Protecting personal data has been an important issue for many years. The EU GDPR extends the data rights of individuals, and requires organizations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organizational measures. UK organizations have had to comply with the Regulation since 25 May 2018, or potentially face fines of up to 4% of annual turnover or €20 million – whichever is greater.
Learning Outcomes:
This 10-webinar series is intended to give a clear understanding of the core elements of the GDPR, with the ability to gain a deeper understanding by asking the trainer questions during the training.
It covers how each aspect of the Regulation can be translated into implementation actions in your organization, and the auditor’s role.
Webinar 10
• Handling data subject access requests (DSARs).
• The roles of controllers and processors, and the relationships between them.
• Transferring personal data outside the EU and the mechanisms for compliance.
• How to become GDPR compliant using a compliance gap assessment.
Implementing and Auditing GDPR Series (10 of 10)
10/14/2020
Richard Cascarino CISM, CIA, ACFE, CRMA
General Data Protection Regulation (GDPR) Webinar 10
Becoming GDPR Compliant
About Jim Kaplan, CIA, CFE
President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)
Auditor, Web Site Guru, Internet for Auditors Pioneer
IIA Bradford Cadmus Memorial Award Recipient
Local Government Auditor’s Lifetime Award
Author of “The Auditor’s Guide to Internet Resources” 2nd Edition
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and features:
• Over 3,300 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Introductions
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive CPE, as the confirmation login is linked to a specific individual
• This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join link.
• We are recording the webinar and you will be provided access to that recording after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
• If you meet the criteria for earning CPE, you will receive a link via email to download your certificate. The official email for CPE will be issued via cpe@email.cpe.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated if you did not receive the first mailing.
• Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
• You must answer the survey questions after the Webinar or before downloading your certificate.
IMPORTANT INFORMATION REGARDING CPE!
• ATTENDEES - If you attend the entire Webinar and meet the criteria for CPE you will receive an email with the link to download your CPE certificate. The official email for CPE will be issued via cpe@email.cpe.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated after the initial distribution.
• We cannot manually generate a CPE certificate as these are handled by our 3rd party provider. We highly recommend that you work with your IT department to identify and correct any email delivery issues prior to attending the Webinar. Issues would include blocks or spam filters in your email system or a firewall that will redirect or not allow delivery of this email from Gensend.io
• You must opt in to our mailing list. If you indicate that you do not want to receive our emails, your registration will be cancelled and you will not be able to attend the Webinar.
• We are not responsible for any connection, audio or other computer related issues. You must have pop-ups enabled on your computer, otherwise you will not be able to answer the polling questions which occur approximately every 20 minutes. We suggest that if you have any pressing issues to see to, you do so immediately after a polling question.
The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® LLC. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet® LLC
ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino & Associates based in Colorado USA
• Over 28 years’ experience in IT audit training and consultancy
• Past President of the Institute of Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified Fraud Examiners
• Author of The Complete Guide for CISA Examination Preparation, out 5 October 2020
Copyright Richard Cascarino
TODAY’S AGENDA
• Handling data subject access requests (DSARs).
• The roles of controllers and processors, and the relationships between them.
• Transferring personal data outside the EU and the mechanisms for compliance.
• How to become GDPR compliant using a compliance gap assessment tool.
WHAT IS A DSAR?
Article 15 of the General Data Protection Regulation (GDPR) grants Europeans the right to ask for a copy of their personal data
A request from a data subject to be provided with a copy of the personal data being processed by a Controller and an explanation of the purposes for which the personal data is being used
Specifically, when anyone asks to receive a copy of the personal data you may hold about them
Must come from the individual themselves (or an authorized agent/parent/guardian)
Could be sent to any department and come from a variety of sources
May be submitted by email or social media and may be addressed to the “wrong” department or person
Must be forwarded to the DPO
WHY REQUEST?
