the US President, May 17 2021 - Zero Trust Architecture.
  • 17. ISO 27701 Mapping to GDPR – Major Areas: Breach Notification
    ISO 27701, Cl. 6.13.1.5: Records should be maintained for regulatory and forensic purposes: description, time period, consequences, reporter, to whom reported, steps taken to resolve, loss / disclosure or alteration of PII. In some jurisdictions, applicable legislation and/or regulations require notifying the appropriate regulatory authorities.
    GDPR, Articles 33 & 34: Does the company have procedures in place to enable it to report a breach to the regulator within 72 hours of becoming aware of it? The breach must be investigated and details provided to the regulator about the nature of the breach, its likely consequences and the mitigations being taken to address it. This investigation may require assistance from processors, so operational processes should factor this in. The controller shall provide: the responsibilities of controller and processor; the contact details of the DPO; the DPIA.
  • 18. ISO 27701 Mapping to GDPR – Major Areas: Lawful Basis
    ISO 27701, Cl. 7.2.2: The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purpose. Legal bases: consent from PII principals; performance of a contract; compliance with a legal obligation; protection of the vital interests of PII principals; public interest; legitimate interest of the PII controller.
    GDPR, Article 6: the data subject has given consent; performance of a contract; processing required for a legal obligation; processing required to protect the vital interests of the data subject; processing required for the public interest; processing required for the legitimate interests of the controller.
  • 19. ISO 27701 Mapping to GDPR – Major Areas: International Transfer
    ISO 27701, Cl. 7.5.2, PII Transfer: The organization should specify and document the countries and international organizations to which PII can possibly be transferred.
    GDPR, Chapter V, Articles 44-48: (a) a country which ensures an adequate level of protection; (b) transfers subject to appropriate safeguards; (c) if it is within the company group, are Binding Corporate Rules in place? (d) standard contractual clauses as approved by the European Commission. Other possibilities: (a) with the consent of the data subject; (b) the transfer is necessary to carry out a contract with the data subject; (c) the transfer is in the public interest; (d) the transfer is necessary to establish, exercise or defend legal rights; (e) the transfer is necessary to protect the vital interests of a person where the data subject is physically or legally incapable of giving consent.
    Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
  • 20. ISO 27701 Mapping to GDPR – Major Areas: Policies & Procedures
    ISO 27701: Secure Development Policy (Privacy by Design / Privacy by Default); Secure System Engineering Principles (Privacy by Design / Privacy by Default); Data Retention Policy (PII); PII Compliance Policy; Guidelines for PII Sharing, Transfer and Disclosure; DPIA Procedure; Consent Procedure; Security Incident Response Procedure (PII breach).
    GDPR: General Data Protection Policy; Data Subject Access Rights Procedure; Data Retention Policy; Data Breach Escalation and Checklist; Employee Privacy Policy and Notice; Processing Customer Data Policy; Guidance on Privacy Notices.
  • 22. Some Interesting Concepts (ISO 27701 / GDPR): Anonymization vs Pseudonymization; Data Controller vs Data Processor; Data Subject Access Request (DSAR); "Don't Sell My Information" on the website (a requirement of the CCPA); Backup Policy for PII; erasing temp files; shall not re-issue deactivated or expired user IDs; Supervisory Authority of member countries.
  • 23. What is the relationship between Privacy and Electronic Communications Regulations (PECR) and the GDPR?
  • 24. What is the relationship between the Privacy and Electronic Communications Regulations (PECR) and the GDPR? INTERLINKED
    • PECR sits alongside data privacy legislation, including the GDPR, and provides specific rules in relation to privacy and electronic communications.
    • Direct marketing is invariably and consistently where companies fail to take a joined-up approach, failing to recognise that: privacy legislation and marketing should COMPLEMENT rather than COMPETE; you may comply with PECR but fail to comply with privacy law, and vice versa.
  • 25. What is the relationship between the Privacy and Electronic Communications Regulations (PECR) and the GDPR? DIFFERENCE
    • The key difference is that the GDPR relates to the processing of personal data, whereas PECR relate specifically to electronic marketing and have specific rules on: marketing calls, emails, texts and faxes; cookies.
    • PECR comes first, but you MUST adhere to the GDPR and other global privacy requirements when processing personal data.
    • The rules for B2B are different to those for B2C, and this is where the majority of the conflict and enforcement activity by regulators occurs.
  • 26. Electronic Communications: What are they? (Silence)
    • PECR do not define 'electronic communications'.
    • The rules apply in different ways, using specific concepts and definitions.
    • The marketing rules apply to specified types of marketing messages, and some other rules apply to service providers or communications providers.
    • The basic concept of an electronic communication underpins the regulations. Put simply, electronic communications mean any information sent between particular parties over a phone line or internet connection. This includes phone calls, faxes, text messages, video messages, emails and internet messaging. It does not include generally available information such as the content of web pages or broadcast programming.
  • 27. Similarities between the GDPR and the PECR. Key requirements in relation to marketing are:
    • Ensuring there is a lawful basis for both direct marketing and using analytical cookies;
    • Having an appropriate opt-out: the unsubscribe;
    • Having an appropriate privacy notice: the preferences.
  • 28. Comply with this and you are usually OK, but...
  • 29. Lawful Processing ... the foundations of the data protection regime. All processing of personal data must:
    • Be carried out according to specific principles (the "HOW") (Art. 5.1)
    • Be documented (Art. 5.2)
    • And have one or more lawful grounds (the "WHY") (Arts. 6 & 9)
  • 30. To comply with Arts. 5, 6 and 32 GDPR you MUST have this.
  • 31. Article 6(1)(a) Consent v Article 6(1)(f) Legitimate Interest. Why does it happen?
    June 2021, UK Regulator: We have fined Papa John's (GB) Limited £10,000 for sending nuisance texts and emails to customers. Papa John's relied on the 'soft opt in' exemption for marketing consent. However, we found that customers who had placed a telephone order were not provided with a privacy notice at point of contact nor given the option to opt out. The 'soft opt in' exemption allows organisations to send electronic marketing messages to customers whose details have been obtained for similar services. However, you: ✅ Must give customers a clear chance to opt out – both when you first collect their details, and in every message you send. ❌ Must not use the soft opt in for prospective customers or new contacts (eg from bought-in lists). ❌ Must not use the soft opt in for non-commercial promotions (eg charity fundraising or political campaigning).
    Consent: Regulation 8(2) of the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 clarifies that, for PECR: "'consent' by a user or subscriber corresponds to the data subject's consent in the GDPR (as defined in section 3(10) of the Data Protection Act 2018)." Recital 32 of the GDPR also specifically bans pre-ticked boxes – silence or inactivity does not constitute consent.
  • 32. The Silence of Regulation: Consent. What does 'consent' mean? PECR requires that users or subscribers consent to cookies being placed or used on their device. There is no definition of consent given in PECR or in the ePrivacy Directive; instead, the GDPR definition of consent applies. This is in Article 4(11) of the GDPR and states: "'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her." PECR: Regulation 8(2) of the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 clarifies that, for PECR: "'consent' by a user or subscriber corresponds to the data subject's consent in the GDPR (as defined in section 3(10) of the Data Protection Act 2018)." Recital 32 of the GDPR also specifically bans pre-ticked boxes – silence or inactivity does not constitute consent.
  • 33. Silence Again • What does ‘clear and comprehensive information’ mean? • PECR does not define what ‘clear and comprehensive information’ means. However, Article 5(3) of the ePrivacy Directive says that clear and comprehensive information should be provided ‘in accordance with’ data protection law. • This relates to the GDPR’s transparency requirements and the right to be informed. It means that when you set cookies you must provide the same kind of information to users and subscribers as you would do when processing their personal data (and, in some cases, your use of cookies will involve the processing of personal data anyway).
  • 34. The Areas the Regulators Look At
    1. The Privacy and Electronic Communications Regulations (PECR) give people specific privacy rights in relation to electronic communications. There are specific rules on: marketing calls, emails, texts and faxes; cookies (and similar technologies); keeping communications services secure; and customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
    4. The 'soft opt-in' exemption provided by Regulation 22(3) PECR means that organisations can send marketing messages by text and e-mail to individuals whose details have been obtained in the course or negotiation of a sale and in respect of similar products and services. The organisation must also give the person a simple opportunity to refuse or opt out of the marketing, both when first collecting the details and in every message after that.
    5. The ICO has the power under PECR to impose a monetary penalty on a data controller of up to £500,000.
  • 35. We Now Have Three Considerations
    PECR: For network and service providers, the GDPR does not apply where the PECR already provide rules. In practice, this means providers need to comply only with the PECR's requirements relating to: security and security breaches; traffic data; location data; itemised billing; and line identification services.
    NIS (a brief mention): While PECR says you don't have to comply with some areas of privacy law, you then have to consider that some service providers, such as Internet service providers, might be obliged to comply with the NIS Regulations (Network and Information Systems Regulations 2018) as well, so they should check their compliance obligations carefully.
  • 36. Incorrect Reconfirmation: the Confusion Goes On and On
    In practice: If you are not sure you meet all conditions for the soft opt-in, obtain consent before sending any marketing communications; consent is always better than the soft opt-in in terms of transparency and accountability. In either case, individuals must be able to easily opt out at any time, and must be informed of that right. You must also clearly state that their data will be used for marketing purposes before you start sending any direct marketing.
    Key compliance points: Marketing for commercial purposes? Market by email and/or text only? Existing commercial relationship? (the person has purchased, or is in the process of purchasing, a product/service) Soft opt-in or consent.
    The mistakes and COVID: "CRM integrations with leading providers, we empower firms to leverage data to create personalised experiences. It also ensures that all data maps back to the CRM in real-time, keeping valuable source data fresh and accurate." Cleansing or reaffirming consent. Bought-in lists or lists scraped from LinkedIn or other social media platforms. The COVID updates from companies: did you know these companies had your data in the first place?
  • 37. COOKIES: TRACKING, THE INTERNET OF THINGS, OR THE INFOCALYPSE
  • 38. The "We Use Cookies" banner: Accept or select Preferences > What do you do?
    What are they: Generally there are two types of cookies: 1. those that make the web page you are visiting work (technical cookies); 2. those that help the marketing, with all the associated data privacy issues of concern. It should be transparent and easily understood.
    Why does it matter: Smartphones are the must-have item. All the apps and web pages on your phone are collecting cookies. The cookies that are valuable are the ones you don't know about: the non-technical or analytical ones. The preferences options are not in plain language and are technical. The retention periods are often set by the software, NOT the business.
  • 39. An Example of the Requirement v the Reality
    ICO Guidance: You must make users aware of the cookies being placed on their devices. Website: No description of what cookies are being placed.
    ICO Guidance: Your methods of providing this information, and the capability for users to refuse, are to be as user-friendly as possible. Website: No mechanism to allow users to refuse.
  • 40. ICO Guidance: The information has to cover: the cookies you intend to use (Website: brief description but no depth); the purposes for which you intend to use them (Website: the description does cover this). These requirements also apply to cookies set by any third parties whose technologies your online service incorporates. This would include cookies, pixels and web beacons, JavaScript and any other means of storing or accessing information on the device, including those from other services such as online advertising networks or social media platforms.
  • 41. Pre-GDPR Law Firm Website
    • Currently has 9 session cookies that are applied to the homepage. The cookies highlighted in red are "non-technical" cookies. The issue is that, unless the cookie is an integral function that needs to be installed for the website to work, consent/transparency is required.
    • There are 14 stored cookies applied. Those in red are "non-technical" cookies which require consent/affirmation.
    • The other issue highlighted is that the cookie we apply to use our website, "cookiepolicy", has its RETENTION date set at 9,999 days (27 years).
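The cookie audit these slides describe (technical vs. non-technical cookies, third-party cookies, retention set by the software rather than the business), as an added example that is not part of the deck or of any tool it names. The site host, the allow-list of technical cookies, the retention cap and the captured Set-Cookie headers are all constructed for illustration.

```python
"""Audit Set-Cookie headers captured on a first visit, before any consent.

Added example (not from the slide deck). SITE_HOST, ESSENTIAL_COOKIES,
MAX_RETENTION_DAYS and the sample headers are constructed/assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

SITE_HOST = "www.example-firm.test"                  # assumption: the audited site
ESSENTIAL_COOKIES = {"JSESSIONID", "cookiepolicy"}   # assumption: its technical cookies
MAX_RETENTION_DAYS = 365                             # assumption: the business's own cap
AUDIT_TIME = datetime(2021, 6, 15, tzinfo=timezone.utc)  # constructed capture time

# Constructed headers, as a browser would receive them on the homepage load.
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=3f9a1c; Path=/; Secure; HttpOnly",
    "cookiepolicy=accepted; Path=/; Max-Age=863913600",   # 9,999 days, like the slide
    "_ga=GA1.2.1234; Domain=.example-firm.test; Path=/; Expires=Thu, 15 Jun 2023 00:00:00 GMT",
    "IDE=trk42; Domain=.adtracker.test; Path=/; Max-Age=31536000; SameSite=None; Secure",
]


@dataclass
class CookieFinding:
    name: str
    domain: str
    retention_days: Optional[int]   # None means a session cookie
    third_party: bool
    essential: bool
    issues: list = field(default_factory=list)


def retention_in_days(attrs: dict, now: datetime) -> Optional[int]:
    """Max-Age takes precedence over Expires (RFC 6265); neither means session."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) // 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).days
    return None


def audit_cookie(header: str, now: datetime = AUDIT_TIME) -> CookieFinding:
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")   # flags like Secure have no value
        attrs[key.strip().lower()] = value.strip()
    domain = attrs.get("domain", SITE_HOST).lstrip(".").lower()
    # First-party if Domain equals the site host or is a parent of it.
    third_party = not (domain == SITE_HOST or SITE_HOST.endswith("." + domain))
    essential = name in ESSENTIAL_COOKIES
    finding = CookieFinding(name, domain, retention_in_days(attrs, now), third_party, essential)
    if not essential:
        finding.issues.append("REQUIRES_CONSENT")     # non-technical: consent needed first
    if third_party:
        finding.issues.append("THIRD_PARTY")          # the guidance covers these too
    if finding.retention_days is not None and finding.retention_days > MAX_RETENTION_DAYS:
        finding.issues.append("RETENTION_EXCEEDS_CAP")
    return finding


def audit_cookies(headers=SAMPLE_SET_COOKIE_HEADERS, now: datetime = AUDIT_TIME):
    return [audit_cookie(h, now) for h in headers]


if __name__ == "__main__":
    for f in audit_cookies():
        days = "session" if f.retention_days is None else f"{f.retention_days} days"
        print(f"{f.name:<13} {f.domain:<20} {days:<11} {', '.join(f.issues) or 'ok'}")
```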
  • 42. Schrems and NOYB Privacy Advocates • Most sites 'do not comply' • To combat this, the group has created an automated system, which it says can find violations and auto-generate a complaint under GDPR. • It claims "most banners do not comply with the requirements of the GDPR". • Fines can be up to €20m (£17.5m) or 4% of a company's global revenue, whichever is higher. • Of the 500 pages in its first batch of complaints, 81% had no "reject" option on the first page, but rather hidden in a sub-page, it said. Another 73% used "deceptive colours and contrasts" to lead users into clicking "accept", and 90% provided no easy way to withdraw consent, it said. • Google fined £91m over ad-tracking cookies • Tech Tent: The end of ad tracking? • Noyb says it is first issuing draft complaints to 10,000 of the most-visited websites across Europe, along with instructions on how to change settings.
  • 43. Website Checkers: Website Evidence Collector. The tool collects evidence of personal data processing, such as cookies or requests to third parties. The collection parameters are configured ahead of the inspection and then collection is carried out automatically. The collected evidence, structured in a human- and machine-readable format (YAML and HTML), allows website controllers, data protection officers and end users to understand better which information is transferred and stored during a visit to a website, i.e. the consecutive loading of a number of web pages without giving consent or logging in. https://edps.europa.eu/edps-inspection-software_en
  • 44. Privacy v PECR: How to check or assist. There are some tools for web page compliance.
  • 45. My thoughts: Together Everyone Achieves More (TEAM) in reducing the harm. ESSENTIALS: THE ISO PRINCIPLES
    • Leadership • Ownership • Understanding • Assisted implementation • Training • Information sharing • Keep it simple. • You cannot succeed by yourself.
  • 46. THANK YOU ? info@crsriskybusiness.co.uk David Parish vincent.bureau@dposolutions.co Vincent Bureau neelov.kar@gmail.com Neelov Kar

Editor's Notes

  1. Recital 91: The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer. In such cases, a data protection impact assessment should not be mandatory.
  2. A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.