This is an example training in the context of IS/DPP (information security, data protection and privacy).
It is a training directed at procurement officers and outsourcing managers.
The general idea is that procurement officers and outsourcing managers support the company's or group's inventory and overview of third-party relationships. With governance implemented well through procurement officers and outsourcing managers, it should be easier to keep that overview up to date through the existing processes for managing (most) third-party relationships, thus increasing ownership of and awareness about information security and privacy.
2. 2- Classification: internal - Page
“Level-up”
In addition to the baseline training for all staff
Applicable to specific staff, in this case: procurement officers
Why?
- Procurement officers (help) manage the relationship with external
parties in the organisation. They are the center of competence and
(single) point of contact on the matter.
- Therefore project managers are well-placed champions for IS/DPP.
- The business (as usual) should be able to attract, contract, and follow up the external relationship, which should (a) avoid working with untrustworthy counterparties, and (b) allow enforcement of compliance.
YOUR MISSION, should you choose to accept it…
Support, in and as Business-As-Usual, the organisational aspect of IS/DPP by acting as center of competence with regard to relationship management of external parties:
– selecting counterparties: screening & vetting candidates
– contract negotiations: documenting commitment
– follow up: guiding (and triggering) follow-up
Masters of the Process
Select
• RFI, RFP, BaFO
• Questionnaires and Questions
Contract
• Negotiations (need-to-have v nice-to-have)
• Risk Acceptance (as the case may be)
• Execution (and retention)
Follow-up
• Informal: “wine and dine”, relationship management, …
• Formal: questionnaires, audit, …
• Special: rights of data subjects (e.g. rectification, block)
External Parties
[Diagram: COMPANY, with its procurement group, at the center; surrounding parties: vendors, service providers (SP), clients and sub-processors.]
Contractual basis:
1. Confidentiality
2. Personal Data: DP schedule
Enforcement
Personal Data Protection: Different Levels
- Internal
- Processor in a “safe country”
- Processor in an “unsafe country”
Internal (FYI)
Concentric circle controls
1 Perimeter control: controlled access to the buildings, e.g. zoning on a risk basis, security alarms, locked doors, surveillance cameras, security guards (day/night), entrance controls (badge, biometrics, …), identified and guided visitors
2 Network control: controlled access to the network, e.g. firewalls, virus scans (incl. malware, spyware, …)
3 Server access control: zoning on a risk basis, monitoring (high-level permanent/sample or exception based periodic)
4 Secure data deletion: shredders, instructions, waste baskets, …
5 Data loss prevention
DP training for legal and quality, 24 November 2014, Slide 8
Summary Content
Equipment access control: deny unauthorised persons access to data-processing equipment used for processing personal data
Data media control: prevent the unauthorised reading, copying, modification or removal of data media
Storage control: prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data
User control: prevent the use of automated data-processing systems by unauthorised persons using data communication equipment
Data access control: ensure that persons authorised to use an automated data-processing system only have access to the data covered by their access authorisation
Communication control: ensure that it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available using data communication equipment
Input control: ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems and when and by whom the data were input
Transport control: prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media
Recovery: ensure that installed systems may, in case of interruption, be restored
Reliability & Integrity: ensure that the functions of the system perform, that the appearance of faults in the functions is reported and that stored data cannot be corrupted by means of a malfunctioning of the system
Insert policy overview / visualisation
Gradations of topo-risk
Adequate level of protection: Argentina, Australia, Canada, Faeroe Islands, Guernsey, Isle of Man, Israel, Jersey, Switzerland, Uruguay, (USA)
Norway, Liechtenstein, Iceland
No adequate level of protection:
- Contractual clauses
- Other
Processor in a “safe” country
Part of the selection process: sufficient guarantees on measures wrt the data processing operation
Binding clauses:
- Processor only acts on instruction of the controller
- Legal requirements of internal measures must bind the processor
Follow-up: ensure compliance with measures wrt the data processing operation
OR NOT, if you have a template
Processor in an “unsafe” country
Reference is made to the legitimacy topic.
Controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights which are authorized under applicable (national) law.