To confirm:
Whether the individual’s personal information is being processed
Who can access that information
The organization’s lawful basis for processing
The names or categories of any third parties that the information has been shared with
The estimated period for which the personal data will be stored
The criteria used to determine the storage period
How the personal data was obtained
Information about automated decision-making, including profiling, and the reasoning for and potential consequences of the automation
OBLIGATIONS
Organizations don’t automatically have to comply with every DSAR they receive. A request may be refused if it is:
• manifestly unfounded: one that the individual sends to disrupt the organisation, or which contains unsubstantiated accusations against the organisation
• excessive: based on how often you collect personal data
• repetitive
Organizations that reject on those bases must be capable of demonstrating their justification
Each request is to be considered on a case-by-case basis
YOU MAY NEED
• Proof of ID (if the requester is an employee or ex-employee this may not be necessary if it is obvious to you who they are)
• Proof of relationship/authority (for example if information is requested about a child or by an agent)
• Whether they are interested in specific information (if they request ALL personal data you cannot restrict this)
• To know what their relationship is with your organization
• Whether they wish to see CCTV images of them (if relevant) and request a photograph, description of clothes worn, dates of visits etc.
• Whether they require the information to be provided in writing or whether they will accept it in an electronic form
PROCESSING REQUIREMENTS
No fee allowed in most circumstances
A “reasonable fee” may be charged when a request is manifestly unfounded, excessive or repetitive
Access may be refused for excessive, unfounded or repetitive requests
Refusal includes the right to appeal to the organization’s supervisory authority
Any fee must be based on the administrative cost of complying with the request
If no personal data is held about the individual, they must be informed of this
RESPONSE TIMES
Generally, organizations are required to provide the requested information within one month
Where requests are complex or numerous, organizations are permitted to extend the deadline to three months
A response explaining the delay is still required within one month
No limit on how a DSAR must be made: it may be made verbally or electronically
If the request is made electronically, the information must be provided in a commonly used file format
WHAT TO RELEASE
If the information contains personal data relating to other individuals, consideration must be given to whether/how to redact this, or whether it is reasonable to disclose it
Such information can be disclosed with the consent of the other parties
Where consent is not feasible, consideration must be given to the privacy impact and/or to how your duty of confidentiality to these other parties would be affected should the information be disclosed
Any justification for disclosure of personal data relating to other parties must be documented
CONTROLLERS AND PROCESSORS
GDPR imposes specific obligations on “Processors”, “Controllers”, and others with regard to their vendor relationships and the protection of “Personal Data”
GDPR requires companies to conduct appropriate due diligence on processors and to have contracts containing specific provisions relating to data protection
Duty of the processor to notify the controller, and of the controller to notify the supervisory authority, when a personal data breach is likely to lead to a high risk to the data subject’s rights and freedoms
CONTROLLERS AND PROCESSORS
“Controller”: the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
“Processor”: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller
CONTROLLERS AND PROCESSORS
When the processing of personal data of EU data subjects is done by a controller or processor that is not present in the EU, the GDPR applies to activities related to offering goods or services to EU citizens (free and paying services) and behavior monitoring of EU data subjects
A non-EU company which processes the data of EU citizens needs to appoint a representative in the EU
CONTROLLERS AND PROCESSORS
The GDPR concerns all companies which process personal data of citizens (‘data subjects’) who reside in the EU, regardless of where these companies (the ‘data processors’ and ‘data controllers’) are located
CONTROLLER VS. PROCESSOR
Controller: alone or jointly with others determines the purposes and means of processing personal data.
Processor: processes personal data on behalf of the controller.
Both controllers and processors are regulated directly under GDPR.
Controllers have more responsibilities, for example: providing notices to data subjects, responding to the exercise of subject rights, appointing a representative in the EEA, notifying supervisory authorities and data subjects of data breaches, maintaining records of processing.
