GDPR training session 2

EU General Data Protection Regulation (GDPR)

Wale Omolere – February 2017


Page 2

Topics
• GDPR Assessment Readiness
• How to Conduct Gap Analysis
• How to Develop GDPR Questions
• Response to Questions and Recommendations
• Data Mapping Analysis
• Data Management Lifecycle
• Data Governance

Page 3

GDPR Roadmap
• Assessment
• Develop Plan
• Build Consensus
• Implement Program

Page 4

Assess Readiness

Readiness assessment workflow (input: GDPR Regulation):
• Gather Key Requirements
• Analyse Information
• Conduct Gap Analysis
• Document Report
• Communicate Report
• Assess Business Impact
• Peer Review Information (with Management team)
• Peer Review Information (with SMEs)

Page 5

What is Gap Analysis?

Gap analysis is a technique that businesses use to determine what steps need to be taken in order to move from their current state to their desired future state.

[Figure: gap analysis chart plotting "CI is here" (current state) and "CI wants to be here" (target state) against time; the distance between the two is labelled "GDPR Compliance Gap".]

Page 6

Calculating the "Gap"

Questions:
1. Where are we now?
2. Where do we want to be?
3. How will we get there?
4. When will we get there?

The point between where you are NOW and where you want to BE is known as the gap. Calculating the "gap" is known as gap analysis, and it starts with information gathering – by asking the right questions.

Page 7

Conducting Gap Analysis (Activities)

Goal: Gain an understanding of Careers Insight's current compliance posture.

Task No. 1 – Gap analysis
Activities (input):
• Review regulatory requirements
• Prepare and send GDPR Assessment Questionnaires
• Review responses to the completed GDPR assessment questionnaire
• (OPTIONAL) Conduct staff interviews/calls
Output: Gap analysis report

Page 8

Gap Analysis Exercise Steps

Step 1 – Pre-Assessment Phase
• Meeting with key stakeholders / SMEs
• Walk-through of engagement activities, and agree roles
• Confirm regulatory requirements have been provided
• Review existing Data Protection Policy (if available)
• Review existing Information Security Policy documents (if available)
• Provide questions to support information gathering in advance of the on-site workshop & Gap Analysis

Page 9

GDPR Assessment Questionnaires 1-1

Columns: # (Article) | Article Title | Questions | Condition (Y/N)

Article 4 – Definition of personal data
• Do you have a complete knowledge of your information assets? (Condition: No)
• Do you know the location and the flow of personal data into your organisation? (Condition: No)

Article 6 – Lawfulness of processing
• When processing data for a purpose other than the one for which it was originally collected, do you assess whether it is compatible with the original purpose and identify appropriate safeguards? (Condition: No)

Article 7 – Conditions for consent
• Do you obtain consent from data subjects prior to processing their data? (Condition: No)
• Do you stop processing personal data when a data subject withdraws consent? (Condition: No)

Article 15 – Right of access by the data subject
• Do you enable individuals to get access to the personal data you hold about them? (Condition: No)

Article 17 – Right to erasure ("right to be forgotten")
• Do you erase personal data when requested by data subjects (where required by law)? (Condition: No)
• Do operating procedures provide guidance for analysing and responding to requests for erasure? (Condition: No)

Article 33 – Notification of a personal data breach to the supervisory authority
• Have you identified activities related to processing special categories of personal data and documented the legal basis for processing (e.g., consent, contract, vital interests, legitimate activities, etc.)? (Condition: No)

Page 10

GDPR Assessment Questionnaires 1-2

Columns: # (Article) | Article Title | Questions | Condition (Y/N)

Article 20 – Right to data portability
• Do you provide personal data in a structured and commonly used machine-readable format when requested? (Condition: No)
• Do operating procedures provide guidance for analysing and responding to requests for data portability? (Condition: No)

Article 32 – Security of processing
• Have you conducted (or reviewed) an audit of access to personal data to determine whether existing procedures are appropriate based on the purpose for which the data was collected and the nature of access? (Condition: No)
• Do you have in place technical security and organisational measures to protect the confidentiality, integrity and availability of personal data? (Condition: No)