Same as other processors: binding clauses
Specific basis for legitimacy: balance test, legal requirement, implied consent, explicit consent, limited, SCC
Layers & Dimensions
[Diagram labels: Environment, Physical, Human, Device, Application, Repository, Carrier; Network, Data, 3rd Parties]
Changes
• In the regulatory environment
• In processes
• In people (JLT)
• In technology
We are going to give this person access to
- our premises?
- our network?
- our devices?
- our applications?
- our data?
- …
Input: Risk Assessment (Privacy Impact Assessment)
- Data set and data flow description
- Risk mitigating / sharing measures (as foreseen)
  - Technical measures (+ point of contact)
  - Organisational measures: documented (a.o. who can/should have access?); communication/training/awareness [plan]
- Residual risk acceptance (if any, may come after negotiations)
Risk assessment (different versions): before “outsourcing” (legacy = absent); after “outsourcing”
Document: Data Sets (first 3 criteria)
Source of the data: Objective / Subjective; Data Subject / Generated ourselves / 3rd party / …
Purpose for the data: Credit review, AML screening, profiling, contact in execution of agreement, marketing, segmentation, …
Data subject: Customer, cardholder, prospect, candidate, staff member, contact at supplier, contact at corporate customer, …
Data fields: Free fields: Name, address, free comment, meeting report, …; Dropdown lists: Country, Title, Status, …
Special categories of data: Financial data, card data (PCI), …; Relating to race, ethnic origin, (political, philosophical, religious) beliefs, trade union membership, sexual life; Health data / Judicial data (related to litigation, criminal sanctions, presumptions of criminal facts, …)
(Estimated) volume: By number of data subjects, by number of data fields per data subject, …
Document: Risks
Data Classification: Give the full data classification per data set.
Risks identified: What risks were identified in terms of the different layers of information security and data protection?
Qualitative measure of the risk: Likelihood x impact
Quantitative measure of the risk: (if possible) more detailed calculations based on statistical models (e.g. Monte Carlo)
Validation by CISO: The CISO has to validate all information risk assessments.
Validation by DPO (for personal data): The DPO has to validate all personal data related risk assessments.
Document: Risk Approach
Risk Mitigating Measures: For every risk identified, the mitigating measures, technical and/or organisational (incl. first line controls).
Risk Sharing Measures: For every risk identified, if applied, the risk sharing measures: agreements, insurances, etc.
Residual Risk: For every risk identified, the residual risk (incl. assessment in terms of likelihood and impact).
Comparison to 1st Risk Assessment: Preferably visually (matrix)
Validation by CISO: The CISO has to validate all information risk approaches.
Validation by DPO (for personal data): The DPO has to validate all personal data related risk approaches.
Residual Risk Acceptance (if any): The decision by the ExCo or, as the case may be, a steering committee to which the project follow-up was delegated.
New risk acceptance or measures, if and when the risk assessment has shown a change in risk profile. Escalate via CISO or DPO.
Document: Data Flows
Data set transferred: (see data set for further detail)
Source of the data: In principle the repository you are responsible for as Information Asset Owner
Recipient of the data: Within company / between GROUP companies / Third Party (processing on COMPANY’s behalf) / Third Party (processing on own behalf)
Purpose for use by the recipient: To allow alignment with the original purpose and fitness of the data set
Operational description of transfer: Automatic or manual intervention, format (xls, xml, CODA, …), channel, frequency of the transfer, …
Security of the transfer: Measures taken to ensure the secure transfer, both technical (e.g. encryption) and organisational (e.g. double channel for transfer of package and key)
Assurance by recipient: To keep the data secure and confidential, not to use the data for other purposes than described, not to further transfer the data, to update the data at request of IAO, …
Validation: Validation by CISO (always) and DPO (personal data)
Data Export – Data Import
Data exporter: different capacities possible: controller or processor.
Data importer: different capacities possible: controller or (sub-)processor.
So: [diagram of the resulting exporter/importer combinations, with a controller or a processor on each side]
Add the geographic aspect.