CONTROLLER AND PROCESSOR
Tasks and responsibilities of Controller, Processor and Data Protection Officer:
• Records of processing activities and Logging
• Personal data breach handling (Incident handling)
• Data protection impact assessment and Prior consultation
• Security of processing and Data protection by design and by Default
THE DATA PROCESSOR
Someone who processes personal data on behalf of the data controller
Examples include external payroll providers
The obligation to comply with the Act is on the controller, who must make sure that the processor processes data fairly and lawfully; under GDPR the Data Processor has some direct obligations
PRIVACY SHIELD (USA ONLY)
The decision on the EU-U.S. Privacy Shield was adopted by the European Commission on 12 July 2016 (removed 2020)
• Commercial sector: strong obligations on companies and robust enforcement
• U.S. Government access: clear safeguards and transparency obligations
• Redress: directly with the company; with the data protection authority; Privacy Shield panel
• Monitoring: annual joint review mechanism between the US Department of Commerce and the EU Commission
TRANSFERRING PERSONAL DATA OUTSIDE THE EU
Article 2(g): “recipient” shall mean a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients
Generally, the GDPR restricts transfers of personal data to countries outside the EEA. These restrictions apply to all transfers, no matter the size of the transfer or how often you carry them out
Article 44: General principle for transfers
Any transfer of personal data by a controller or processor shall take place only if certain conditions are complied with:
a. Transfers on the basis of adequacy;
b. Transfers subject to the appropriate safeguards;
c. Binding corporate rules apply.
ADEQUACY
Transfers on the basis of adequacy
A transfer may take place where there is an adequate level of protection
The adequacy criteria:
– the rule of law;
– respect for human rights and fundamental freedoms;
– relevant legislation, both general and sectoral, including that concerning public security, defense, national security and criminal law
SUBJECT TO APPROPRIATE SAFEGUARDS
• Legally binding agreement between public authorities or bodies
• Standard data protection clauses in the form of template transfer clauses adopted by the Commission
• Standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission
SUBJECT TO APPROPRIATE SAFEGUARDS
• Compliance with a code of conduct approved by a supervisory authority
• Certification under an approved certification mechanism as provided for in the GDPR
• Contractual clauses authorized by the competent supervisory authority
• Provisions inserted into administrative arrangements between public authorities or bodies, authorized by the competent supervisory authority
DEROGATIONS (EXEMPTIONS)
• Necessary for the establishment, exercise or defense of legal claims
• Necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent
• Made from a register which under UK or EU law is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register)
DEROGATIONS (EXEMPTIONS)
• Made with the individual’s informed consent
• Necessary for the performance of a contract between the individual and the organization, or for pre-contractual steps taken at the individual’s request
• Necessary for the performance of a contract made in the interests of the individual between the controller and another person
• Necessary for important reasons of public interest
BINDING CORPORATE RULES
Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of the EEA
Applicants must demonstrate that their BCRs put in place adequate safeguards for protecting personal data throughout the organization
Existing model BCRs are Data Protection Directive (DPD)-related
BECOMING GDPR COMPLIANT
Step one – Understand the GDPR legal framework.
Step two – Create a Data Register.
Step three – Classify your data.
Step four – Start with your top priority.
Step five – Assess and document additional risks and processes.
Step six – Revise and repeat.
THE PROCESS
Planning and Mobilization
• Set up the team, finalize the scope
• Determine what resources are needed
• Identify process owners and stakeholders, establish a consultation plan
Perform the Assessment
• Consult stakeholders, analyze risks and legal gaps, create a risk map
• Determine the necessary controls and remediation measures to address legal gaps and risks
• Create a risk management plan, get sign-off
Implement the control framework
• Deploy risk management controls
• Address legal gaps through remediation measures
• Monitor and evaluate on a regular basis
BECOMING GDPR COMPLIANT
Prepare for your GDPR project
• Create a project plan to implement GDPR.
