1. The Road Ahead: Practical Implications & Best Practices
PRIVACY & DATA PROTECTION
Phani Krishna, CISA, CISM, CISSP, CAIIB...Head of IT Audit, Essentra Plc.
Disclaimer: The views, opinions, findings, and conclusions or recommendations expressed in this presentation are strictly those of the presenter and are for information purposes only. They do not necessarily reflect the views of Essentra or the other organizations served by the presenter. Essentra or the other organizations served take no responsibility for any errors or omissions in, or for the correctness of, the information contained in this presentation.
‘Privacy’, a noun: “A state in which one is not observed or disturbed by other people” or “The state of being free from public attention”
2. What are we planning to cover?
Introduction to Privacy & Data Protection
PII definition and Scope
Data protection Law & Regulation
ASIA (India)
EMEA (EU)
Americas (USA)
Practical Implications of Privacy & GDPR
Objectives
Rights of Data subjects
Organizational Requirements
Best Practices for GDPR compliance
Assessment
Framework & Controls
Compliance
4. Privacy & Data Protection
[Diagram: Data/Information; Privacy; Security; Legal; Compliance]
‘Privacy’ of a natural living person is the state of not being observed or disturbed without their explicit consent to do so.
8. Data protection Law & Regulation
[Figure: Forrester’s 2016 Data Protection Heat Map: countries are continuing to move toward the Europe standard for data protection. Map callouts:]
• (from 1 June 2017) Failure to report leakage, damage or loss of personal data
• Disclosure of personal information in breach of a lawful contract or without consent
• Serious or repeated breach of the Australian Privacy Principles
• Privacy Directives / EU GDPR
• Privacy Shield
• Industry specific, such as HIPAA / Privacy Act 1974
• 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (updated 2013): only recommended to member countries
• Global Privacy Enforcement Network (GPEN)
10. Privacy objectives of General Data Protection Regulation (GDPR)
1 Protect the privacy rights
2 Uniform regulation across the EU
3 Define (widen) the scope of PII
4 Uniform cross-border data transfers
5 Address the online data privacy concerns
6 Facilitate economic activities with uniform privacy requirements
7 Harmonize the regulatory oversight
11. Rights of Data Subjects
Data Subject - Right to privacy:
• Know the Why? How? Where? Till when? etc.
• Request information through a defined method
• Request to rectify/modify
• Object to transfer or processing
• Right to be forgotten
• Data portability without hindrance where feasible
• Object to automated decision making, including profiling
12. Organizational Requirements
• Collection: Legitimate, specified & explicit consent
• Data: Adequate, relevant and limited
• Process: Lawful, transparent & fair
• Quality: Accurate & up to date
• Retention: As consented & necessary
• Secure: Protect - State of the Art
• Accountability: Controllers & Processors – Civil & Criminal Liabilities
• Breach: Detect, Contain & Notify – Administrative Fines
• One Stop: One stop Data Protection Authority for EU business
16. GDPR Compliance Best practices
[Diagram: Enterprise GRC Framework]
Assessment
Framework & Controls:
• Privacy by design – Data Minimization
• Data Quality & Rights Management
• Data Protection Officer
• Encryption & IT Security best practices
• Cross Border Data transfer
• Certification
• Logging & Monitoring