Richard Cascarino CISM, CIA, ACFE, CRMA
General Data Protection Regulation (GDPR) Webinar 9
Data Mapping and Data Rights
About Jim Kaplan, CIA, CFE
 President and Founder of AuditNet®,
the global resource for auditors
(available on iOS, Android and
Windows devices)
 Auditor, Web Site Guru,
 Internet for Auditors Pioneer
 IIA Bradford Cadmus Memorial Award
Recipient
 Local Government Auditor’s Lifetime
Award
 Author of “The Auditor’s Guide to
Internet Resources” 2nd Edition
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit
community as the primary resource for Web-based auditing content. As the first online
audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the
use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and
features:
• Over 3,100 Reusable Templates, Audit Programs, Questionnaires, and
Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit
with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit
technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Introductions
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners.
Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive
CPE as the confirmation login is linked to a specific individual
• This Webinar is not eligible for viewing in a group setting. You must be logged in with
your unique join link.
• We are recording the webinar and you will be provided access to that recording after
the webinar. Downloading or otherwise duplicating the webinar recording is expressly
prohibited.
• If you meet the criteria for earning CPE, you will receive a link via email to download
your certificate. The official email for CPE will be issued via cpe@email.cpe.io and it is
important to white list this address. It is from this email that your CPE credit will be sent.
There may be a processing fee to have your CPE credit regenerated if you did not
receive the first mailing.
• Submit questions via the chat box on your screen and we will answer them either during
or at the conclusion.
• You must answer the survey questions after the Webinar or before downloading your
certificate.
IMPORTANT INFORMATION
REGARDING CPE!
• ATTENDEES - If you attend the entire Webinar and meet the criteria for CPE you will receive
an email with the link to download your CPE certificate. The official email for CPE will be
issued via cpe@email.cpe.io and it is important to white list this address. It is from this email
that your CPE credit will be sent. There may be a processing fee to have your CPE credit
regenerated after the initial distribution.
• We cannot manually generate a CPE certificate as these are handled by our 3rd party provider.
We highly recommend that you work with your IT department to identify and correct any email
delivery issues prior to attending the Webinar. Issues would include blocks or spam filters in
your email system or a firewall that will redirect or not allow delivery of this email from
Gensend.io
• You must opt-in for our mailing list. If you indicate, you do not want to receive our emails
your registration will be cancelled, and you will not be able to attend the Webinar.
• We are not responsible for any connection, audio or other computer related issues. You must
have pop-ups enabled on your computer, otherwise you will not be able to answer the polling
questions, which occur approximately every 20 minutes. We suggest that if you have any
pressing issues to see to, you do so immediately after a polling question.
The views expressed by the presenters do not necessarily represent the views,
positions, or opinions of AuditNet® LLC. These materials, and the oral presentation
accompanying them, are for educational purposes only and do not constitute
accounting or legal advice or create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and complete,
AuditNet® makes no representations, guarantees, or warranties as to the accuracy or
completeness of the information provided via this presentation. AuditNet® specifically
disclaims all liability for any claims or damages that may result from the information
contained in this presentation, including any websites maintained by third parties and
linked to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply
recommendation or endorsement by AuditNet® LLC
ABOUT RICHARD CASCARINO,
MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino &
Associates based in Colorado USA
• Over 28 years' experience in IT audit
training and consultancy
• Past President of the Institute of
Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified
Fraud Examiners
• Author of Data Analytics for Internal
Auditors
TODAY’S AGENDA
• Ending Privacy Shield
• California Act
• Why and how to conduct a data mapping exercise.
• The rights of data subjects.
• Giving and withdrawing consent.
WHAT WAS PRIVACY SHIELD
 Framework governing the flow of data
between the EU and the US for
commercial purposes.
 Companies self-certify to the US
Department of Commerce.
 Adhere to 23 principles laying out the
requirements for the use and treatment of
personal data received from the EU
WHAT WAS PRIVACY SHIELD
 Deemed to provide “adequate” privacy
protection to personal data transferred
outside of EU.
 Was relied upon by over 5,000 European
and US companies to conduct over $7
trillion in commercial transactions
WHAT WAS PRIVACY SHIELD
 Complaint brought against Facebook for its lax
handling of users' personal data
 Transfer of personal data by Facebook Ireland
to Facebook Inc. in the USA, on the strength of
the Standard Contractual Clauses (SCCs), was
challenged by Mr. Schrems (Schrems II)
 US law allows collection of personal data by
public authorities on a scale the Court found
inconsistent with the legal framework of the EU
 Privacy Shield invalidated by the Court of
Justice of the EU (CJEU) on July 16, 2020
PRIVACY SHIELD CANCELLATION
 Took immediate effect with no grace period
 Indicated probable greater scrutiny for
alternate data transfer mechanisms like
standard contractual clauses (SCCs) and
binding corporate rules (BCRs)
 SCCs remain valid in principle
 Enforceable data subject rights and
effective remedies in the destination country
are required
PRIVACY SHIELD CANCELLATION
 Consideration of local laws governing
access by public authorities in third country
required
 Many companies now uncertain over how
to conduct business involving transatlantic
data transfers
 DPAs must suspend/prohibit transfers if
SCCs are not/cannot be complied with and
required level of protection cannot be
ensured by other means
STILL UNCERTAIN
 When will Commission release new SCCs?
Will they make any difference?
 Would existing adequacy decisions (e.g.
Israel, Canada (PIPEDA), etc.) withstand
challenge?
 Impact of BREXIT?
 Can EU-US transfers be based on SCCs?
 Can EU-US transfers be based on BCRs?
NOW NEEDED
 Transfer adequacy assessment must be
conducted to determine whether
appropriate safeguards can be ensured,
 If appropriate safeguards cannot be
ensured when transferring the data,
companies must suspend or end the
transfer
NOW NEEDED
 Where transfers are deemed necessary for
important reasons of public interest, the
EDPB emphasizes the need for an
important public interest, as opposed to
only focusing on the nature of the
transferring organization
 Companies must analyze agreements to
identify the range of data privacy and
security obligations addressed in the terms
CALIFORNIA LEGISLATION
 California Consumer Privacy Act (CCPA)
 State statute intended to enhance privacy
rights and consumer protection for residents
of California
 Took effect on January 1, 2020
Six statutory rights:
STATUTORY RIGHTS
1.To be provided with information on what personal information is
collected about them and the purposes for which that personal
information is used.
2. To be provided with information on what personal information is sold or
disclosed for a business purpose and to whom.
3. To opt out of the sale of their personal information to third parties (or in
the case of minors under age 16, to require an opt in before the sale of
their personal information).
4. To request the deletion of their personal information.
5. Not to be subject to discrimination for exercising any of the above
rights, including being denied goods or services or being charged a
different price, or being subjected to a lower level of quality, of such
goods or services.
6. To seek statutory damages of $100 to $750 for breaches of
unencrypted personal information that arise as a result of a business’
violation of its duty to implement and maintain reasonable
security procedures.
APPLIES TO
 For-profit business entities doing business in
California that meet any one of:
 Annual gross revenue of $25 million or more
 Buy, receive, sell or share the personal
information of 50,000 or more consumers,
households or devices
 Derive 50% or more of annual revenue from
selling consumers' personal information
Exceptions for data already covered by HIPAA, the
CMIA (California Confidentiality of Medical
Information Act) and the GLBA (Gramm-Leach-Bliley
Act)
REQUIREMENTS
 Businesses are required to post on their website, or
by other public means, how they have used (or not
used) consumer data over the rolling prior 12 months,
together with opt-out instructions
 Businesses will have to develop processes and
procedures to accommodate all consumer rights,
including data mapping and access reports
REQUIREMENTS
 Requirement for businesses to reasonably
safeguard consumer data
 Significant damages exposure for businesses that
fail to comply (enforced by the California Attorney
General)
 Consumers have a private right of action, but it is
limited to data breaches ($100 to $750 per consumer
per incident, or actual damages if greater)
 Civil penalties of up to $2,500 per violation, or
$7,500 per intentional violation
GDPR AND CCPA
CCPA: Broad right of access to personal information (Sec 100, 110, 130)
GDPR: Article 15 addresses fields, but not timeframe

CCPA: Right to data portability for access to personal information (Sec 100)
GDPR: Only applies if the access request is responded to electronically; narrower than Article 20

CCPA: Right to delete personal information (Sec 105)
GDPR: Very similar to but arguably broader than Article 17, which sets greater limits on its application

CCPA: Right to receive an accounting of disclosures ("sale" or "for business purposes") of personal information (Sec 115, 130)*
GDPR: Closest right under GDPR is the right of access under Article 15

CCPA: Right to object to sale of personal information (Sec 120)
GDPR: Narrower and more specific than Article 21

CCPA: Right to opt-in for sale of minors' personal information, or to authorize sale after exercising the right to object (Sec 120)
GDPR: Narrower and more specific than Article 8
DATA MAPPING
 GDPR effectively requires organizations to map their
data flows in order to assess privacy risks
 The data flow map underpins the Article 30 records
of processing activities
 It is an essential first step in completing a DPIA (data
protection impact assessment)
DPIA
Article 35: Data protection impact assessment
 Controller must seek the advice of the data
protection officer (where one has been designated).
 Required where processing is likely to result in a
high risk, in particular:
 Systematic and extensive evaluation based on automated
processing, including profiling, that produces legal effects
or similarly significantly affects the natural person
 Large-scale processing of special categories of data, or of
data relating to criminal convictions and offences
 Systematic monitoring of a publicly accessible area on a
large scale
 Conduct a post-implementation review when the risk
profile changes (Article 35(11))
DPIA,DPO, PRIVACY BY DESIGN
AND DEFAULT
 Data Protection Impact Assessment (DPIA)
Is there a high risk for the individual? → Assessment of
risks for individuals → Identification of the mitigation
measures → If a high risk remains, consult the DPA
 Data Protection Officer (DPO)
 Advises company and its staff on GDPR obligations.
 Monitors compliance with GDPR and internal privacy policies (assignment of
responsibilities; awareness-raising; trainings; audits).
 Provides advice on DPIA and monitors its performance.
 Cooperates with DPAs and acts as a contact point (in case of DPA
consultation).
DATA PROTECTION IMPACT
ASSESSMENT PROCESS
1. Description of envisaged processing
2. Assessment of necessity and proportionality
3. Measures envisaged to demonstrate compliance
4. Assessment of the risks to rights and freedoms
5. Measures envisaged to address the risks
6. Documentation
7. Monitoring and review
DATA MAPPING
 The ICO staged approach to an effective
DPIA:
1.Required when there is a change in processing
of personally identifiable information (PII)
2.Determine the information flows throughout the
organization in order to make a proper
assessment of the privacy risks
3.Identify the risks related to privacy and
processing, including the necessity and
proportionality of the change in processing
4.Identify possible privacy solutions to address the
risks that have been identified
DATA MAPPING
5. Assess how the data protection principles have
been applied throughout the organization
6. Sign off and record the DPIA, including details of
which privacy solutions are to be implemented
7. Integrate the result of the DPIA back into the
project plan
8. Conduct a post-implementation review where the
risk profile of the PII has changed
INFORMATION FLOW
 Walk through the information lifecycle to
identify unforeseen or unintended uses of the
data
 Ensure the people who will be using the
information are consulted on the practical
implications
 Consider the potential future uses of the
information collected, even if it is not
immediately necessary
DETERMINE
 Workflow inputs and outputs:
 How is personal data collected (e.g. form, online, call
center, other)?
 Who is accountable for personal data?
 What is the location of the systems/filing systems
containing the data?
 Who has access to the information?
 Is the information disclosed/shared with anyone (e.g
suppliers, third parties)?
 Does the system interface with, or transfer information to,
other systems?
HOW?
 Inspect existing documents
 Facilitation workshops
 Questionnaires
 Observation
 Whiteboard –freeform diagrams
 Template drawings (Visio, mind map tools)
 Post-it notes
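The DETERMINE and HOW? slides above describe what a data-mapping exercise collects (collection channel, accountable owner, system location, access, recipients, onward transfers) but not what you do with the answers. The following is an added example, not part of the webinar material, of how an auditor might hold a data map in code and derive from it the Article 30 register fields, the transfer findings the Privacy Shield slides call for (invalid Privacy Shield reliance, SCC/BCR transfers needing an adequacy assessment, transfers with no mechanism at all) and the Article 35 DPIA triggers. The EEA and adequacy-decision country lists are an illustrative snapshot and must be checked against the Commission's current list; the sample flows are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Illustrative snapshot (assumption for this example): EEA members and countries
# with a Commission adequacy decision. Verify against the Commission's current list.
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
       "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
       "IS", "LI", "NO"}
ADEQUATE = {"AD", "AR", "CA", "FO", "GG", "IL", "IM", "JP", "JE", "NZ", "CH", "UY"}
# Article 9 special categories plus Article 10 criminal-offence data.
SPECIAL_CATEGORIES = {"health", "biometric", "genetic", "ethnicity", "religion",
                      "politics", "sexual_orientation", "criminal"}
VALID_TRANSFER_TOOLS = {"SCC", "BCR"}


@dataclass
class Recipient:
    name: str
    country: str                 # ISO 3166-1 alpha-2 of where the recipient processes the data
    safeguard: str | None = None  # "SCC", "BCR", "Privacy Shield" (no longer valid) or None


@dataclass
class DataFlow:
    """One row of the data map, mirroring the questions on the DETERMINE slide."""
    name: str
    collected_via: str           # form, online, call center, ...
    owner: str                   # who is accountable for the personal data
    system_country: str          # where the system / filing system is located
    categories: set[str]
    access: set[str]             # roles with access; "*" means unrestricted
    recipients: list[Recipient] = field(default_factory=list)
    large_scale: bool = False
    profiling: bool = False


def transfer_findings(flow: DataFlow) -> list[str]:
    """Findings about data leaving the EEA, per the post-Schrems II position."""
    findings = []
    if flow.system_country not in EEA | ADEQUATE:
        findings.append(f"hosted in {flow.system_country}: storage outside the EEA is itself a transfer")
    for r in flow.recipients:
        if r.country in EEA or r.country in ADEQUATE:
            continue  # no transfer mechanism needed
        if r.safeguard == "Privacy Shield":
            findings.append(f"{r.name}: Privacy Shield was invalidated by the CJEU on 16 July 2020 "
                            "(Schrems II); the transfer needs a new basis or must stop")
        elif r.safeguard in VALID_TRANSFER_TOOLS:
            findings.append(f"{r.name}: {r.safeguard} to {r.country}; transfer adequacy assessment "
                            "required (public-authority access laws, supplementary measures)")
        else:
            findings.append(f"{r.name}: no transfer mechanism for {r.country}; suspend or end the transfer")
    return findings


def dpia_triggers(flow: DataFlow) -> list[str]:
    """Article 35 situations that make a DPIA mandatory for this flow."""
    triggers = []
    if flow.profiling:
        triggers.append("profiling / automated decision-making")
    if flow.large_scale and flow.categories & SPECIAL_CATEGORIES:
        triggers.append("large-scale processing of special categories or criminal-offence data")
    return triggers


def review_flow(flow: DataFlow) -> list[str]:
    """All findings for one flow, in a stable order: governance, transfers, DPIA."""
    findings = []
    if not flow.owner:
        findings.append("no accountable owner recorded")
    if not flow.access or "*" in flow.access:
        findings.append("access not restricted to named roles")
    findings += transfer_findings(flow)
    findings += [f"DPIA required: {t}" for t in dpia_triggers(flow)]
    return findings


def register_entry(flow: DataFlow) -> dict:
    """Article 30-style record derived from the map entry."""
    return {
        "processing": flow.name,
        "owner": flow.owner,
        "collected_via": flow.collected_via,
        "categories": sorted(flow.categories),
        "recipients": [r.name for r in flow.recipients],
        "third_countries": sorted({r.country for r in flow.recipients if r.country not in EEA}),
    }


# Constructed sample flows for the example (not real systems).
SAMPLE_FLOWS = [
    DataFlow("Payroll", "HR onboarding form", "HR director", "DE",
             {"name", "bank_account", "salary"}, {"hr", "payroll"},
             [Recipient("US payroll SaaS", "US", "Privacy Shield")]),
    DataFlow("Marketing analytics", "website cookies", "CMO", "IE",
             {"email", "browsing_history"}, {"*"},
             [Recipient("Ad platform", "US", "SCC")], profiling=True),
    DataFlow("Clinical study", "patient intake", "Research lead", "NL",
             {"health", "name"}, {"research"},
             [Recipient("Canadian partner", "CA")], large_scale=True),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(register_entry(flow))
        for finding in review_flow(flow):
            print("  -", finding)
```

Running the block prints the register entry for each flow followed by its findings; the payroll flow is flagged only for its Privacy Shield reliance, the marketing flow for unrestricted access, an SCC transfer needing assessment and a profiling DPIA, and the clinical study for a DPIA but no transfer finding, since Canada holds an adequacy decision.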
RIGHTS OF DATA SUBJECTS
 Four basic rights:
 Subject's right to access to information.
 Right of correction, technically known as the
right to rectification
 Right to be forgotten (erasure)
 Rights in the scope of consent (if that's the
legal ground for processing)
INDIVIDUAL’S RIGHTS
 Existing rights:
1. Notice right (transparency requirement).
2. Right of access.
3. Right to rectification.
4. Right to restriction.
5. Right to object.
6. Right to erasure (“right to be forgotten”).
7. Right not to be subject to automated decision-making.
ENHANCED PERSONAL PRIVACY
RIGHTS
The General Data Protection Regulation (GDPR)
imposes new rules on organizations that offer goods
and services to people in the European Union (EU),
or that collect and analyze data tied to EU residents,
no matter where they are located, including:
 Right to data portability
 Data breach notification requirements
ENHANCED PERSONAL PRIVACY
RIGHTS
Right to be informed
Right to erasure
Right to data portability
Right to restriction
Right to rectification
Right of access
 Including additional processing details
Right to object
Right to prevent automated processing, including
profiling
SECURITY AND DATA BREACH
NOTIFICATIONS
 Processor → Controller: notification of data breach without undue delay
 Controller → DPA: notification of data breach within 72 hrs of becoming aware
 Controller → Data subjects: notification without undue delay if the breach is likely to result in a "high risk"
SUBJECT ACCESS
REQUESTS
Under data protection law a person has always had the
right to request access to the information held about
them
This is called a Subject Access Request (SAR)
Subject Access Requests must be completed within
one month, free of charge (the period may be extended
by two further months where requests are complex or
numerous)
Holding an accurate inventory of information is a key
enabler for completing SARs efficiently
Where the request is made electronically, the data has
to be provided in a commonly used electronic format
The person must also be informed of further
information, including the relevant retention periods
for the data held and their right to have inaccuracies
corrected
DATA SUBJECT ACCESS
REQUEST
 By submitting a DSAR (data subject access request) to an organization,
individuals are entitled to receive:
 Confirmation that their personal information is being processed;
 Access to that information;
 The organization’s lawful basis for processing;
 The names or categories of any third parties that the information has
been shared with;
 The estimated period for which the personal data will be stored (or, if
this hasn’t yet been decided, the criteria used to determine that
period);
 Any relevant information about how the personal data was obtained;
and
 Information about automated decision-making, including profiling,
and the reasoning for and potential consequences of the automation.
HANDLING ACCESS RIGHT
REQUESTS
AKA:
Verifiable Consumer Requests
Verify and Authenticate all Requestors Identities
Collect, Manage and Review Internal Data to Fulfill
Subject Access Requests
Track, Review and Approve Subject Access Request
Forms
Ticket and Assign Subject Access Requests
Encrypt and Securely Deliver Information
ACCESS REQUEST
CHALLENGES
 Compliance with applicable laws/regulations
 Intake and log requests by type (i.e., access, deletion, etc.)
 Verify identity of individual requestors
 Assess which requests must be responded to
 Identify requestors’ data within company systems
 Effectively collaborate with stakeholders to respond to requests
 Track requests to ensure timeframes met
 Communicate resolution of requests to individuals
 Automate processes to ensure accuracy and timeliness
 Maintain an audit trail to demonstrate compliance
 Report on processes and outcomes
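The HANDLING ACCESS RIGHT REQUESTS and ACCESS REQUEST CHALLENGES slides list the controls (intake and logging by type, identity verification before release, deadline tracking, an audit trail) without showing how they fit together. The block below is an added example, not part of the webinar material, of a minimal request queue implementing those controls: it computes the statutory deadline (one month under GDPR Article 12(3), extendable by two months; 45 days under the CCPA, extendable once), refuses to release data to an unverified requestor (the identity gate is what stops a subject access request being used to exfiltrate someone else's data), records a hash-chained audit trail that can be checked for tampering, and logs only a digest of what was released rather than the data itself. Ticket format, verification method names and the sample dates are assumptions constructed for the example; encrypting the delivery channel itself is out of scope here.

```python
from __future__ import annotations
import calendar
import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta


def add_months(d: date, n: int) -> date:
    """Same day n months later, clamped to the last day of the target month."""
    m = d.month - 1 + n
    year, month = d.year + m // 12, m % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def response_deadline(regime: str, received: date, extended: bool = False) -> date:
    """GDPR Art. 12(3): one month, extendable by two further months for complex requests.
    CCPA (Cal. Civ. Code 1798.130(a)(2)): 45 days, extendable once by a further 45 days."""
    if regime == "GDPR":
        return add_months(received, 3 if extended else 1)
    if regime == "CCPA":
        return received + timedelta(days=90 if extended else 45)
    raise ValueError(f"unknown regime {regime!r}")


def _digest(entry: dict) -> str:
    # Canonical JSON so the same entry always hashes the same way; dates become strings.
    return hashlib.sha256(json.dumps(entry, sort_keys=True, default=str).encode()).hexdigest()


class AuditTrail:
    """Append-only, hash-chained log: each entry commits to the previous entry's hash."""

    def __init__(self) -> None:
        self.entries: list[dict] = []
        self._prev = "0" * 64

    def record(self, ticket: str, event: str, **details) -> str:
        entry = {"ticket": ticket, "event": event, "prev": self._prev, **details}
        entry["hash"] = _digest(entry)
        self._prev = entry["hash"]
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """Recompute every hash and chain link; False if any entry was altered or removed."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


@dataclass
class AccessRequest:
    ticket: str
    regime: str        # "GDPR" or "CCPA"
    kind: str          # "access", "deletion", "portability", ...
    received: date
    deadline: date
    verified: bool = False
    status: str = "open"


class RequestQueue:
    def __init__(self) -> None:
        self.requests: dict[str, AccessRequest] = {}
        self.audit = AuditTrail()

    def intake(self, regime: str, kind: str, received: date) -> AccessRequest:
        ticket = f"DSAR-{len(self.requests) + 1:04d}"   # assumed ticket format
        req = AccessRequest(ticket, regime, kind, received, response_deadline(regime, received))
        self.requests[ticket] = req
        self.audit.record(ticket, "intake", regime=regime, kind=kind,
                          received=received, deadline=req.deadline)
        return req

    def verify_identity(self, ticket: str, method: str, passed: bool) -> None:
        self.requests[ticket].verified = passed
        self.audit.record(ticket, "identity_check", method=method, passed=passed)

    def release(self, ticket: str, payload: bytes, today: date) -> dict:
        """Release only to a verified requestor; log a digest of the payload, never the data."""
        req = self.requests[ticket]
        if not req.verified:
            self.audit.record(ticket, "release_refused", reason="identity not verified")
            raise PermissionError(f"{ticket}: requestor identity not verified")
        req.status = "closed"
        digest = hashlib.sha256(payload).hexdigest()
        on_time = today <= req.deadline
        self.audit.record(ticket, "released", payload_sha256=digest, on_time=on_time)
        return {"ticket": ticket, "payload_sha256": digest, "on_time": on_time}

    def overdue(self, today: date) -> list[str]:
        """Open tickets past their statutory deadline, for the tracking report."""
        return [t for t, r in self.requests.items() if r.status == "open" and today > r.deadline]


if __name__ == "__main__":
    q = RequestQueue()
    r = q.intake("GDPR", "access", date(2021, 3, 1))     # constructed sample request
    q.verify_identity(r.ticket, "government_id_and_email_otp", True)
    print(q.release(r.ticket, b"constructed sample export", date(2021, 3, 10)))
    print("audit trail intact:", q.audit.verify())
```

The deadline helper deliberately clamps month arithmetic (a request received on 31 January falls due on 28 February, not 3 March), which is the edge case that trips up naive day-count implementations; the audit trail's `verify()` is what an auditor would run to confirm the compliance record has not been edited after the fact.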
LAWFUL BASIS FOR
PROCESSING: CONSENT
 Consent must be
 freely given,
 specific,
 informed and
 unambiguous (Article 4(11))
 Consent is revocable at any time (but not retroactively!)
 Should not be combined with, or swapped for, another lawful basis for the
same processing
 Children under 16 cannot consent themselves to online services (member
states may lower the age, to no less than 13; Article 8)
 The controller must be able to demonstrate that consent was obtained
(Article 7(1))
 Official guidance on consent can be found at:
 http://ec.europa.eu/newsroom/article29/item-
detail.cfm?item_id=623051
GIVING AND WITHDRAWING
CONSENT
 Consent requires clear affirmative action
 “Consent should be given by a clear affirmative act…
such as by a written statement, including by
electronic means, or an oral statement.”
 Under the GDPR information may be shared
without consent where another lawful basis
applies, for example vital interests where a
person's safety is at risk (Article 6(1)(d))
WITHDRAWAL
 Article 7(3) of the GDPR prescribes that the controller
must ensure that consent can be withdrawn by the
data subject as easily as it was given, and at any
given time
 The GDPR does not say that giving and withdrawing
consent must always be done through the same action
 When consent is obtained via electronic means
through only one mouse-click, swipe, or keystroke,
data subjects must, in practice, be able to withdraw
that consent equally as easily
 Withdrawal of consent must be possible free of charge
or without lowering service levels
WHEN WITHDRAWN
 All data processing operations that were based on
consent and took place before the withdrawal of
consent - and in accordance with the GDPR - remain
lawful, however, the controller must stop the
processing actions concerned
 Controllers have an obligation to delete data that was
processed on the basis of consent once that consent
is withdrawn
 Withdrawal of consent does not mean a controller
must erase data that are processed for a purpose that
is based on the performance of the contract with the
data subject
QUESTIONS?
Any Questions?
Don’t be Shy!
AUDITNET® AND CRISK
ACADEMY
• If you would like forever
access to this webinar
recording
• If you are watching the
recording, and would like
to obtain CPE credit for
this webinar
• Previous AuditNet®
webinars are also
available on-demand for
CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a
discount on this webinar for one week
THANK YOU!
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email:info@auditnet.org
www.auditnet.org
Follow Me on Twitter for Special Offers - @auditnet
Join my LinkedIn Group –
https://www.linkedin.com/groups/44252/
Like my Facebook business page
https://www.facebook.com/pg/AuditNetLLC
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino
 
IT Fraud Series: Data Analytics
IT Fraud Series: Data AnalyticsIT Fraud Series: Data Analytics
IT Fraud Series: Data Analytics
 
Internal Auditing Basics
Internal Auditing BasicsInternal Auditing Basics
Internal Auditing Basics
 
Are You a Smart CAAT or a Copy CAAT
Are You a Smart CAAT or a Copy CAATAre You a Smart CAAT or a Copy CAAT
Are You a Smart CAAT or a Copy CAAT
 
The California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA)The California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA)
 
Fraud auditing creative techniques
Fraud auditing creative techniquesFraud auditing creative techniques
Fraud auditing creative techniques
 
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
 
654L17_E
654L17_E654L17_E
654L17_E
 

Último

CROSS CULTURAL NEGOTIATION BY PANMISEM NS
CROSS CULTURAL NEGOTIATION BY PANMISEM NSCROSS CULTURAL NEGOTIATION BY PANMISEM NS
CROSS CULTURAL NEGOTIATION BY PANMISEM NSpanmisemningshen123
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfAdmir Softic
 
Structuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdfStructuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdflaloo_007
 
Mckinsey foundation level Handbook for Viewing
Mckinsey foundation level Handbook for ViewingMckinsey foundation level Handbook for Viewing
Mckinsey foundation level Handbook for ViewingNauman Safdar
 
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwaitdaisycvs
 
TVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdf
TVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdfTVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdf
TVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdfbelieveminhh
 
Falcon Invoice Discounting: Aviate Your Cash Flow Challenges
Falcon Invoice Discounting: Aviate Your Cash Flow ChallengesFalcon Invoice Discounting: Aviate Your Cash Flow Challenges
Falcon Invoice Discounting: Aviate Your Cash Flow Challengeshemanthkumar470700
 
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx  COST ACCOUNTING  Sixteenth Edition                          ...joint cost.pptx  COST ACCOUNTING  Sixteenth Edition                          ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...NadhimTaha
 
BeMetals Investor Presentation_May 3, 2024.pdf
BeMetals Investor Presentation_May 3, 2024.pdfBeMetals Investor Presentation_May 3, 2024.pdf
BeMetals Investor Presentation_May 3, 2024.pdfDerekIwanaka1
 
Buy Verified TransferWise Accounts From Seosmmearth
Buy Verified TransferWise Accounts From SeosmmearthBuy Verified TransferWise Accounts From Seosmmearth
Buy Verified TransferWise Accounts From SeosmmearthBuy Verified Binance Account
 
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)Adnet Communications
 
Arti Languages Pre Seed Teaser Deck 2024.pdf
Arti Languages Pre Seed Teaser Deck 2024.pdfArti Languages Pre Seed Teaser Deck 2024.pdf
Arti Languages Pre Seed Teaser Deck 2024.pdfwill854175
 
Falcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business PotentialFalcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business PotentialFalcon investment
 
Over the Top (OTT) Market Size & Growth Outlook 2024-2030
Over the Top (OTT) Market Size & Growth Outlook 2024-2030Over the Top (OTT) Market Size & Growth Outlook 2024-2030
Over the Top (OTT) Market Size & Growth Outlook 2024-2030tarushabhavsar
 
Cannabis Legalization World Map: 2024 Updated
Cannabis Legalization World Map: 2024 UpdatedCannabis Legalization World Map: 2024 Updated
Cannabis Legalization World Map: 2024 UpdatedCannaBusinessPlans
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...daisycvs
 
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60%  in 6 MonthsSEO Case Study: How I Increased SEO Traffic & Ranking by 50-60%  in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 MonthsIndeedSEO
 

Último (20)

CROSS CULTURAL NEGOTIATION BY PANMISEM NS
CROSS CULTURAL NEGOTIATION BY PANMISEM NSCROSS CULTURAL NEGOTIATION BY PANMISEM NS
CROSS CULTURAL NEGOTIATION BY PANMISEM NS
 
Buy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail AccountsBuy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail Accounts
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
 
Structuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdfStructuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdf
 
Mckinsey foundation level Handbook for Viewing
Mckinsey foundation level Handbook for ViewingMckinsey foundation level Handbook for Viewing
Mckinsey foundation level Handbook for Viewing
 
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
 
TVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdf
TVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdfTVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdf
TVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdf
 
Falcon Invoice Discounting: Aviate Your Cash Flow Challenges
Falcon Invoice Discounting: Aviate Your Cash Flow ChallengesFalcon Invoice Discounting: Aviate Your Cash Flow Challenges
Falcon Invoice Discounting: Aviate Your Cash Flow Challenges
 
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx  COST ACCOUNTING  Sixteenth Edition                          ...joint cost.pptx  COST ACCOUNTING  Sixteenth Edition                          ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
 
!~+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUD...
!~+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUD...!~+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUD...
!~+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUD...
 
BeMetals Investor Presentation_May 3, 2024.pdf
BeMetals Investor Presentation_May 3, 2024.pdfBeMetals Investor Presentation_May 3, 2024.pdf
BeMetals Investor Presentation_May 3, 2024.pdf
 
Buy Verified TransferWise Accounts From Seosmmearth
Buy Verified TransferWise Accounts From SeosmmearthBuy Verified TransferWise Accounts From Seosmmearth
Buy Verified TransferWise Accounts From Seosmmearth
 
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
 
Arti Languages Pre Seed Teaser Deck 2024.pdf
Arti Languages Pre Seed Teaser Deck 2024.pdfArti Languages Pre Seed Teaser Deck 2024.pdf
Arti Languages Pre Seed Teaser Deck 2024.pdf
 
Falcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business PotentialFalcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business Potential
 
Over the Top (OTT) Market Size & Growth Outlook 2024-2030
Over the Top (OTT) Market Size & Growth Outlook 2024-2030Over the Top (OTT) Market Size & Growth Outlook 2024-2030
Over the Top (OTT) Market Size & Growth Outlook 2024-2030
 
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pillsMifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
 
Cannabis Legalization World Map: 2024 Updated
Cannabis Legalization World Map: 2024 UpdatedCannabis Legalization World Map: 2024 Updated
Cannabis Legalization World Map: 2024 Updated
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
 
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60%  in 6 MonthsSEO Case Study: How I Increased SEO Traffic & Ranking by 50-60%  in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
 

Implementing and Auditing GDPR Series (9 of 10)

  • 1. General Data Protection Regulation (GDPR) Webinar 9: Data Mapping and Data Rights. Presenter: Richard Cascarino CISM, CIA, ACFE, CRMA
  • 2. ABOUT JIM KAPLAN, CIA, CFE
    • President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)
    • Auditor, Web Site Guru, Internet for Auditors Pioneer
    • IIA Bradford Cadmus Memorial Award Recipient
    • Local Government Auditor’s Lifetime Award
    • Author of “The Auditor’s Guide to Internet Resources”, 2nd Edition
  • 3. ABOUT AUDITNET® LLC
    • AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology.
    • Available on the Web, iPad, iPhone, Windows and Android devices, and features:
      • Over 3,100 reusable templates, audit programs, questionnaires and control matrices
      • Webinars focusing on fraud, data analytics, IT audit and internal audit, with free CPE for subscribers and site license users
      • Audit guides, manuals and books on audit basics and using audit technology
      • LinkedIn networking groups
      • Monthly newsletters with expert guest columnists
      • Surveys on timely topics for internal auditors
  • 4. HOUSEKEEPING
    • This webinar and its material are the property of AuditNet® and its webinar partners. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
    • If you logged in with another individual’s confirmation email you will not receive CPE, as the confirmation login is linked to a specific individual.
    • This webinar is not eligible for viewing in a group setting. You must be logged in with your unique join link.
    • We are recording the webinar and you will be provided access to that recording after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
    • If you meet the criteria for earning CPE, you will receive a link via email to download your certificate. The official email for CPE will be issued via cpe@email.cpe.io and it is important to whitelist this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated if you did not receive the first mailing.
    • Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
    • You must answer the survey questions after the webinar or before downloading your certificate.
  • 5. IMPORTANT INFORMATION REGARDING CPE!
    • Attendees: if you attend the entire webinar and meet the criteria for CPE you will receive an email with the link to download your CPE certificate. The official email for CPE will be issued via cpe@email.cpe.io and it is important to whitelist this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated after the initial distribution.
    • We cannot manually generate a CPE certificate, as these are handled by our third-party provider. We highly recommend that you work with your IT department to identify and correct any email delivery issues prior to attending the webinar. Issues would include blocks or spam filters in your email system, or a firewall that will redirect or not allow delivery of this email from Gensend.io.
    • You must opt in to our mailing list. If you indicate that you do not want to receive our emails, your registration will be cancelled and you will not be able to attend the webinar.
    • We are not responsible for any connection, audio or other computer-related issues. You must have pop-ups enabled on your computer, otherwise you will not be able to answer the polling questions, which occur approximately every 20 minutes. We suggest that if you have any pressing issues to see to, you do so immediately after a polling question.
  • 6. The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® LLC. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship. While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website. Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet® LLC.
  • 7. ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA
    • Principal of Richard Cascarino & Associates, based in Colorado, USA
    • Over 28 years’ experience in IT audit training and consultancy
    • Past President of the Institute of Internal Auditors in South Africa
    • Member of ISACA
    • Member of the Association of Certified Fraud Examiners
    • Author of Data Analytics for Internal Auditors
  • 8. TODAY’S AGENDA
    • Ending of Privacy Shield
    • The California act
    • Why and how to conduct a data mapping exercise
    • The rights of data subjects
    • Giving and withdrawing consent
  • 9. WHAT WAS PRIVACY SHIELD
    • Framework governing the flow of personal data between the EU and the US for commercial purposes
    • Companies self-certified to the US Department of Commerce
    • Certifying companies adhered to 23 principles laying out the requirements for the use and treatment of personal data received from the EU
  • 10. WHAT WAS PRIVACY SHIELD
    • Deemed to provide “adequate” privacy protection for personal data transferred outside the EU
    • Relied upon by over 5,000 European and US companies to conduct over $7 trillion in commercial transactions
  • 11. WHAT WAS PRIVACY SHIELD
    • … for its lax handling of personal data of users
    • The transfer of personal data by Facebook Ireland to Facebook Inc. in the USA, on the strength of the Standard Contractual Clauses (SCCs), was challenged by Mr. Schrems (Schrems II)
    • US law allows the unbridled collection of personal data by public authorities, which the Court deemed inconsistent with the legal framework of the EU
    • Privacy Shield was invalidated by the Court of Justice of the EU on 16 July 2020
  • 12. PRIVACY SHIELD CANCELLATION
    • Took immediate effect, with no grace period
    • Signals probable greater scrutiny of alternative data transfer mechanisms such as standard contractual clauses (SCCs) and binding corporate rules (BCRs)
    • SCCs remain valid in principle
    • Enforceable data subject rights and effective remedies are required in the destination country
  • 13. PRIVACY SHIELD CANCELLATION
    • Local laws governing access by public authorities in the third country must be considered
    • Many companies are now uncertain over how to conduct business involving transatlantic data transfers
    • DPAs must suspend or prohibit transfers if the SCCs are not or cannot be complied with and the required level of protection cannot be ensured by other means
  • 14. STILL UNCERTAIN
    • When will the Commission release new SCCs? Will they make any difference?
    • Would existing adequacy decisions (e.g. Israel, Canada (PIPEDA)) withstand challenge?
    • What is the impact of Brexit?
    • Can EU-US transfers be based on SCCs?
    • Can EU-US transfers be based on BCRs?
  • 15. NOW NEEDED
    • A transfer adequacy assessment must be conducted to determine whether appropriate safeguards can be ensured
    • If appropriate safeguards cannot be ensured when transferring the data, companies must suspend or end the transfer
  • 16. NOW NEEDED
    • Where transfers are deemed necessary for important reasons of public interest, the EDPB emphasizes the need for an important public interest, as opposed to only focusing on the nature of the transferring organization
    • Companies must analyze their agreements to identify the range of data privacy and security obligations addressed in the terms
  • 17. CALIFORNIA LEGISLATION
    • California Consumer Privacy Act (CCPA)
    • State statute intended to enhance privacy rights and consumer protection for residents of California
    • Took effect on January 1, 2020
    • Six statutory rights:
  • 18. STATUTORY RIGHTS
    1. To be provided with information on what personal information is collected about them and the purposes for which that personal information is used.
    2. To be provided with information on what personal information is sold or disclosed for a business purpose, and to whom.
    3. To opt out of the sale of their personal information to third parties (or, in the case of minors under age 16, to require an opt-in before the sale of their personal information).
    4. To request the deletion of their personal information.
    5. Not to be subject to discrimination for exercising any of the above rights, including being denied goods or services, being charged a different price, or being subjected to a lower level of quality of such goods or services.
    6. To seek statutory damages of $100 to $750 for breaches of unencrypted personal information that arise as a result of a business’s violation of its duty to implement and maintain reasonable security procedures.
  • 19. APPLIES TO
    • For-profit business entities doing business in California that:
      • have gross annual revenue of $25 million or more;
      • buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices; or
      • derive 50% or more of their annual revenue from selling consumers’ personal information
    • Exceptions for data already covered by HIPAA, the CMIA (California Confidentiality of Medical Information Act) and the GLBA (Gramm-Leach-Bliley Act)
  • 20. REQUIREMENTS
    • Businesses are required to post, on their website or by other public means, details of how they are using or not using consumer data over the preceding rolling 12 months, together with opt-out instructions
    • Businesses will have to develop processes and procedures to accommodate all consumer rights, including data mapping and access reports
  • 21. REQUIREMENTS
    • Businesses are required to reasonably safeguard consumer data
    • Significant damages implications for businesses that fail to comply (enforced by the California Attorney General)
    • Consumers have a private right of action, but it is limited ($100 to $750 per violation)
    • Civil penalties for businesses of up to $7,500 per violation
  • 22. GDPR AND CCPA (each row: the CCPA right, then the closest GDPR equivalent)
    • CCPA: broad right of access to personal information (Sec 100, 110, 130). GDPR: Article 15 addresses the fields, but not the timeframe.
    • CCPA: right to data portability for electronic access to personal information (Sec 100). GDPR: only applies if the access request is responded to electronically; narrower than Article 20.
    • CCPA: right to delete personal information (Sec 105). GDPR: very similar to, but arguably broader than, Article 17, which sets greater limits on its application.
    • CCPA: right to receive an accounting of disclosures (“sale” or “for business purposes”) of personal information (Sec 115, 130)*. GDPR: the closest right is the right of access under Article 15.
    • CCPA: right to object to the sale of personal information (Sec 120). GDPR: narrower and more specific than Article 21.
    • CCPA: right to opt in for the sale of minors’ personal information, or to authorize sale after exercising the right to object (Sec 120). GDPR: narrower and more specific than Article 8.
  • 23. DATA MAPPING
    • GDPR requires organizations to map their data flows in order to assess privacy risks
    • The data flow map forms part of the Article 30 documentation (records of processing activities)
    • It is an essential first step in completing a DPIA (data protection impact assessment)
  • 24. DPIA (Article 35: Data protection impact assessment)
    • The controller must seek the advice of the data protection officer
    • Required in situations involving:
      • automated processing, including profiling, that produces legal effects concerning the natural person or similarly significantly affects them
      • large-scale processing of special categories of (sensitive) data, or of data relating to criminal convictions and offences
      • systematic monitoring of a publicly accessible area on a large scale
    • Conduct a post-implementation review when the risk profile changes
  • 25. DPIA, DPO, PRIVACY BY DESIGN AND DEFAULT
    • Data Protection Impact Assessment (DPIA):
      • Is there a high risk for the individual?
      • Assessment of the risks to individuals
      • Identification of the mitigation measures
      • If a high risk remains after mitigation, consult the DPA (prior consultation)
    • Data Protection Officer (DPO):
      • Advises the company and its staff on GDPR obligations
      • Monitors compliance with the GDPR and internal privacy policies (assignment of responsibilities, awareness-raising, training, audits)
      • Provides advice on the DPIA and monitors its performance
      • Cooperates with DPAs and acts as the contact point (in case of DPA consultation)
  • 26. DATA PROTECTION IMPACT ASSESSMENT PROCESS
    1. Description of the envisaged processing
    2. Assessment of necessity and proportionality
    3. Measures envisaged to demonstrate compliance
    4. Assessment of the risks to rights and freedoms
    5. Measures envisaged to address the risks
    6. Documentation
    7. Monitoring and review
  • 27. DATA MAPPING (the ICO staged approach to an effective DPIA)
    1. A DPIA is required when there is a change in the processing of personally identifiable information (PII)
    2. Determine the information flows throughout the organization in order to make a proper assessment of the privacy risks
    3. Identify the risks related to privacy and processing, including the necessity and proportionality of the change in processing
    4. Identify possible privacy solutions to address the risks that have been identified
  • 28. DATA MAPPING
    5. Assess how the data protection principles have been applied throughout the organization
    6. Sign off and record the DPIA, including details of which privacy solutions are to be implemented
    7. Integrate the result of the DPIA back into the project plan
    8. Conduct a post-implementation review where the risk profile of the PII has changed
  • 29. INFORMATION FLOW
    • Walk through the information lifecycle to identify unforeseen or unintended uses of the data
    • Ensure the people who will be using the information are consulted on the practical implications
    • Consider the potential future uses of the information collected, even if they are not immediately necessary
  • 30. DETERMINE
    • Workflow inputs and outputs:
      • How is personal data collected (e.g. form, online, call center, other)?
      • Who is accountable for the personal data?
      • Where are the systems or filing systems containing the data located?
      • Who has access to the information?
      • Is the information disclosed or shared with anyone (e.g. suppliers, third parties)?
      • Does the system interface with, or transfer information to, other systems?
  • 31. HOW?
    • Inspect existing documents
    • Facilitated workshops
    • Questionnaires
    • Observation
    • Whiteboard free-form diagrams
    • Template drawings (Visio, mind-map tools)
    • Post-it notes
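Added example (not part of the webinar deck): a minimal data map in Python built from the slide 30 questions, with the review a post-Privacy Shield data mapping exercise needs. Each flow records what is collected, how, who owns it, where the receiving system sits and which transfer mechanism covers it; the review flags any flow leaving adequate territory that has no valid mechanism (suspend or end the transfer) or that rests on SCCs/BCRs without a transfer adequacy assessment (assess public-authority access under local law). The systems, countries and the adequacy allow-list below are constructed for illustration; the allow-list is not a complete or current statement of Commission adequacy decisions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Illustrative allow-list: a few EEA states plus the two adequacy decisions the
# deck names (Israel, Canada under PIPEDA).  Constructed for this example; check
# the Commission's current list before relying on it.
ADEQUATE_DESTINATIONS = {"AT", "DE", "FR", "IE", "NL", "ES", "IT", "IL", "CA"}

# Privacy Shield was invalidated (Schrems II, 16 July 2020), so a flow that still
# cites it is treated as having no mechanism at all.
INVALID_MECHANISMS = {"PrivacyShield"}


@dataclass(frozen=True)
class Flow:
    """One edge of the data-flow map: the answers to the 'Determine' questions."""
    name: str
    data_categories: tuple          # what personal data moves, e.g. ("name", "email")
    collected_via: str              # form, online, call center, ...
    owner: str                      # who is accountable for the data
    destination_country: str        # ISO code of where the receiving system runs
    recipient: str                  # receiving system or third party (hypothetical names)
    mechanism: str = ""             # "", "SCC", "BCR" or "PrivacyShield"
    transfer_assessment_done: bool = False  # post-Schrems II assessment completed?


def transfer_finding(flow: Flow) -> Optional[str]:
    """Return a finding for a flow that leaves adequate territory, else None."""
    if flow.destination_country in ADEQUATE_DESTINATIONS:
        return None
    mechanism = "" if flow.mechanism in INVALID_MECHANISMS else flow.mechanism
    if mechanism == "":
        return (f"{flow.name}: transfer to {flow.destination_country} has no valid "
                f"mechanism; suspend or end the transfer")
    if mechanism in ("SCC", "BCR") and not flow.transfer_assessment_done:
        return (f"{flow.name}: {mechanism} in place but no transfer adequacy "
                f"assessment; assess public-authority access under local law")
    return None


def review_data_map(flows: List[Flow]) -> List[str]:
    """Run transfer_finding over the whole map; findings come back in map order."""
    return [f for f in (transfer_finding(fl) for fl in flows) if f]


def systems_holding(flows: List[Flow], category: str) -> List[str]:
    """Every recipient that holds a data category: the lookup a SAR handler needs."""
    return sorted({fl.recipient for fl in flows if category in fl.data_categories})


# Constructed sample data map (hypothetical systems, vendors and countries).
SAMPLE_MAP = [
    Flow("web signup -> CRM", ("name", "email"), "online form", "Marketing",
         "IE", "crm.example.internal"),
    Flow("CRM -> payroll", ("name", "bank account"), "HR intake form", "HR",
         "DE", "payroll.example.internal"),
    Flow("CRM -> email SaaS", ("name", "email"), "online form", "Marketing",
         "US", "mail-saas.example.com", mechanism="SCC"),
    Flow("CRM -> analytics vendor", ("email",), "online form", "Marketing",
         "US", "analytics.example.com", mechanism="PrivacyShield"),
    Flow("CRM -> support vendor", ("name", "email"), "call center", "Support",
         "CA", "support.example.ca"),
]

if __name__ == "__main__":
    for finding in review_data_map(SAMPLE_MAP):
        print(finding)
    print("systems holding email:", systems_holding(SAMPLE_MAP, "email"))
```

On the sample map the review produces two findings: the SaaS flow needs a transfer adequacy assessment before its SCCs can be relied on, and the analytics flow still citing Privacy Shield must be suspended. The same inventory is what makes subject access requests tractable: systems_holding() answers "which systems hold this person's email address" without a manual hunt.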
  • 32. RIGHTS OF DATA SUBJECTS
    • Four basic rights:
      • The subject’s right of access to information
      • The right of correction, technically known as the right to rectification
      • The right to be forgotten (erasure)
      • Rights within the scope of consent (if that is the legal ground for processing)
  • 33. INDIVIDUAL’S RIGHTS
    • Existing rights:
      1. Notice right (transparency requirement)
      2. Right of access
      3. Right to rectification
      4. Right to restriction
      5. Right to object
      6. Right to erasure (“right to be forgotten”)
      7. Right not to be subject to automated decision-making
  • 34. ENHANCED PERSONAL PRIVACY RIGHTS
    • The General Data Protection Regulation (GDPR) imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where the organizations are located.
    • New: right to data portability
    • New: data breach notification requirements
  • 35. ENHANCED PERSONAL PRIVACY RIGHTS
    • Right to be informed
    • Right of access, including additional processing details
    • Right to rectification
    • Right to erasure
    • Right to restriction
    • Right to data portability
    • Right to object
    • Right to prevent automated processing, including profiling
  • 36. SECURITY AND DATA BREACH NOTIFICATIONS (flow diagram on the slide)
    • The processor notifies the controller of a personal data breach without undue delay
    • The controller notifies the DPA within 72 hours of becoming aware of the breach
    • The controller notifies the affected data subjects without undue delay where the breach is likely to result in a “high risk” to them
  • 37. SUBJECT ACCESS REQUESTS
    • Under data protection law, a person has always had the right to request access to all of the information held about them. This is called a Subject Access Request (SAR).
    • Subject Access Requests must be completed within one month, free of charge
    • Holding an accurate inventory of information will be a key enabler for completing SARs efficiently
    • Data has to be provided in a standard format
    • The person must also be given further information, including the relevant retention periods for the data held and their right to have inaccuracies corrected
  • 38. DATA SUBJECT ACCESS REQUEST
    • By submitting a DSAR (data subject access request) to an organization, individuals are entitled to receive:
      • confirmation that their personal information is being processed;
      • access to that information;
      • the organization’s lawful basis for processing;
      • the names or categories of any third parties that the information has been shared with;
      • the estimated period for which the personal data will be stored (or, if this hasn’t yet been decided, the criteria used to determine that period);
      • any relevant information about how the personal data was obtained; and
      • information about automated decision-making, including profiling, and the reasoning for and potential consequences of the automation.
  • 39. HANDLING ACCESS RIGHT REQUESTS (AKA verifiable consumer requests)
    • Verify and authenticate all requestors’ identities
    • Collect, manage and review internal data to fulfil subject access requests
    • Track, review and approve subject access request forms
    • Ticket and assign subject access requests
    • Encrypt and securely deliver the information
  • 40. ACCESS REQUEST CHALLENGES
    • Compliance with applicable laws and regulations
    • Intake and log requests by type (i.e. access, deletion, etc.)
    • Verify the identity of individual requestors
    • Assess which requests must be responded to
    • Identify requestors’ data within company systems
    • Collaborate effectively with stakeholders to respond to requests
    • Track requests to ensure timeframes are met
    • Communicate the resolution of requests to individuals
    • Automate processes to ensure accuracy and timeliness
    • Maintain an audit trail to demonstrate compliance
    • Report on processes and outcomes
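Added example (not from the webinar deck): a small Python request register that implements the handling steps of slides 39 and 40 for the one-month SAR timeframe of slide 37. It logs requests by type, refuses to start collecting a person's data until the requestor's identity has been verified, computes the one-month deadline, lists overdue requests, refuses to close a request over an unencrypted channel, and keeps an audit trail. The request types, channel names and the sample request are constructed for illustration; the month-counting rule (same day number next month, or that month's last day if it is shorter) is an assumption, not guidance quoted from the deck.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Request types taken from the rights list; anything else is rejected at intake.
ALLOWED_KINDS = {"access", "rectification", "erasure", "restriction",
                 "portability", "objection"}
# Delivery channels accepted as "encrypt and securely deliver" (assumed names).
SECURE_CHANNELS = {"encrypted_email", "secure_portal"}


def response_deadline(received: date) -> date:
    """One calendar month from receipt.  Assumed counting rule: the same day
    number in the following month, or that month's last day if it is shorter
    (received 31 Jan -> due 28/29 Feb)."""
    year = received.year + received.month // 12
    month = received.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def deadline_for(received_iso: str) -> str:
    """String convenience wrapper: '2024-01-31' -> '2024-02-29'."""
    return response_deadline(date.fromisoformat(received_iso)).isoformat()


@dataclass
class Request:
    request_id: str
    subject: str
    kind: str
    received: date
    identity_verified: bool = False
    status: str = "logged"            # logged -> verified -> in_progress -> closed
    assignee: Optional[str] = None
    audit_trail: List[str] = field(default_factory=list)

    @property
    def deadline(self) -> date:
        return response_deadline(self.received)


class DsarRegister:
    """Intake, identity verification, assignment, deadline tracking, audit trail."""

    def __init__(self) -> None:
        self._requests: Dict[str, Request] = {}

    def _log(self, req: Request, event: str) -> None:
        req.audit_trail.append(event)

    def intake(self, request_id: str, subject: str, kind: str, received_iso: str) -> Request:
        if kind not in ALLOWED_KINDS:
            raise ValueError(f"unknown request type {kind!r}")
        req = Request(request_id, subject, kind, date.fromisoformat(received_iso))
        self._requests[request_id] = req
        self._log(req, f"logged {kind} request, due {req.deadline.isoformat()}")
        return req

    def verify_identity(self, request_id: str, verifier: str, evidence: str) -> None:
        req = self._requests[request_id]
        req.identity_verified, req.status = True, "verified"
        self._log(req, f"identity verified by {verifier}: {evidence}")

    def assign(self, request_id: str, assignee: str) -> None:
        req = self._requests[request_id]
        if not req.identity_verified:
            # Gathering someone's data for an unverified requestor is itself a disclosure risk.
            raise PermissionError("verify the requestor before collecting their data")
        req.assignee, req.status = assignee, "in_progress"
        self._log(req, f"assigned to {assignee}")

    def close(self, request_id: str, delivered_via: str) -> None:
        req = self._requests[request_id]
        if delivered_via not in SECURE_CHANNELS:
            raise ValueError(f"{delivered_via!r} is not an approved secure channel")
        req.status = "closed"
        self._log(req, f"response delivered via {delivered_via}")

    def overdue(self, as_of_iso: str) -> List[str]:
        """Open requests whose one-month deadline has already passed on the given day."""
        as_of = date.fromisoformat(as_of_iso)
        return [r.request_id for r in self._requests.values()
                if r.status != "closed" and as_of > r.deadline]


def run_demo() -> dict:
    """Walk one constructed request through the register; returns the outcomes."""
    reg = DsarRegister()
    req = reg.intake("R-1", "alice@example.com", "access", "2024-03-01")
    out = {"deadline": req.deadline.isoformat()}
    try:
        reg.assign("R-1", "privacy-team")
        out["assign_before_verify"] = "allowed"
    except PermissionError:
        out["assign_before_verify"] = "blocked"
    reg.verify_identity("R-1", "helpdesk", "login to existing account + callback")
    reg.assign("R-1", "privacy-team")
    out["overdue_on_due_day"] = reg.overdue("2024-04-01")
    out["overdue_day_after"] = reg.overdue("2024-04-02")
    try:
        reg.close("R-1", "plain_email")
        out["plain_email"] = "allowed"
    except ValueError:
        out["plain_email"] = "blocked"
    reg.close("R-1", "encrypted_email")
    out["overdue_after_close"] = reg.overdue("2024-05-01")
    out["status"], out["audit_events"] = req.status, len(req.audit_trail)
    return out
```

The audit trail is the evidence slide 40 asks for: every state change is appended with who did it and why, so the register can show a DPA that identity was checked before data was gathered and that the response went out over an encrypted channel before the deadline.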
  • 41. LAWFUL BASIS FOR PROCESSING: CONSENT
    • Consent must be freely given, specific, informed and unambiguous
    • Consent is revocable at any time (but not retroactively!)
    • Consent cannot be combined with another basis for the same processing
    • Children under 16 cannot consent on their own to information society services (member states may lower this limit, but not below 13); the holder of parental responsibility must consent
    • The processor/controller must be able to demonstrate that consent was obtained
    • Official guidance on consent can be found at: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051
  • 42. GIVING AND WITHDRAWING CONSENT
    • Consent requires a clear affirmative action
    • “Consent should be given by a clear affirmative act… such as by a written statement, including by electronic means, or an oral statement.”
    • Under the GDPR you may share information without consent if, in your judgement, there is another lawful reason to do so, such as where safety may be at risk
  • 43. WITHDRAWAL
    • Article 7(3) of the GDPR prescribes that the controller must ensure that consent can be withdrawn by the data subject as easily as it was given, and at any time
    • The GDPR does not say that giving and withdrawing consent must always be done through the same action
    • When consent is obtained via electronic means through only one mouse-click, swipe or keystroke, data subjects must, in practice, be able to withdraw that consent equally easily
    • Withdrawal of consent must be possible free of charge and without lowering service levels
  • 44. WHEN WITHDRAWN
    • All data processing operations that were based on consent and took place before the withdrawal of consent, in accordance with the GDPR, remain lawful; however, the controller must stop the processing actions concerned
    • Controllers have an obligation to delete data that was processed on the basis of consent once that consent is withdrawn
    • Withdrawal of consent does not mean a controller must erase data that are processed for a purpose based on the performance of the contract with the data subject
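Added example (not from the webinar deck): a Python consent ledger that encodes the rules of slides 41 to 44. It rejects "consent" that is not a clear affirmative act (a pre-ticked box, silence or inactivity), decides whether a given processing operation was lawful by looking at the consent state at the moment it happened (so withdrawal is not retroactive), and on withdrawal separates the records that must be erased (processed on the basis of consent for the withdrawn purpose) from those that stay (processed for the performance of the contract). The subjects, purposes, channel names and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# Recital 32: silence, pre-ticked boxes or inactivity do not constitute consent.
NOT_AFFIRMATIVE = {"pre_ticked_box", "silence", "inactivity"}


def _ts(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp (all timestamps in this example are naive UTC)."""
    return datetime.fromisoformat(iso)


@dataclass(frozen=True)
class ConsentEvent:
    subject: str
    purpose: str
    given: bool     # True = consent given, False = consent withdrawn
    at: str         # ISO-8601 timestamp
    how: str        # the affirmative act (or the withdrawal channel), assumed names


@dataclass(frozen=True)
class ProcessingRecord:
    subject: str
    purpose: str
    basis: str      # "consent" or "contract"
    processed_at: str


class ConsentLedger:
    """Append-only log that lets the controller demonstrate consent was obtained."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.given and event.how in NOT_AFFIRMATIVE:
            raise ValueError(f"{event.how!r} is not a clear affirmative act")
        self._events.append(event)

    def consent_active(self, subject: str, purpose: str, at: str) -> bool:
        """Was consent in force at `at`?  Decided by the latest event at or before it."""
        latest = None
        for e in self._events:
            if e.subject == subject and e.purpose == purpose and _ts(e.at) <= _ts(at):
                if latest is None or _ts(e.at) >= _ts(latest.at):
                    latest = e
        return latest is not None and latest.given


def processing_lawful(ledger: ConsentLedger, rec: ProcessingRecord) -> bool:
    """Contract-based processing is unaffected by consent; consent-based
    processing is lawful iff consent was active when it took place."""
    if rec.basis == "contract":
        return True
    if rec.basis == "consent":
        return ledger.consent_active(rec.subject, rec.purpose, rec.processed_at)
    raise ValueError(f"unknown lawful basis {rec.basis!r}")


def apply_withdrawal(ledger: ConsentLedger, records: List[ProcessingRecord],
                     subject: str, purpose: str, now: str,
                     how: str = "unsubscribe_link") -> Tuple[List[ProcessingRecord], List[ProcessingRecord]]:
    """Record the withdrawal, then split records into (keep, erase): data processed
    on the basis of consent for that purpose goes; data processed under the contract stays."""
    ledger.record(ConsentEvent(subject, purpose, False, now, how))
    keep, erase = [], []
    for r in records:
        if r.subject == subject and r.purpose == purpose and r.basis == "consent":
            erase.append(r)
        else:
            keep.append(r)
    return keep, erase


def run_demo() -> dict:
    """Constructed scenario: consent given, used, then withdrawn."""
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("alice", "newsletter", True, "2024-01-01T10:00:00", "web_checkbox"))
    records = [
        ProcessingRecord("alice", "newsletter", "consent", "2024-02-01T09:00:00"),
        ProcessingRecord("alice", "order_fulfilment", "contract", "2024-02-01T09:00:00"),
    ]
    out = {"before_withdrawal": [processing_lawful(ledger, r) for r in records]}
    keep, erase = apply_withdrawal(ledger, records, "alice", "newsletter", "2024-03-01T12:00:00")
    out["kept_purposes"] = [r.purpose for r in keep]
    out["erased_purposes"] = [r.purpose for r in erase]
    # Processing done before the withdrawal stays lawful; processing after it does not.
    out["earlier_still_lawful"] = processing_lawful(ledger, records[0])
    out["after_withdrawal_lawful"] = processing_lawful(
        ledger, ProcessingRecord("alice", "newsletter", "consent", "2024-03-02T08:00:00"))
    try:
        ledger.record(ConsentEvent("bob", "newsletter", True, "2024-03-05T00:00:00", "pre_ticked_box"))
        out["pre_ticked"] = "accepted"
    except ValueError:
        out["pre_ticked"] = "rejected"
    return out
```

Two design points carry the GDPR semantics: the ledger is append-only and timestamped, so the controller can still demonstrate that consent existed for the February processing after it has been withdrawn; and erasure on withdrawal is keyed on the lawful basis recorded with each processing record, which is why the order-fulfilment data, processed under the contract, survives while the newsletter data does not.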
  • 46. AUDITNET® AND CRISK ACADEMY
    • If you would like forever access to this webinar recording, or you are watching the recording and would like to obtain CPE credit for this webinar: http://criskacademy.com
    • Previous AuditNet® webinars are also available on-demand for CPE credit: http://ondemand.criskacademy.com
    • Use coupon code 50OFF for a discount on this webinar for one week
  • 47. THANK YOU!
    • Jim Kaplan, AuditNet® LLC, 1-800-385-1625, Email: info@auditnet.org, www.auditnet.org. Follow me on Twitter for special offers: @auditnet. Join my LinkedIn group: https://www.linkedin.com/groups/44252/. Like my Facebook business page: https://www.facebook.com/pg/AuditNetLLC
    • Richard Cascarino & Associates, Cell: +1 970 819 7963, Tel: +1 303 747 6087 (Skype Worldwide), Tel: +1 970 367 5429, eMail: rcasc@rcascarino.com, Web: http://www.rcascarino.com, Skype: Richard.Cascarino