Principles of Follow-Up
Periodic risk-based review of the relations.
[Diagram: approaches plotted against risk and time]
Approaches: informal, audit, assurance, questionnaire, relationship management, on site visit
Especially Relevant Policy Documents
• Outsourcing Policy
• Third Party Assessment Procedure
• Third Party Contracting Procedure
• Third Party Follow-up Procedure
• Secure Information Exchange Procedure
• Secure Development Policy
• JLT Procedure
• Joiner Checklist template
• Leaver Checklist template
• Transfer = Leaver + Joiner
Locations: (Sharepoint) (Folder) x:HROnboarding Docs, x:HROnboarding, x:HRLeavers
Especially Relevant Policy Documents
• Outsourcing Documents
• IS/DPP questionnaire
• Bodyshopping template
• IS/DPP Contract Schedule (basic)
• EU Standard Contractual Clauses (Controller-to-Controller, Controller-to-Processor)
• Templates for specific situations (project “NDAs”, etc.)
Locations: (Sharepoint) (Folder)
Relevant Points of Contact
Input for the assessment: Project manager; Information Asset Owner (see Inventory)
Sounding board and support on contracting: Legal (name)
Sparring partner for follow-up: Information Asset Owner (see Inventory)
Review of IS/DPP questionnaire answers: CISO (name); DPO (personal data) (name)
Source: Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters
http://eur-lex.europa.eu/Notice.do?val=485881:cs&lang=en&list=485860:cs,485859:cs,485881:cs,485858:cs,485857:cs,485856:cs,485855:cs,485880:cs,485879:cs,&pos=3&page=1&nbl=9&pgs=10&hwords=&checktexte=checkbox&visu=#texte
(a) deny unauthorised persons access to data-processing equipment used for processing personal data (equipment access control);
(b) prevent the unauthorised reading, copying, modification or removal of data media (data media control);
(c) prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control);
(d) prevent the use of automated data-processing systems by unauthorised persons using data communication equipment (user control);
(e) ensure that persons authorised to use an automated data-processing system only have access to the data covered by their access authorisation (data access control);
(f) ensure that it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available using data communication equipment (communication control);
(g) ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems and when and by whom the data were input (input control);
(h) prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media (transport control);
(i) ensure that installed systems may, in case of interruption, be restored (recovery);
(j) ensure that the functions of the system perform, that the appearance of faults in the functions is reported (reliability) and that stored data cannot be corrupted by means of a malfunctioning of the system (integrity).
When personal data is transferred to another country, the controller must ensure an adequate level of protection for personal data or take appropriate compensating measures.
An adequate level of protection is considered to be ensured when:
- the recipient country is an EU member State, Norway, Liechtenstein or Iceland
- the recipient country is a country on which the EU Commission has decided that it provides an adequate level of protection in the context of the Personal Data Protection Directive
- the agreement with the recipient contains standard contractual clauses on which the EU Commission has decided that they offer sufficient safeguards (more information can be found on the website of the Article 29 Working Party: http://ec.europa.eu/justice_home/fsj/privacy/thridcountries/index_en.htm)
- the agreement with the recipient contains contractual clauses where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights which are authorized under applicable (national) law
Only when it is not reasonably possible to ensure an adequate level of protection, the controller has to take reasonable measures to inform the data subject and ensure that:
- the data subject has given his consent unambiguously to the proposed transfer; or
- the transfer is necessary for the performance of a contract between the data subject and the controller; or
- the transfer is necessary for the implementation of pre-contractual measures taken in response to the data subject's request; or
- the transfer is necessary for the conclusion of a contract concluded in the interest of the data subject between the controller and a third party; or
- the transfer is necessary for the performance of a contract concluded in the interest of the data subject between the controller and a third party; or
- the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
- the transfer is necessary in order to protect the vital interests of the data subject; or
- the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.
Article 17, 2-4 EU Directive 1995/46
The controller(s) must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.
The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
- the processor shall act only on instructions from the controller,
- the obligations set out in paragraph 1 of Article 17, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.
For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in rule 5.2 shall be in writing or in another equivalent form.