Data Governance Compliance for GDPR (dama-ny.com)
TRANSCRIPT
Monday, June 18, 2018 Information Asset Confidential
1
Data Governance Compliance for GDPR
Sunil Soares
Founder & Managing Partner
www.information-asset.com
(201) 693-2216
Information Asset
• Boutique consulting firm focused on Data Governance
• End-to-end services for the Data Governance Lifecycle including Consulting, Training, Tool Evaluation and Product Implementation
• More than 50 Data Governance projects since inception
Founder Profile – Sunil Soares
Sunil Soares is the Founder & Managing Partner of Information
Asset, a consulting firm that specializes in helping organizations
build out their data governance programs. Prior to this role, Sunil
was the Director of Information Governance at IBM.
• Sunil’s first book The IBM Data Governance Unified Process detailed the fourteen
steps to implement a data governance program.
• Sunil’s second book Selling Information Governance to the Business: Best Practices by
Industry and Job Function has separate chapters for banking, insurance, healthcare,
manufacturing, retail, travel and transportation, government, oil and gas,
telecommunications, and utilities.
• Sunil’s third book Big Data Governance: An Emerging Imperative deals with the
governance of big data.
• Sunil’s fourth book IBM InfoSphere: A Platform for Big Data Governance and Process
Data Governance deals with the governance of Big Data.
• Sunil’s fifth book is on Data Governance Tools.
• Sunil’s sixth book is The Chief Data Officer Handbook for Data Governance.
• Sunil’s seventh book is Data Governance Compliance for BCBS 239 and DFAST.
About the EU General Data Protection Regulation
• The EU published the General Data Protection Regulation (GDPR) in May 2016
• After a two-year transition period, the GDPR will go into effect on May 25, 2018
• The GDPR applies to the processing of personal data of all data subjects, including customers, employees, and prospects
• Non-compliance with the GDPR may result in huge fines, which can be the higher of €20M or four percent of the organization’s worldwide revenues
Global Data Privacy is Multi-Dimensional
• Multiple subject areas – Customer, Employee, Citizen,
Vendor…
• Emerging data types
– Internet of Things, Biometrics…
• Multiple jurisdictions
– EU, Canada, Australia, U.S….
• Rapidly changing regulations
– GDPR, CASL, HIPAA…
A 16 Step Data Governance Plan for GDPR Compliance
1. Develop Policies, Standards & Controls
2. Create Data Taxonomy
3. Confirm Data Owners
4. Identify Critical Datasets & Critical Data Elements
5. Establish Data Collection Standards
6. Define Acceptable Use Standards
7. Establish Data Masking Standards
8. Conduct Data Protection Impact Assessments
9. Conduct Vendor Risk Assessments
10. Improve Data Quality
11. Stitch Data Lineage
12. Govern Analytical Models
13. Manage End User Computing
14. Govern the Lifecycle of Information
15. Set up Data Sharing Agreements
16. Enforce Compliance with Controls
Step 1: Develop Policies, Standards and Controls
(Diagram: Data Governance, Metadata Management, Data Security)
Data Security Policies, Standards and Controls
Data Security Policy → Data Security Standards → Data Security Processes → Data Security Controls
• Data Security Policy: Support Primary Security Objectives of Organization
• Data Security Standard: Data Breach Notification
• Data Security Processes: Notification to Data Subject, Notification to Authorities
• Data Security Controls: Notify data subjects of a data breach; Notify supervisory authority within 72 hours of becoming aware of data breach
Regulations:
– California Law, Division 3, Part 4, Title 1.8 Personal Data, 1798.29: “Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California”
– General Data Protection Regulation (GDPR) – Article 33: Notification of a personal data breach to the Supervisory Authority
– General Data Protection Regulation (GDPR) – Article 34: Communication of a personal data breach to the data subject
Step 2: Create Data Taxonomy
• Collaborate with data architecture to classify data into
categories and sub-categories
– Customer, employee, prospect, vendor, franchisee
• Example for employees:
– Employee
– Salary & Benefits
– Identity
– Contacts
– Health information
– Social media
– Employee Performance
Step 3: Confirm Data Owners – Acceptable Use
(Governance organization chart with Strategic, Tactical and Operational tiers)
Strategic – Board
• Head of HR
• Data Officer
• General Counsel
• Executive Data Owners
• CISO
• Marketing Officer
• Privacy Officer
• Cross functional leadership team
• Champions data governance strategy
• Sets direction and objectives
• Final Approver on “Approved Use” of data
Advisory Council
• Legal, Risk, Compliance, Privacy, HR, and Info Security advisors
Tactical – Data Governance Leader and Managing Data Stewards
• Ensures adoption
• Champions compliance
• Establish accountability and ownership
Operational – Data Stewards and Data Steward Forums
• Business SME’s
• Technical SME’s
• Defines, executes and monitors governance processes and metrics
• Integrates acceptable use rules
• Ensures adherence of data domains across the enterprise
Step 4: Identify Critical Datasets & Critical Data Elements
• GDPR Article 4 defines ‘personal data’ as any information relating to an identified or identifiable natural person… by reference to an identifier such as name, identification number, location data, an online identifier…
• GDPR Article 9 restricts the processing of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership…
• Data Governance must work with Legal and Privacy to define ‘personal data’ for the GDPR
• Example: an item code ‘Halal’ may be covered by Article 9 because it may point to a data subject’s religion
Steps 5 & 6: Data Collection & Acceptable Use Standards
• GDPR Article 6 – Lawfulness of Processing
• GDPR Article 7 – Conditions for Consent
• Data Governance must establish controls so that Legal
and Privacy sign off on data collection for any new
project during the design phase
• Example: creating an Enterprise Consent Repository
with MDM
Step 7: Establish Data Masking Standards
• GDPR Recital 26 & Article 11 state that the principles of data protection should not apply to anonymous information
• GDPR Article 32 deals with the security of personal data
• Example: anonymizing salary benefits data for data science and analytics
Steps 8 & 9: Risk Assessments
8. Data Protection Impact Assessments (GDPR Article 35)
• May be required in cases such as where there are new data types or special categories of data such as race or ethnic origin
• Establish controls to determine whether an assessment is required when collecting or using new types of data or starting a new project
9. Vendor Risk Assessments (GDPR Article 28 – Processor)
• Data governance must ensure that legal and compliance sign off on Vendor Risk Assessments prior to sharing any personal data with vendors
• If the vendor shares any personal data with downstream processors, then legal and compliance need to sign off on vendor risk assessments with the downstream processors as well
Step 10: Data Quality (GDPR Article 16 – Right to rectification)
• FTC FIPPs require that information collectors should ensure that the data they collect is accurate and secure
• Create data standards, data quality dashboards or glossaries
• Remediate Data Issues
Step 11 : Stitch Data Lineage
• GDPR Article 30 requires organizations to maintain a record of processing activities
• This record must include:
– a description of the categories of personal data and the categories of recipients of personal data, including those in third countries or international organizations;
– transfers of personal data to a third country or an international organization
• The recordkeeping requirements also extend to so-called processors who process data on behalf of an organization
• Critical Step →Mapping of personal data elements to applications
Step 12 : Govern Analytical Models
• GDPR Article 22 deals with Automated individual decision-making
• Under many privacy laws, Automated Processing is required to be disclosed and results are subject to data subject access
• “Disparate Treatment” versus “Disparate Impact”
• Example:
– predictive models may highlight that employees who live closer to work may stay longer in their jobs, but the models may discriminate against minority candidates in certain zip codes
Step 13: Manage End User Computing
• End User Computing (EUC) applications are outside the control of the IT department
• EUCs include Microsoft Excel spreadsheets, Microsoft Access databases and SharePoint repositories
• EUCs may contain personal data that is still subject to GDPR compliance, including data masking requirements
• Example: reclaiming control over user-managed personal data with self-service tools
Step 14: Govern the Lifecycle of Information
• GDPR Article 17 deals with Right to Erasure or the
‘Right to be Forgotten’
• Manage information throughout its lifecycle (ILM), from
creation through disposal, including compliance with
legal, regulatory, and privacy requirements
• Manage retention schedules
• Example: How do you forget a data subject if you do
not know where their information resides in the first
place?
Step 15: Data Sharing Agreements
Create Data Sharing Agreements (GDPR Article 28 – Processor, GDPR Article 46 – Transfers subject to appropriate safeguards)
• “Data contracts” between divisions of the same company, legal entities or platform/application stakeholders
• Can be associated with “model contracts”, “intercompany data transfer agreements” or “Data User Agreements” to comply with the EU Data Protection Directive / GDPR, or HIPAA
Step 15: Data Sharing Agreements (cont’d)
• Documents what data is being shared and how the data can be used:
─ List of attributes being shared
─ Acceptable use standards for data being shared
─ Responsibility for data quality
─ Restrictions on how data may be shared with downstream consumers, or being re-identified or combined with other data sets
• Data Movement Agreements (DMAs) are more technically focused:
─ Ties physical data elements to a consuming system
─ One or more DMAs can be tied to a DSA
Step 16: Enforce Compliance with GDPR Controls
(Sample GDPR Articles, their description, and the GDPR Controls that address them)
• Article 6 – Lawfulness of processing: Sign-offs by legal and compliance during the design phase of any new project that requires the processing of personal data
• Article 7 – Conditions for consent: Obtain informed consent of data subjects
• Article 9 – Processing of special categories of personal data, such as race and ethnic origin: Identification of special data categories as CDEs; Sign-off by legal and compliance on usage of special categories of data during the design phase of a project
• Article 11 – Processing which does not require identification: Data masking
• Article 30 – Records of processing activities: Data lineage for sensitive data within the enterprise and extending to processors and sub-processors
Employee Data Privacy Deep Dive
Emergence of Big Data Analytics on Employee Data
Laws and Regulations Impact Ability to Collect and Use Information
Unique Privacy and Protection Challenges for Employee Data
Managing Through Data Governance
Employers have a lot of Information
It’s Growing, and is Easier to Obtain
Changing Policy: BYOD, Telecommuting, Social Media for work…
Business Data: HR Data, Benefits Data, Compliance Data
Technology: Email & Chat, Physical Access / Real Estate, Information Security, Web Logs
Personal Data: Social Media, Wearables, GPS Location, Cafeteria transactions
And there’s more… So many, many more…
There is Value in Mining Employee Data
And Not Just for HR and Talent
HR & Talent
• Who are my top talent?
• What indicates if a candidate will be successful at my company?
• Will employees having Fitbits reduce my health care costs?
• Which employees may be at risk for leaving the company?
Cyber Security
• Who is most likely to exfiltrate confidential information?
• Can we catch fraud before it occurs?
Other functions
• What life events should trigger compliance reporting?
• What work spaces lead to most successful collaboration?
Companies are Investing in Analytics
• Participants reported that creating or maturing their people analytics function is a strategic priority
• Since 2014, the increase in the number of employers using wearable technology as part of their HR strategies: 43%
• The proportion of CRE organizations that expect to be “data driven” will double from 2014 to 2017
Cyber Security
• 86% (figure as shown on the slide)
• 30% of organizations had endured at least one insider attack in the previous year
• 56% (figure as shown on the slide)
Other functions
• 4.6% increase nationwide from 2015 to 2016 in “Statistician” roles
Citations: Trends in People Analytics, PWC, 2015; 2015 survey by HR technology consulting firm Sierra-Cedar Inc.; Forrester study on behalf of JLL, June 2014; Annual cybercrime survey jointly conducted by CSO Magazine, the U.S. Secret Service, PricewaterhouseCoopers, and the Software Engineering Institute CERT program; Bureau of Labor Statistics for “Statisticians” (SOC 15-2041), August 2016
What Legal Guardrails are There?
• Anti-Discrimination laws: products that flag health or mental illness or perceived health or mental illness issues
• Workplace Monitoring: Three sets of laws - privacy, secrecy of correspondence, employment laws
• EU Data Privacy: The use of big data/predictive analytics is highly restricted under EU Member State law. Was it compatible with the original purpose?
• Private Activities / Concerted Activities: Using information collected from outside the workplace (such as on social media); restrictions imposed by the NLRB relating to concerted activity
• Social Media Passwords: In the US, employers may not request or obtain employees’ passwords to social media sites
• Least Intrusive Method: Must demonstrate that collection and use is the least privacy intrusive method of accomplishing the purpose
• Right to Access: Employees have the right to access personal information that is held about them, even predictive model outcomes
Fair Information Principles
Virtually every privacy law in the world is based
on the Fair Information Principles
Any program needs to take these into
consideration
✓Notice
✓Choice
✓Use Limitation
✓Access / Correction
✓Integrity / Accuracy / Quality
✓Minimization / Retention
✓Security
✓Monitoring and Enforcement
Ethical Considerations
Is this the type of organization we want to be?
Is this activity consistent with our core values as a company?
How would our employees feel if they learned about this activity?
How would our customers feel if they learned about this activity?
Would we be comfortable if this were on the front page of the newspaper?
Just “Mask” the Data … But How?
Data Masking: Hiding original data with random characters or data. Two approaches to data masking:
• Mask sensitive data elements
• Mask the identifiers
De-identification: Severing of a data set from the identifiers, but may include preserving identifying information which could be re-linked in certain situations
Anonymization: Removing or scrambling all “identifiers” – where a person can never be re-identified
Considerations:
• If it can be re-identified, then it may not meet regulatory requirements
• What are the identifiers?
• Sensitive data is often needed for analysis (comp., date of birth, etc.)
• Can’t be combined with other data sets – even if not sensitive
What are the Employee Identifiers ?
< Page Left Intentionally Blank Prior To Session for Exercise >
What are Employee Identifiers?
Typical Identifiers (Intended 1:1)
• Name (first, middle, last)
• SSN / TIN (other government ID’s)
• Home Street Address
• Home/Cell Phone Number
• Personal Email address
• IP addresses
Business Identifiers (Intended 1:1 / Largely Unique)
• Employee #
• Business email address
• Business (Internal) Phone Number
• System ID
• “Work” Address
• Seat #
• Business/Job Title
• “Cost Center”
Business Identifiers (Data Combinations)
• Manager &…
• Location &…
• Worker Type &…
• … others…?
One Size Does Not Fit All Business Needs
• Requires an understanding of your data and the public “decoder ring” (e.g. Employee Directory)
• Combining data sets can make data more identifiable
• May need to take a different approach for “special” populations
• Full identification may not be reasonably achieved - risk based approach based upon other security protocols
• May change to focus on dissemination versus access
• Technology is emerging that can help
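The warning that combining a masked extract with the public “decoder ring” makes data identifiable can be checked in code. The following is an added example, not material from the presentation: it runs a constructed six-row HR extract (names, employee numbers, salaries, the job-family and region mappings are all made up) against a constructed employee directory, counts how many pseudonymised rows a join on job title, cost center and location uniquely re-links, and repeats the check after those quasi-identifiers are generalized.

```python
"""Quasi-identifier linkage check for a masked employee extract.

Added example (not from the presentation). All records, the directory and
the job-family / region mappings below are constructed for illustration.
"""
import hashlib
from collections import Counter, defaultdict

# Pseudonymisation of the employee number: a salted hash replaces the value.
# The salt is a constructed placeholder, not a production secret.
SALT = b"constructed-example-salt"


def tokenize(employee_no: str) -> str:
    """Replace an employee number with a salted hash token (pseudonymisation)."""
    return hashlib.sha256(SALT + employee_no.encode()).hexdigest()[:12]


# Constructed HR extract: salary is the sensitive attribute to protect.
RAW_HR = [
    {"emp_no": "E1001", "name": "Ada Example", "title": "Data Engineer",
     "cost_center": "CC-41", "location": "Newark", "salary": 115000},
    {"emp_no": "E1002", "name": "Ben Sample", "title": "Data Engineer",
     "cost_center": "CC-41", "location": "Newark", "salary": 98000},
    {"emp_no": "E1003", "name": "Cy Demo", "title": "Payroll Analyst",
     "cost_center": "CC-17", "location": "Jersey City", "salary": 72000},
    {"emp_no": "E1004", "name": "Di Mock", "title": "Payroll Analyst",
     "cost_center": "CC-17", "location": "Hoboken", "salary": 75000},
    {"emp_no": "E1005", "name": "Ed Fixture", "title": "HR Director",
     "cost_center": "CC-17", "location": "Jersey City", "salary": 160000},
    {"emp_no": "E1006", "name": "Fay Stub", "title": "Data Scientist",
     "cost_center": "CC-41", "location": "Hoboken", "salary": 130000},
]

# Constructed public "decoder ring": the employee directory carries no salary
# and no employee number, only the name plus the same business attributes.
DIRECTORY = [
    {k: r[k] for k in ("name", "title", "cost_center", "location")} for r in RAW_HR
]

# Business attributes that are not identifiers on their own but become one
# when combined (the slide's "Data Combinations").
QUASI_IDS = ["title", "cost_center", "location"]


def mask(record: dict, keep: list) -> dict:
    """Drop name and employee number; keep only the listed columns plus a token."""
    out = {"token": tokenize(record["emp_no"])}
    out.update({k: record[k] for k in keep})
    return out


def reidentify(masked: list, directory: list, quasi_ids: list) -> dict:
    """Join masked rows to the directory on quasi_ids.

    Returns {token: name} for every masked row whose quasi-identifier
    combination matches exactly one directory entry, i.e. the rows that the
    public directory re-links to a person despite the masking.
    """
    index = defaultdict(list)
    for entry in directory:
        index[tuple(entry[q] for q in quasi_ids)].append(entry["name"])
    hits = {}
    for row in masked:
        names = index.get(tuple(row[q] for q in quasi_ids), [])
        if len(names) == 1:
            hits[row["token"]] = names[0]
    return hits


def k_anonymity(rows: list, quasi_ids: list) -> int:
    """Smallest number of rows sharing one quasi-identifier combination (k)."""
    counts = Counter(tuple(r[q] for q in quasi_ids) for r in rows)
    return min(counts.values())


# Assumed generalisation hierarchies: job title -> job family, site -> region.
JOB_FAMILY = {"Data Engineer": "Engineering", "Data Scientist": "Engineering",
              "Payroll Analyst": "HR & Finance", "HR Director": "HR & Finance"}
REGION = {"Newark": "NJ North", "Jersey City": "NJ North", "Hoboken": "NJ North"}
GENERAL_IDS = ["job_family", "region"]


def generalize(record: dict) -> dict:
    """Coarsen title and location and drop the cost center; keep other columns."""
    out = {k: v for k, v in record.items()
           if k not in ("title", "location", "cost_center")}
    out["job_family"] = JOB_FAMILY[record["title"]]
    out["region"] = REGION[record["location"]]
    return out


def linkage_report() -> dict:
    """Compare the naive masked extract with its generalised form."""
    masked = [mask(r, QUASI_IDS + ["salary"]) for r in RAW_HR]
    gen_masked = [generalize(m) for m in masked]
    gen_directory = [generalize(d) for d in DIRECTORY]
    return {
        "naive_k": k_anonymity(masked, QUASI_IDS),
        "naive_relinked": len(reidentify(masked, DIRECTORY, QUASI_IDS)),
        "generalized_k": k_anonymity(gen_masked, GENERAL_IDS),
        "generalized_relinked": len(reidentify(gen_masked, gen_directory, GENERAL_IDS)),
    }


if __name__ == "__main__":
    for key, value in linkage_report().items():
        print(f"{key}: {value}")
```

With the naive masking four of the six salary rows are re-linked to a named person even though name and employee number were removed; after generalization every quasi-identifier group holds three people and the directory join resolves nothing.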
Managing Through Data Governance
Goal of Privacy for Supporting Employee “Big Data” Efforts
• Enable businesses to gather high quality insights
• Ensure compliance with privacy laws
• Limit the invasion of privacy (or the perception of invasion of privacy)
• Protect the data
Data Governance provides a mechanism to document, govern and monitor:
• Legal/Regulatory requirements
✓ Notice
✓ Consent
✓ Use Limitation
✓ Access & Correction
• Ethical Considerations
Provide clear direction to people using the data!
Suggested Next Steps Towards GDPR Compliance
• Define ‘personal data’ for GDPR with respect to
your organization
• Map personal data elements to applications
• Above all, drive alignment between Legal,
Compliance, Privacy and Enterprise Data
Management to re-use existing data governance
program to support GDPR compliance
No Single Vendor Supports all of GDPR Compliance
Data Governance Policies, Standards, Controls, Regulations, Citations, Jurisdictions & Business Terms
(Diagram of linked objects: Jurisdiction, Regulation, Standard, Control, Business Term, Citation, Policy)
Data Lineage includes data sharing agreements and data lineage out of Workday
Identify Critical Data Elements: Term Detail Page
IT Creates Security Policies
Pessimistic Access by Tag Policy. Enables access with Tag Policy.
IT Discovers Hidden Sensitive Data
Explicit and Derived lineage. Show all data sets that have sensitive data.
IT Protects Sensitive Data: Waterline Data
Tag based access controls. Masking & filtering by Waterline discovered tags.
Fair Information Practice Principles (FIPPs)
The eight fair information principles (from the OECD Guidelines on the Protection of Privacy) are listed below:
1. Collection Limitation Principle: There should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
2. Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
3. Purpose Specification Principle: The purposes for which the personal data are collected should be specified not later than at the time of data collection, and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with the purposes and as are specified on each occasion of change of purpose.
4. Use Limitation Principle: Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified, except with the consent of the data subject or by authority of law.
Fair Information Practice Principles (FIPPs) (cont’d)
5. Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.
6. Openness Principle: There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
7. Individual Participation Principle: An individual should have the right:
• (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
• (b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him;
• (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
• (d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.
8. Accountability Principle: A data controller should be accountable for complying with measures that give effect to the principles stated above.
PRC Cyber Security Law
• China: In November 2016, the People’s Republic of China passed the Cybersecurity Law, which takes effect in June 2017. The law has been formulated to ensure network security, preserve cyberspace sovereignty and national security, and to protect the lawful rights and interests of citizens, legal persons, and other organizations. Companies operating in China must store any “personal information and other important data” gathered in-country on servers physically located within mainland China and must employ only technology deemed “secure.” Data should not be stored outside the PRC. Any data that needs to be transferred for any business purposes will require governmental permission. Failure to comply with the PRC Cybersecurity Law may result in fines for companies and personally responsible individuals, as well as revoked business licenses, website shutdowns, and other civil and criminal punishments. Organizations should continue to keep an eye out for additional guidance published by Chinese authorities to alleviate the existing uncertainty.
Map taken from https://www.cnil.fr/en/data-protection-around-the-world
Russian Federation Data Localization Law
• Russian Federation: In September 2015, Russia’s Data Protection Authority, Roskomnadzor, implemented Federal Law 242-FZ (Law 242), a personal data localization law that covers data operators of Russian companies and foreign companies with a presence in Russia that collect personal data about Russian citizens. These operators must initially “record, systematize, accumulate, store, amend, update, retrieve, and extract” data using databases physically located in Russia. Personal data of Russian nationals can still be transferred to foreign databases, but only after having first been processed in Russia and subject to compliance with Russian cross-border transfer rules. Although penalties for noncompliance have not been finalized, they most likely will range from potential fines to, in extreme cases, Roskomnadzor’s recommendation to block access to a foreign company’s online services (e.g., Roskomnadzor’s proposed block of LinkedIn® as a result of that company’s failure to transfer Russian user data to data servers physically located in Russia).
Map taken from https://www.cnil.fr/en/data-protection-around-the-world
Australia’s Privacy Act
Australia’s Privacy Act of 1988 regulates the
handling of personal information about individuals.
There are 13 Australian Privacy Principles (APPs),
which regulate the collection, use, storage, and
disclosure of “personal information” as well as
ensure that individuals can access and correct their
information. In 2012, Australia introduced the
Privacy Amendment (Enhancing Privacy Protection)
Act, which gives power to the Office of the
Australian Information Commissioner (OAIC), an
independent statutory agency, to monitor
compliance with privacy policies and the handling of
personal information.
Map taken from https://www.cnil.fr/en/data-protection-around-the-world
Singapore’s Personal Data Protection Act
Singapore’s Personal Data Protection Act 2012 was
assented to by the President, Tony Tan Keng Yam,
on November 20, 2012. The act was created to aid in
the governance of the collection, use, and disclosure
of personal data by organizations as well as to
establish a Do Not Call Register. The purpose of the
act, while providing governance, also recognizes the
rights of individuals to protect their personal data
and the need of organizations to collect, use, or
disclose personal data for appropriate practices. The
act is administered by the Personal Data Protection
Commission, which also promotes awareness across
the country for data protection, serves as an advisor,
and represents the government internationally on
data protection matters. Section 26 of Part VI of
the Personal Data Protection Act states that
organizations shall not transfer any personal data to
a country or territory outside Singapore unless the
commission allows an exemption.
Map taken from https://www.cnil.fr/en/data-protection-around-the-world
Enforce Compliance for Data Sovereignty
(Regulation example, its description, and the controls that address it)
• Australia Privacy Act, Principle 8 (Cross-border disclosure of personal information): Sign-offs by legal and compliance during the design phase of any new project that requires the processing of personal data
• Singapore PDPA, Second Schedule (Conditions for consent; collection, processing, keeping, use, and disclosure of personal data): Obtain informed consent of data subjects
• HIPAA Privacy Rule’s de-identification standard (Processing which does not require identification): Data masking