Article 33 – Notification of a personal data breach to the supervisory authority
• Do operating procedures provide guidance for identifying, escalating, and responding to data breaches, including notification to supervisory authorities, controllers, and data subjects? (Condition: No)
• Do you maintain records related to personal data breaches? (Condition: No)

Article 34 – Communication of a personal data breach to the data subject
• Do you maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol? (Condition: No)

Page 11

Gap Analysis Report

Columns: Article | Gap | Risk Level | Subject Matter Owners | Recommended Actions

Article 4
Gap: No information on how data is received and where it is stored
Risk level: VERY HIGH
Subject matter owner: Business
Recommended actions: Conduct a comprehensive data mapping analysis – depict data origin, path and storage

Article 6
Gap: No record of policies/procedures for primary / secondary uses of personal data
Risk level: VERY HIGH
Subject matter owner: Business
Recommended actions: Develop a personal data usage/handling policy; conduct PIAs/DPIAs for changes to existing programs, systems, or processes; establish the legal basis (if any) for processing personal data

Article 7
Gap: No procedures to respond to requests to opt out of, restrict or object to processing
Risk level: VERY HIGH
Subject matter owner: Business
Recommended actions: Develop a marketing communications plan (workflow) for customer opt-in & opt-out; develop a data handling policy

Article 15
Gap: No procedures to respond to requests for access to personal data
Risk level: VERY HIGH
Subject matter owner: Business
Recommended actions: Develop a data handling procedure and/or plan – this should include how CI will handle requests from customers (Data Subjects)

Article 17
Gap: No procedures to respond to requests to be forgotten or for erasure of data
Risk level: HIGH
Subject matter owner: Business
Recommended actions: Develop an operating procedure for analysing and responding to requests for erasure or correction of data

Article 32
Gap: Personal data is not adequately protected from unauthorised access; no technical security controls / measures in place
Risk level: HIGH
Subject matter owner: Business
Recommended actions: Perform a Data Privacy Impact Assessment (DPIA); implement security measures to protect the confidentiality, integrity & availability of customer data

Article 33
Gap: No procedure for detecting, reporting and investigating personal data breaches
Risk level: HIGH
Subject matter owner: Business
Recommended actions: Develop a data breach incident response plan

Page 12

Data Flow Mapping

Data flow maps are a recognised method of tracing or tracking the flow of data through a process, or physically through a network.

What to show on a data flow map
The data flow map should show where the devices, systems, applications etc. that handle personal data exist on the CI network.

Objectives of the data flow map
• To create a picture of CI's data origins, paths, exit points and storage locations
• To indicate where PII exists in CI's network, infrastructure, servers and devices
• To present an overview of CI's data and improve data lifecycle management

Page 13

Data Flow Mapping Activities

Step 1 – Data discovery exercise
• Hold a scoping workshop with the IT team, with Data Protection and Information Security represented at decision-maker level in CI
• Review existing practices to see what kinds of data have already been or are routinely collected in CI. Also determine whether the sources of all these data are available and reliable, e.g. is there a source indicated for the data, is the source a primary source, etc.?
• Walk through the existing Data Flow Diagram
• Discuss the extent of current knowledge of personal data holdings and their usage for business purposes
• Identify contacts for more accurate information on data holdings and the change process (as needed)
• Combine all of the above steps into one document. This is your data flow map.

