Protecting personal data has been an important issue for many years. The EU GDPR extends the data rights of individuals, and requires organizations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organizational measures. UK organizations have had to comply with the Regulation since 25 May 2018, or potentially face fines of up to 4% of annual turnover or €20 million – whichever is greater.
Learning Outcomes:
This 10-webinar series is intended to give a clear understanding of the core elements of the GDPR, with the opportunity to gain a deeper understanding by asking the trainer questions during the training.
It covers how each aspect of the Regulation can be translated into implementation actions in your organization and the auditor’s role.
Webinar 9
• Why and how to conduct a data mapping exercise.
• The rights of data subjects.
• Giving and withdrawing consent.
Implementing and Auditing GDPR Series (9 of 10)
1. Richard Cascarino CISM, CIA, ACFE, CRMA
General Data Protection Regulation (GDPR) Webinar 9: Data Mapping and Data Rights
2. About Jim Kaplan, CIA, CFE
President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)
Auditor, Web Site Guru, Internet for Auditors Pioneer
IIA Bradford Cadmus Memorial Award Recipient
Local Government Auditor’s Lifetime Award
Author of “The Auditor’s Guide to Internet Resources” 2nd Edition
3. ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and features:
• Over 3,100 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Introductions
4. HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive CPE, as the confirmation login is linked to a specific individual.
• This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join link.
• We are recording the webinar and you will be provided access to that recording after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
• If you meet the criteria for earning CPE, you will receive a link via email to download your certificate. The official email for CPE will be issued via cpe@email.cpe.io and it is important to whitelist this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated if you did not receive the first mailing.
• Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
• You must answer the survey questions after the Webinar or before downloading your certificate.
5. IMPORTANT INFORMATION REGARDING CPE!
• ATTENDEES - If you attend the entire Webinar and meet the criteria for CPE you will receive an email with the link to download your CPE certificate. The official email for CPE will be issued via cpe@email.cpe.io and it is important to whitelist this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated after the initial distribution.
• We cannot manually generate a CPE certificate as these are handled by our 3rd party provider. We highly recommend that you work with your IT department to identify and correct any email delivery issues prior to attending the Webinar. Issues would include blocks or spam filters in your email system or a firewall that will redirect or not allow delivery of this email from Gensend.io.
• You must opt in for our mailing list. If you indicate that you do not want to receive our emails, your registration will be cancelled and you will not be able to attend the Webinar.
• We are not responsible for any connection, audio or other computer-related issues. You must have pop-ups enabled on your computer, otherwise you will not be able to answer the polling questions, which occur approximately every 20 minutes. We suggest that if you have any pressing issues to see to, you do so immediately after a polling question.
6. The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® LLC. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet® LLC.
7. ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino & Associates based in Colorado USA
• Over 28 years’ experience in IT audit training and consultancy
• Past President of the Institute of Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified Fraud Examiners
• Author of Data Analytics for Internal Auditors
8. TODAY’S AGENDA
• Ending Privacy Shield
• California Act
• Why and how to conduct a data mapping exercise.
• The rights of data subjects.
• Giving and withdrawing consent.
9. WHAT WAS PRIVACY SHIELD
Framework governing the flow of data between the EU and the US for commercial purposes.
Companies self-certify to the US Department of Commerce.
Adhere to 23 principles laying out the requirements for the use and treatment of personal data received from the EU.
10. WHAT WAS PRIVACY SHIELD
Deemed to provide “adequate” privacy protection to personal data transferred outside of the EU.
Was relied upon by over 5,000 European and US companies to conduct over $7 trillion in commercial transactions.
11. WHAT WAS PRIVACY SHIELD
for its lax handling of personal data of users
Transference of personal data by Facebook Ireland to Facebook Inc. in the USA, on the strength of the Standard Contractual Clauses (SCC), was challenged by Mr. Schrems (Schrems II).
USA allows the unbridled collection of data, deemed inconsistent with the legal framework of the EU.
Privacy Shield removed by EU July 16 2020.
12. PRIVACY SHIELD CANCELLATION
Took immediate effect with no grace period.
Indicated probable greater scrutiny for alternate data transfer mechanisms like standard contractual clauses (SCCs) and binding corporate rules (BCRs).
Currently valid in principle.
Enforceable data subject rights and effective remedies required.
13. PRIVACY SHIELD CANCELLATION
Consideration of local laws governing access by public authorities in the third country required.
Many companies now uncertain over how to conduct business involving transatlantic data transfers.
DPAs must suspend/prohibit transfers if SCCs are not/cannot be complied with and the required level of protection cannot be ensured by other means.
14. STILL UNCERTAIN
When will the Commission release new SCCs?
Will they make any difference?
Would existing adequacy decisions (e.g. Israel, Canada (PIPEDA), etc.) withstand challenge?
Impact of BREXIT?
Can EU-US transfers be based on SCCs?
Can EU-US transfers be based on BCRs?
15. NOW NEEDED
A transfer adequacy assessment must be conducted to determine whether appropriate safeguards can be ensured.
If appropriate safeguards cannot be ensured when transferring the data, companies must suspend or end the transfer.
16. NOW NEEDED
Where transfers are deemed necessary for important reasons of public interest, the EDPB emphasizes the need for an important public interest, as opposed to only focusing on the nature of the transferring organization.
Companies must analyze agreements to identify the range of data privacy and security obligations addressed in the terms.
17. CALIFORNIA LEGISLATION
California Consumer Privacy Act Ma
State statute intended to enhance privacy rights and consumer protection for residents of California.
Took effect on January 1, 2020.
Six statutory rights:
18. STATUTORY RIGHTS
1. To be provided with information on what personal information is collected about them and the purposes for which that personal information is used.
2. To be provided with information on what personal information is sold or disclosed for a business purpose and to whom.
3. To opt out of the sale of their personal information to third parties (or in the case of minors under age 16, to require an opt-in before the sale of their personal information).
4. To request the deletion of their personal information.
5. Not to be subject to discrimination for exercising any of the above rights, including being denied goods or services or being charged a different price, or being subjected to a lower level of quality of such goods or services.
6. To seek statutory damages of $100 to $750 for breaches of unencrypted personal information that arise as a result of a business’ violation of its duty to implement and maintain reasonable security procedures.
19. APPLIES TO
For-profit business entities in CA that:
Have gross revenue of $25 million or more
Receive or share the data of more than 50,000 consumers, households, or devices
Derive more than 50% of revenue from the sale of PHI
Exception for HIPAA, CMIA (California Medical Information Act) and GLBA (Gramm-Leach-Bliley Act) statutes
20. REQUIREMENTS
Businesses are required to post, on their website or by other public means, details of how they are using or not using consumer data for a rolling 12 months, together with opt-out instructions.
Businesses will have to develop processes and procedures to accommodate all consumer rights, including data mapping / access reports.
21. REQUIREMENTS
Requirements for businesses to reasonably safeguard consumer data.
Significant damage implications for businesses if they fail to comply (enforced by the CA AG).
Consumers have a private right of action, but it is limited ($100 to $750 per violation).
Fines for businesses of $7,500 per violation.
22. GDPR AND CCPA
CCPA | GDPR
Broad right of access to personal information (Sec 100, 110, 130) | Article 15 addresses fields, but not timeframe
Right to data portability for access to personal information (Sec 100) | Only applies if access request is responded to electronically; narrower than Article 20
Right to delete personal information (Sec 105) | Very similar to but arguably broader than Article 17, which sets greater limits on its application
Right to receive an accounting of disclosures (“sale” or “for business purposes”) of personal information (Sec 115, 130)* | Closest right under GDPR is right of access under Article 15
Right to object to sale of personal information (Sec 120) | Narrower and more specific than Article 21
Right to opt-in for sale of minors’ personal information or to authorize sale after exercising the right to object (Sec 120) | Narrower and more specific than Article 8
23. DATA MAPPING
GDPR requires organizations to map their data flows to assess privacy risks.
The data flow map forms part of the Article 30 documentation.
It is an essential first step in completing a DPIA (data protection impact assessment).
24. DPIA
Article 35: Data protection impact assessment
Controller must seek the advice of the data
protection officer.
Required in situations involving:
Automated processing
Profiling
Creation of legal effects
Significantly affecting the natural person
Processing of large-scale categories of sensitive data
Data that relates to criminal offences or convictions
Monitoring on a large scale
Conduct a post-implementation review when the risk profile changes
25. DPIA, DPO, PRIVACY BY DESIGN AND DEFAULT
Data Protection Impact Assessment (DPIA):
Is there a high risk for the individual? -> Assessment of risks for individuals -> Identification of the mitigation measures -> If high risk remains, consult the DPA
Data Protection Officer (DPO):
Advises company and its staff on GDPR obligations.
Monitors compliance with GDPR and internal privacy policies (assignment of responsibilities; awareness-raising; trainings; audits).
Provides advice on DPIA and monitors its performance.
Cooperates with DPAs and acts as a contact point (in case of DPA consultation).
26. DATA PROTECTION IMPACT ASSESSMENT PROCESS
1. Description of Envisaged Processing
2. Assessment of Necessity and Proportionality
3. Measures Envisaged to Demonstrate Compliance
4. Assessment of the Risks to Rights and Freedoms
5. Measures Envisaged to Address the Risks
6. Documentation
7. Monitoring & Review
27. DATA MAPPING
The ICO staged approach to an effective DPIA:
1. Required when there is a change in processing of personally identifiable information (PII)
2. Determine the information flows throughout the organization in order to make a proper assessment of the privacy risks
3. Identify the risks related to privacy and processing, including the necessity and proportionality of the change in processing
4. Identify possible privacy solutions to address the risks that have been identified
28. DATA MAPPING
5. Assess how the data protection principles have been applied throughout the organization
6. Sign off and record the DPIA, including details of which privacy solutions are to be implemented
7. Integrate the result of the DPIA back into the project plan
8. Conduct a post-implementation review where the risk profile of PII data has changed
29. INFORMATION FLOW
Walk through the information lifecycle to identify unforeseen or unintended uses of the data.
Ensure the people who will be using the information are consulted on the practical implications.
Consider the potential future uses of the information collected, even if it is not immediately necessary.
30. DETERMINE
Workflow inputs and outputs:
How is personal data collected (e.g. form, online, call center, other)?
Who is accountable for personal data?
What is the location of the systems/filing systems containing the data?
Who has access to the information?
Is the information disclosed/shared with anyone (e.g. suppliers, third parties)?
Does the system interface with, or transfer information to, other systems?
32. RIGHTS OF DATA SUBJECTS
Four basic rights:
Subject's right of access to information.
Right of correction, technically known as the right to rectification.
Right to be forgotten (erasure).
Rights in the scope of consent (if that's the legal ground for processing).
33. INDIVIDUAL’S RIGHTS
Existing rights:
1. Notice right (transparency requirement).
2. Right of access.
3. Right to rectification.
4. Right to restriction.
5. Right to object.
6. Right to erasure (“right to be forgotten”).
7. Right not to be subject to automated decision-making.
34. ENHANCED PERSONAL PRIVACY RIGHTS
The General Data Protection Regulation (GDPR) imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where they are located.
Right to data portability
Data breach notification requirements.
35. ENHANCED PERSONAL PRIVACY
RIGHTS
Right to be informed
Right to erasure
Right to data portability
Right to restriction
Right to rectification
Right of access
Including additional processing details
Right to object
Right to prevent automated processing, including
profiling
36. SECURITY AND DATA BREACH NOTIFICATIONS
Processor -> Controller: notification of data breach
Controller -> DPA: notification of data breach within 72hrs
Controller -> Data subjects: notification of data breach without undue delay if “high risk”
37. SUBJECT ACCESS REQUESTS
Under Data Protection, a person has always had the right to request access to all of the information held about them.
This is called a Subject Access Request (SAR).
Subject Access Requests must be completed within one month, free of charge.
Holding an accurate inventory of information will be a key enabler for completing SARs efficiently.
Data has to be provided in a standard format.
The person must also be informed of further information, including the relevant Retention Periods for the data held and their right to have inaccuracies corrected.
38. DATA SUBJECT ACCESS REQUEST
By submitting a DSAR (data subject access request) to an organization, individuals are entitled to receive:
Confirmation that their personal information is being processed;
Access to that information;
The organization’s lawful basis for processing;
The names or categories of any third parties that the information has been shared with;
The estimated period for which the personal data will be stored (or, if this hasn’t yet been decided, the criteria used to determine that period);
Any relevant information about how the personal data was obtained; and
Information about automated decision-making, including profiling, and the reasoning for and potential consequences of the automation.
39. HANDLING ACCESS RIGHT REQUESTS
AKA: Verifiable Consumer Requests
Verify and Authenticate all Requestors’ Identities
Collect, Manage and Review Internal Data to Fulfill Subject Access Requests
Track, Review and Approve Subject Access Request Forms
Ticket and Assign Subject Access Requests
Encrypt and Securely Deliver Information
40. ACCESS REQUEST
CHALLENGES
Compliance with applicable laws/regulations
Intake and log requests by type (i.e., access, deletion, etc.)
Verify identity of individual requestors
Assess which requests must be responded to
Identify requestors’ data within company systems
Effectively collaborate with stakeholders to respond to requests
Track requests to ensure timeframes met
Communicate resolution of requests to individuals
Automate processes to ensure accuracy and timeliness
Maintain an audit trail to demonstrate compliance
Report on processes and outcomes
41. LAWFUL BASIS FOR PROCESSING: CONSENT
Consent must be freely given, specific, informed and unambiguous
Consent is revocable at any time (but not retroactively!)
Cannot be combined with another basis for processing
Minors (<16; member countries may set lower limit) cannot consent
Processor/Controller must be able to demonstrate consent was obtained
Official guidance on consent can be found at:
http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051
42. GIVING AND WITHDRAWING CONSENT
Consent requires clear affirmative action:
“Consent should be given by a clear affirmative act… such as by a written statement, including by electronic means, or an oral statement.”
Under the GDPR you may share information without consent if, in your judgement, there is a lawful reason to do so, such as where safety may be at risk.
43. WITHDRAWAL
Article 7(3) of the GDPR prescribes that the controller must ensure that consent can be withdrawn by the data subject as easily as giving consent, and at any given time.
The GDPR does not say that giving and withdrawing consent must always be done through the same action.
When consent is obtained via electronic means through only one mouse-click, swipe, or keystroke, data subjects must, in practice, be able to withdraw that consent equally easily.
Withdrawal of consent must be possible free of charge and without lowering service levels.
44. WHEN WITHDRAWN
All data processing operations that were based on consent and took place before the withdrawal of consent - and in accordance with the GDPR - remain lawful; however, the controller must stop the processing actions concerned.
Controllers have an obligation to delete data that was processed on the basis of consent once that consent is withdrawn.
Withdrawal of consent does not mean a controller must erase data that are processed for a purpose that is based on the performance of the contract with the data subject.
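The DSAR contents on slide 38 and the consent-withdrawal rules on slide 44, expressed as code over a small Article 30-style data map. This is an added example, not part of the webinar material; the ProcessingInventory class, its field names and the sample purposes are assumptions, and only the consent and contract lawful bases are modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Activity:              # one processing purpose as listed in the Article 30 record
    purpose: str
    lawful_basis: str        # "consent" or "contract" (other bases omitted here)
    recipients: tuple        # third parties the data is shared with
    retention_days: int      # estimated storage period
    source: str              # how the personal data was obtained
    automated_decision: str = ""   # profiling / automated decision, if any

@dataclass
class Record:                # one piece of personal data held for one purpose
    subject_id: str
    purpose: str
    data: dict

class ProcessingInventory:
    def __init__(self, activities):
        self.acts = {a.purpose: a for a in activities}
        self.records = []
        self.consent = set()    # active (subject_id, purpose) pairs

    def give_consent(self, subject_id, purpose):
        self.consent.add((subject_id, purpose))

    def store(self, rec):
        # Consent-based purposes may only be processed while consent is active
        if self.acts[rec.purpose].lawful_basis == "consent" and (rec.subject_id, rec.purpose) not in self.consent:
            raise PermissionError("no active consent for purpose " + rec.purpose)
        self.records.append(rec)

    def dsar(self, subject_id):
        """Assemble the elements a data subject is entitled to receive."""
        mine = [r for r in self.records if r.subject_id == subject_id]
        used = {r.purpose: self.acts[r.purpose] for r in mine}
        return {
            "processed": bool(mine),                      # confirmation of processing
            "data": {r.purpose: r.data for r in mine},    # access to the information itself
            "lawful_basis": {p: a.lawful_basis for p, a in used.items()},
            "recipients": sorted({x for a in used.values() for x in a.recipients}),
            "retention_days": {p: a.retention_days for p, a in used.items()},
            "source": {p: a.source for p, a in used.items()},
            "automated_decision": {p: a.automated_decision for p, a in used.items() if a.automated_decision},
        }

    def withdraw_consent(self, subject_id, purpose):
        """Stop consent-based processing and erase only data held under consent; returns count erased."""
        self.consent.discard((subject_id, purpose))
        if self.acts[purpose].lawful_basis != "consent":
            return 0                                      # contract-based data is kept
        keep = [r for r in self.records if not (r.subject_id == subject_id and r.purpose == purpose)]
        self.records, erased = keep, len(self.records) - len(keep)
        return erased

def demo():   # constructed sample: one contract-based purpose, one consent-based purpose
    inv = ProcessingInventory([
        Activity("order_fulfilment", "contract", ("courier",), 6 * 365, "customer order form"),
        Activity("marketing", "consent", ("ad_platform",), 2 * 365, "newsletter sign-up", "engagement scoring"),
    ])
    inv.store(Record("subject-1", "order_fulfilment", {"address": "1 Example St"}))
    inv.give_consent("subject-1", "marketing")
    inv.store(Record("subject-1", "marketing", {"email": "s1@example.invalid"}))
    erased = inv.withdraw_consent("subject-1", "marketing")   # erases the marketing record only
    return inv, erased
```

After the withdrawal, inv.dsar("subject-1") reports only the contract-based purpose, and a further store() for marketing is refused until consent is given again.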
46. AUDITNET® AND CRISK ACADEMY
• If you would like forever access to this webinar recording
• If you are watching the recording, and would like to obtain CPE credit for this webinar
• Previous AuditNet® webinars are also available on-demand for CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a discount on this webinar for one week
47. THANK YOU!
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email:info@auditnet.org
www.auditnet.org
Follow Me on Twitter for Special Offers - @auditnet
Join my LinkedIn Group –
https://www.linkedin.com/groups/44252/
Like my Facebook business page
https://www.facebook.com/pg/AuditNetLLC
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino