Source: isacaghana.org/wp-content/uploads/2016/06/isaca... (slide deck transcript)

A FRAMEWORK FOR DATA CONTROLLERS

DATA PRIVACY

THE SPEAKER: Desmond Israel, Enterprise Privacy & Security Practitioner (LLB, BSc, CASP, QCS(VM), CCNSP, CCSC)

REPRESENTING: Teki Akuetteh Falconer (Mrs), Executive Director, Data Protection Commission, Ghana

EXPERIENCE:
- 3 years in Data Privacy
- 10 years in IT Security
- 12 years in IT Business Development
- 8 years in Public Speaking (IT Subject-Matter Expert)

BIO

The Data Protection Compliance Reporting Framework sets out data controllers' compliance reporting mechanism to the Data Protection Commission.

Regulatory Compliance Reporting Framework (CRF)

Part of the Commission's overall approach to ensuring compliance in accordance with the Data Protection Act, 2012 (Act 843).

Purpose: Safeguard and enhance data protection through effective and timely regulation of data controllers.

How: Yearly reporting and auditing mechanism.

INTRODUCTION

This compliance reporting tool has three main components:
- Data Protection Compliance Guide
- Compliance Reporting Mechanisms & Auditing Processes
- Compliance Fee Structure

INTRODUCTION

What does the compliance guide entail?

- It is expected that data controllers should meet these requirements for compliance.
- It is aimed at those who have responsibilities for data protection in an organisation (e.g. the data supervisor).
- It helps managers and administrators to understand the full range of data protection issues when processing personal data.

Compliance Guide

1# General Management
1. Policy on data protection.
2. Access to personal data, training and guidance.
3. Contractual and other arrangements relating to third party processing of personal data.
4. Privacy impact assessment.

Compliance Guide

2# Lawfulness of Processing
- Full extent of the processing which is authorised by law and/or regulations.
- Proof of lawful processing.

3# Transparency of processing
- Awareness of data subjects.
- Practical or technical difficulties in meeting the requirement.
- Reasons for not meeting the requirement, if any.

Compliance Guide

4# Quality of personal data
- Assessment to ensure that personal data is 'adequate, relevant and not excessive' in the context of each particular purpose.
- Practical or technical difficulties in meeting the requirements.

5# Retention and reasons for retention

Compliance Guide

6# Security safeguards of personal data
- Security policy that covers all aspects of the processing of personal data.
- Evidence of implementation of security controls or procedures in accordance with such policy.
- Measures to ensure the integrity of the personal data and of its processing.
- Considerations taken into account during the development, purchase or acquisition of hardware and software.
- Confidentiality.
- Data sharing and cross-border data transfers.

Compliance Guide

7# Rights of Data Subjects
- Policies and procedures that guarantee the rights of the Data Subjects, such as being informed of the nature of the processing of personal data, receiving confirmation as to whether or not personal data about them is being processed, correction of personal data, etc.
- Practical or technical difficulties in meeting such requirements.

Compliance Guide

8# Notification policy and procedures
- Policies and procedures on notification of security compromises.
- Security compromises registered.
- Notifications filed in accordance with the law.

9# Registration
- Registration status and number.

Compliance Guide

10# Training & Education
- The levels of awareness of data protection within the organisation.
- Staff awareness of their data protection responsibilities, including the need for confidentiality.
- Data protection training programme for staff.

Compliance Guide

11# Co-ordination and Compliance
- Evidence of appointment of a data protection supervisor and/or compliance person.
- Staff awareness of their role.
- Mechanisms in place for formal review by the supervisor of activities within the organisation.

Compliance Guide

Reporting compliance and a look at the audit process

It is envisaged that this process may take between one (1) month and three (3) months, depending on the capacity of the Data Controller.

Auditing & Reporting

The process will entail the following:
- Filing of the externally audited compliance report online.
- Payment of appropriate fees.
- Assessment of the report by the Commission through further checks by staff or third party consultants on her behalf.
- Issuing of the Commission's interim report to the Data Controller.
- Giving of timelines to ensure full compliance.
- Follow-up enforcement actions.
- Publication of the Commission's final report and compliance status (Full Compliance, Partial Compliance, Poor Compliance, Non-Compliance).

Auditing & Reporting

Compliance Cycle (flow diagram on the slide, reconstructed as a sequence):

Filing of Compliance / Payment of Fees -> Assessment -> Issue of Interim Report -> Timelines for Compliance -> Filing of updated report -> Follow-up enforcement actions -> Publication of Compliance Status

Auditing & Reporting

Compliance Fees & other matters

CATEGORY     NUMBER OF PERSONAL RECORDS
Category A   Above 1,000,001
Category B   500,001 – 1,000,000
Category C   100,001 – 500,000
Category D   80,001 – 100,000
Category E   70,001 – 80,000
Category F   60,001 – 70,000
Category G   50,001 – 60,000
Category H   40,001 – 50,000
Category I   30,001 – 40,000
Category J   20,001 – 30,000
Category K   5,001 – 20,000
Category L   1 – 5,000

Compliance & Fee Structure

COBiT 4.1 Control Objectives mapped to Key Areas and the DP Audit Compliance Guide

Deliver & Support, DS11 Domain: Manage Data

DS11.1  Business Requirements for data management
        Key areas: Input for design; Minimizing errors and omission; Error-handling procedures
        DP Audit Compliance Guide: REQ.01 General Management; REQ.09 Registration; REQ.02 Lawfulness of Processing

DS11.2  Storage & Retention Arrangements
        Key areas: Document preparation; Segregation of duties
        DP Audit Compliance Guide: REQ.05 Retention and reasons for retention; REQ.11 Co-ordination and Compliance

DS11.3  Media Library Management Systems
        Key areas: Completeness and accuracy
        DP Audit Compliance Guide: REQ.04 Quality of personal data

DS11.4  Disposal
        Key areas: Detection, reporting & correction
        DP Audit Compliance Guide: REQ.07 Rights of Data Subjects; REQ.08 Notification policy and procedures

DS11.5  Backup and restoration
        Key areas: Legal requirements; Retrieval & reconstruction mechanism
        DP Audit Compliance Guide: REQ.03 Transparency of processing & Awareness of data subjects

DS11.6  Security requirements for Data Management
        Key areas: Data input by authorized staff
        DP Audit Compliance Guide: REQ.06 Security safeguards of personal data; REQ.11 Co-ordination and Compliance; REQ.10 Training & Education

CoBiT 4.1 Aligned

Miscellaneous

My ten rules for data protection compliance as a practitioner

1. Consent

2. Sensitive data

3. Individual rights

4. Review files

5. Disposal of records

6. Accuracy

7. Security

8. Disclosing data

9. Worldwide transfer

10. Third party processors

Merits of Data Protection Registration:
- Legal Compliance
- Avoiding Fines
- Better Business Management
- Customer Security

Challenges of Data Protection Registration:
- Strict Maintenance of Data
- The Cost
- Training
- Data Protection Procedures


QUESTIONS & ANSWERS