• Include the right stakeholders in your GDPR project
• Conduct a readiness assessment to find out what tasks you need to perform
• Define your Personal Data Policy and other top-level documents
BECOMING GDPR COMPLIANT
Create an inventory of processing activities
• List your processing activities and how these map to legitimate purposes defined in GDPR
• Be sure your company has published the necessary privacy notices for data subjects
• Define an approach to manage data subject rights
BECOMING GDPR COMPLIANT
Implement a Data Protection Impact Assessment (DPIA)
• Conduct a DPIA when initiating a new project, or when implementing a change to your information systems or a product
Secure personal data transfers
• Analyze what personal data is being transferred outside of your company, and when
• Take the necessary legal and security measures to adequately protect personal data when it is transferred outside of the company
BECOMING GDPR COMPLIANT
Amend third-party contracts
• Amend third-party contracts that include processing of personal data to become compliant with the GDPR
Ensure the security of personal and sensitive data
• Implement the necessary organizational and technical measures to protect the personal data of data subjects
• Consider privacy and protection when designing new systems and processes
Define how to handle data breaches
• Set up the processes to identify and handle personal data breaches
• Prepare for notifications to the Supervisory Authority and data subjects, if required, in the case of a personal data breach
AUTOMATED PERFORMANCE TOOLS
OneTrust
• Maintain ongoing, scalable records to demonstrate global privacy compliance
• Integrate Privacy by Design into existing processes
• Share project assessments externally
CENTRL's Privacy360
• Automate the full assessment process
• Use standard assessment templates or upload proprietary ones
• Track issues and manage the process to remediation
• Reporting and analytics
Vigilant Software
• Identify data security risks and determine the likelihood of their occurrence and impact.
• Easily review and update DPIAs when changes in processing activities occur.
• Share DPIA findings with stakeholders and data processors.
• Demonstrate that appropriate measures have been taken to comply with the requirements of the GDPR.
ONETRUST
OneTrust is the #1 most widely used privacy, security and trust technology. More than 6,000 customers, including half of the Fortune 500, use OneTrust to build integrated programs that comply with the CCPA, GDPR, LGPD, PDPA, ISO27001 and hundreds of the world’s privacy and security laws. The OneTrust platform is powered by the OneTrust Athena™ AI and robotic automation engine
https://www.onetrust.com/products/assessment-automation
PRIVACY 360
As the compliance process continues, the Data Protection Officer faces specific challenges that are preventing the company from going forth with the envisioned data privacy model
Privacy 360 is a reporting module and a perfect solution for the Data Protection Officer’s challenges. It gives a DPO an overview of all data and locations where personal information is stored about the specific data subject
https://dataprivacymanager.net/solutions/privacy-360/
VIGILANT SOFTWARE
DPIA Tool – Conduct a data protection impact assessment in six simple steps
• Assess and treat data security risks for every process in your organization.
• Easily demonstrate measures taken for GDPR (General Data Protection Regulation) compliance, essential to help you meet Article 35 requirements.
• Avoid unnecessary work with screening questions to determine if a DPIA (data protection impact assessment) is necessary.
• Export reports, and share findings with stakeholders and third parties.
• Avoid errors and ensure completeness with a proven tool, aligned with the GDPR and ICO’s (Information Commissioner’s Office) requirements.
• Review, update and maintain DPIAs year after year.
https://www.vigilantsoftware.co.uk/topic/dpia
QUESTIONS?
Any Questions? Don’t be Shy!
AUDITNET® AND CRISK ACADEMY
• If you would like forever access to this webinar recording
• If you are watching the recording, and would like to obtain CPE credit for this webinar
• Previous AuditNet® webinars are also available on-demand for CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a discount on this webinar for one week
THANK YOU!
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email: info@auditnet.org
www.auditnet.org
Follow Me on Twitter for Special Offers - @auditnet
Join my LinkedIn Group – https://www.linkedin.com/groups/44252/
Like my Facebook business page https://www.facebook.com/pg/AuditNetLLC
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel: +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino