• HOME
  • ETHICS & COMPLIANCE
    • E&C- Organisation, Tone, Culture
    • E&C - ABC, COI & AML
    • E&C - Antitrust & Competition Law
    • E&C - Fraud and Theft
    • E&C - Trade Controls & Sanctions
    • E&C - Data Privacy
    • E&C- Business & Country Risk
  • CYBER-SECURITY
  • KENYA
    • Multi-Party Politics in Kenya
    • Kenya: A History Since Independence
    • Other Writings on Kenya
    • Kenya Photographs
  • KENYA BLOG
  • BLOG
  • BIOGRAPHY
    • IT-Related Articles
  • CONTACT

Data Privacy

For most businesses, the risk associated with failing to protect appropriately the information they hold on employees, customers, business partners or the general public is growing rapidly. Treated somewhat casually in the 2000s, even after laws were on national statute books, the EU-wide GDPR (in force since 25 May 2018) and a series of high-profile hacks and data breaches have led to a rapid upturn in efforts to strengthen understanding and protection of personal and sensitive personal data.
Information, People and Process

My personal areas of experience and expertise include:

* Identifying personal / sensitive personal data
* Obtaining, tracking and managing consent
* Staff training
* Incident reporting and investigation
* Subject Access Requests (SARs)
* Breach notification
In IT Systems

Many of the controls required for privacy are the same as those required for SOX, fraud prevention etc., but they seem surprisingly difficult to sustain in practice:

* Understanding where personal data is (a data inventory)
* Identity management
* Access controls and Segregation of Duties
* Anonymisation and pseudonymisation
* Encryption (at rest and in transit)
* Logging and monitoring
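Anonymisation is the control in the list above that is most often done wrong: hashing an identifier is frequently presented as anonymisation, but an unkeyed hash of a low-entropy field (a date of birth, a phone number) can be reversed simply by enumerating the possible inputs. The Python below is an added example, not code from the original page: it pseudonymises the identifying fields of some constructed records with a keyed hash (HMAC-SHA256), so that records about the same person still link but the values cannot be recovered without the key, and then shows the brute force that defeats the unkeyed alternative. The records, the key and the set of identifier fields are assumptions made for illustration.

```python
"""Pseudonymising personal-data fields with a keyed hash (HMAC-SHA256).

Added illustration only; not code from the original page. The records, the
key and the field names are constructed for the example.
"""
import hashlib
import hmac
from datetime import date, timedelta
from typing import Optional

# Constructed sample records: no real people.
RECORDS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com",
     "dob": "1984-03-09", "order_total": 120.50},
    {"id": 2, "name": "Bob Sample", "email": "bob@example.org",
     "dob": "1991-11-23", "order_total": 35.00},
    {"id": 3, "name": "Alice Example", "email": "alice@example.com",
     "dob": "1984-03-09", "order_total": 9.99},
]

# Fields treated as direct identifiers. In practice this set comes from the
# data inventory ("where is personal data"), not from a hard-coded constant.
DIRECT_IDENTIFIERS = {"name", "email", "dob"}

# Constructed key. In a real system it lives in a secrets store or KMS,
# separate from the pseudonymised data and from the analysts who use it:
# whoever holds both key and data can re-identify, so under GDPR Art. 4(5)
# and Recital 26 the output is still personal data, just better protected.
KEY = b"constructed-example-key-do-not-reuse"


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash of one identifier value.

    Same key and same value give the same token, so records about the same
    person can still be linked (analytics, de-duplication); without the key
    the token cannot be turned back into the value.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256, the 'anonymisation' this example warns against."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise(record: dict, key: bytes) -> dict:
    """Return a copy of `record` with direct identifiers replaced by tokens."""
    return {
        field: pseudonym(str(value), key) if field in DIRECT_IDENTIFIERS else value
        for field, value in record.items()
    }


def recover_dob_from_digest(digest: str, first_year: int = 1900,
                            last_year: int = 2020) -> Optional[str]:
    """Brute-force an unkeyed SHA-256 of an ISO date of birth.

    There are only about 44,000 dates in the range, so an unkeyed hash of a
    low-entropy identifier is not anonymisation: anyone holding the digest
    can enumerate the input space and recover the value. Against a keyed
    token from pseudonym() the same search finds nothing.
    """
    day = date(first_year, 1, 1)
    end = date(last_year, 12, 31)
    while day <= end:
        candidate = day.isoformat()
        if plain_hash(candidate) == digest:
            return candidate
        day += timedelta(days=1)
    return None


if __name__ == "__main__":
    tokens = [pseudonymise(r, KEY) for r in RECORDS]
    for t in tokens:
        print(t)
    # Records 1 and 3 concern the same person and still link by token.
    assert tokens[0]["email"] == tokens[2]["email"]
    # The unkeyed hash of the date of birth is reversible; the keyed token is not.
    print("plain SHA-256 recovered:", recover_dob_from_digest(plain_hash("1984-03-09")))
    print("HMAC token recovered:", recover_dob_from_digest(tokens[0]["dob"]))
```

The design point is the separation of key and data: the pseudonymised dataset can be handed to analysts or a third-party processor, and only the function that holds the key (ideally a small, audited service) can map a token back to a person. Note also that the non-identifying fields are left intact; combinations of such fields can still single people out, which is why the data inventory, not a regex, should decide what counts as an identifier.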

What is new with the GDPR

Key changes brought by the GDPR, which applies directly in every EU member state from 25 May 2018 (member states may add national legislation in the areas the Regulation leaves open to them), include:

* Territorial scope clarified: it also applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.
* Data Protection Officers (DPOs) mandatory for public authorities, for organisations whose core activities involve large-scale regular and systematic monitoring of individuals, and for large-scale processing of sensitive personal data (special category data).
* Subject Access Requests (SARs) to be answered within a month (extendable by two further months for complex or numerous requests).
* Stronger right of access.
* Right to erasure ("right to be forgotten").
* Data portability (to a different controller).
* Lawful bases for processing set out explicitly: consent; contract; legal obligation; vital interests of the data subject; public task; "legitimate interests" of the company.
* Consent requires a clear, affirmative indication of agreement and must be as easy to withdraw as it was to give.
* Breach notification to the supervisory authority within 72 hours of becoming aware of the breach (unless it is unlikely to result in a risk to individuals), and to the affected individuals without undue delay where the risk is high.
* Data Protection Impact Assessments (DPIAs, the GDPR's name for PIAs) mandatory for high-risk processing, such as large-scale processing of sensitive data or systematic monitoring.
* Fines of up to €20m or 4% of worldwide annual turnover, whichever is higher.
* Applies to both processors and controllers. Cloud providers are not exempt.
The actual GDPR text, as published in the Official Journal of the EU: regulation_oj_en.pdf

Copyright © 2023