Page 14

Overview: Data Management Lifecycle

Lifecycle stages:
• Data Collection
• Data Usage & Data Handling
• Data Transfer & Access
• Data Retention & Destruction
• Data Security

Article Nos. | Area
4, 5, 6, 9 | Data Collection
4, 9, 12 | Data Usage
13, 14, 15, 44 | Data Transfer & Access
5 | Data Retention & Destruction
9, 23, 32 | Data Security

Page 15

Data Mapping Activities

Areas (lifecycle categories):

Data Collection
• Source
• Means of Collection

Data Usage
• Purpose of Processing
• Meaning of processing
• Location of Data

Data Transfers & Access
• Internal transfers / Access / Interfaces
• External Transfers / Access / Interfaces
• International Data Transfers / Access / Interfaces

Data Retention & Destruction
• Destruction / Archive Retention

Data Security
• Technical & Organisational Security Considerations

Page 16

Data Lifecycle Mapping

Key data lifecycle categories and key elements of information captured:

1. Data Collection
Source of data
• Where the personal information originates prior to being entered into the CI system. For example, data may be generated from a web form / link on FB, LinkedIn, Google etc.
Means of collection
• How the personal information was collected, obtained or generated for the purposes of the system / process. For example, direct input by a CI candidate, email received and data manually input to the system by a user, or automated feeds from linked systems or databases.

Page 17

Data Lifecycle Mapping

Key data lifecycle categories and key elements of information captured:

2. Data Usage & Data Handling
• Purpose of processing the personal information
• Key manual data handling or automated data processing activities
• Handling of hard-copy documents or files containing personal information

3. Data Transfers and Access & Disclosure (if applicable)
• Internal, external and onward transfers, access or disclosures of personal information
• Disclosures to service providers, vendors, and relevant parties
• Assess locations for the purpose of identifying cross-border data transfers

Page 18

Data Lifecycle Mapping

Key data lifecycle categories and key elements of information captured:

4. Data Retention & Destruction
• Data retention and destruction processes around how personal information is archived or destroyed
• Retention periods prior to destruction
• Responsibilities of external vendors for the archiving / destruction of personal information transferred to them

5. Security
• Scope to include specific technical and organisational security considerations which have been applied. For example, access controls and restrictions, use of passwords / encryption

Page 19

Data Lifecycle Questionnaire

Key data lifecycle categories and questions:

1. Data Collection
• Describe where the data originates from prior to being used in relation to the process / activity
• Describe how the data was collected, obtained or generated relating to the process / activity

2. Data Usage & Data Handling
• State the reason for which the data is collected and used / processed
• Describe how the data is used / processed for the purpose of the process / activity
• Describe where the data is stored as part of the process / activity, including the country in which the data is physically located or hosted

3. Data Transfer & Access
• Provide details of any internal transfers or interfaces in relation to the process / activity (including situations where access is given to such data)
• Provide details of any external transfers or interfaces in relation to the process / activity, for example sharing of personal data with external service providers
• Provide details of any cross-border transfer of data in relation to the process / activity for internal or external purposes

Page 20

Data Lifecycle Questionnaire

Key data lifecycle categories and questions:

4. Data Retention & Destruction
• Describe how data is retained / archived or destroyed in relation to the process / activity. Where possible, state the retention period prior to destruction

5. Data Security
• Describe any specific technical & physical security measures which are applied to data in relation to the process or activity. For example, this may include passwords / encryption when sharing files

Page 21

Data Origin, Path, Process & Storage

CI Candidate Input:
• Facebook
• Referrals
• Telephone order
• Mail-based order
• Google search
• LinkedIn

System:
• Career Insight website
• eWorkexperience website
• CRM (Salesforce)

Output:
• Personal data
• Credit card information

Database:
• Enterprise data warehouse
• SQL database
• Oracle database
• Inventory & order processing

Page 22

Data Flow Mapping

[Figure: data flow map diagram; no text content recoverable from this slide.]

Page 23

GDPR relates to Data Governance

Collect – Principles of data collection:
• Fairly and lawfully
• Receiving consent
• Relevance
• Proportionality
• Types of data

Process – Permission applies to:
• Specific data
• Specific purpose
• Notify of changes

Retain & Secure
Retain:
• Duration
• Types of data
Secure:
• People
• Process
• Technology
• Data loss

Manage – Management of:
• Access
• Right to rectify data
• Data destruction policy
• Data transfers
• Applicable rules
• Right to be forgotten