Data Privacy
For most businesses, failing to appropriately protect the information they hold on employees, customers, business partners or the general public is a rapidly growing risk. Treated somewhat casually in the 2000s, even after laws were on national statute books, the 2018 EU-wide GDPR regulation and a series of high-profile hacks and data breaches have led to a rapid upturn in efforts to strengthen the understanding and protection of personal and sensitive personal data.
Information, People and Process
My personal areas of experience and expertise include:
* Identifying personal / sensitive personal data
* Obtaining, tracking and managing consent
* Staff training
* Incident reporting and investigation
* SARs (subject access requests)
* Breach notification
In IT Systems
Many of the controls required for privacy are the same as those required for SOX, fraud protection etc., but they seem surprisingly difficult to sustain in practice:
* Understanding where personal data is
* Identity management
* Access controls and Segregation of Duties
* Anonymisation
* Encryption (at rest and in transit)
* Logging and monitoring
What is new with the GDPR
Key changes brought by the GDPR, which has mandatory EU-wide effect in April 2018 (and to which countries can add legislation if they choose), include:
* Territorial scope clarified.
* DPOs required for large organisations or those processing sensitive personal data (SPD).
* SARs to be answered within a month.
* Stronger right of access.
* Right to deletion / to be forgotten.
* Data portability (to a different controller).
* Lawful bases for processing strengthened: consent; contract; legal obligation; vital interests of the subject; public interest; "legitimate interests" of the company.
* Consent requires a positive indication of agreement and must be easy to withdraw.
* 72-hour breach notification.
* PIAs mandatory for projects in some areas.
* Fines max. 20m or 4% of turnover.
* Applies to both processors and controllers. Clouds not exempt.
The actual GDPR regulations: