Risk Management under GDPR
10 March 2017 – IRMS Public Sector Group Meeting
Scott Sammons CIPP/E, AMIRMS
Information Governance & Transparency
Some learning outcomes for you:
• An understanding of what risk is with regards to Information Governance
• Understanding the references to risk under the GDPR
• Understanding a risk based approach to GDPR implementation
• An overview of how a robust risk approach can support your initiatives and grow your maturity.
*Disclaimer: this is an approach. This is not the holy grail. Opinions are my own.*
© Essex County Council
A little glimpse of me:
• Information Governance Strategy Lead for Essex County Council within the ECC Information Governance & Transparency Team
• BCS IAPP Certified (DP & FOI), IAPP Certified (DP), IRMS Accredited (RM)
• Experienced practitioner of Information Governance, management, risk, security and legislation
• Volunteer at IRMS
• Independent Exam Board member of a DP Practitioner Certificate
• Certified Practitioner of NLP
What makes up a risk framework?
• Stages: Identification, Assessment, Mitigation, Monitoring
• Elements: Awareness, Registers & KRIs, Audit, Physical Controls, ‘Soft’ Controls, Risk Assessments, PIAs, Reviews & project controls, Staff Training
Information Risk right now
• Data Protection Act 1998
  - Principle 7
  - Privacy Impact Assessments
• ISO27001
  - ISMS
• Codes of Connection
  - IG Toolkit, GovConnect
Risk is everywhere under GDPR
• Security of Processing
• Tasks of the DPO
• Balancing rights against grounds for processing
• Prior Consultation for ‘risky’ processing
• Privacy Impact Assessments
• Breach notification
How do I apply this…
To this…
And move from this…
to that!
A risk based implementation
• Think long term & be honest
• Focus on supporting framework first:
  - Key roles (DPO)
  - Privacy Impact Assessments
  - Policies & Procedures
  - Risk Management Framework
• Prioritise based on level of work, time needed and risk rating under GDPR compliance.
• Key is to have a plan in place and underway.
ECC GDPR Implementation Project
1. Governance
2. Assurance
3. Third Party Management
4. Collection & Use
5. Retention & Destruction
6. Rights
7. Security
8. Systems & Technology
9. Training & Awareness
10. Staff Data
• Workstream based delivery structure
• Deliverables to hand over to BAU throughout project
• Looking for quick wins and existing initiatives
• Create an ongoing compliance risk register
• Aligns with existing initiatives and projects
The ECC journey
• Data Flow Mapping
• Previous ICO Audit
• Information Asset Owners
• Information Governance Team
• Information Assurance Maturity Model
• Senior Information Risk Officer
• Privacy Impact Assessments
• Information Champions
• Risk based GDPR Implementation Programme
• ECC IG Support
Grab a pen…
• Be realistic with what you can achieve by May 2018.
• Establish a risk framework sooner rather than later.
• Agree your risk based approach to GDPR implementation.
• Add risk management to your toolkit of skills.
How to get in touch
• ECC IG Team Email:
• WEISF contact details:
https://weisf.gov.uk or [email protected]