General Data Protection Regulation (GDPR)
Are you ready?
Jennifer Ryan – Data Protection Officer
Sara McAneney – IT Security Officer
9th November 2017
There are no magic wands!
A snapshot of GDPR
Principles
Lawful Processing
Purpose Limitation
Transparency
Consent
Retention
Minimisation
Sensitive personal data
Children’s data
New & Enhanced Rights
Transparency & Notification
Access
Erasure
Rectification
Portability
Profiling
Automated decisions
Responsibilities
Data Processors
Data Transfers
Data Breach Reports
Data Protection by Design
DPIAs
DPO
Penalties
“Accountability is at the centre of all this: of getting it right today, getting it right in May 2018, and getting it right beyond that.”
GDPR – Who owns it?
‒ There are many elements to GDPR and it can seem overwhelming; however, with a collaborative approach, compliance is achievable.
‒ GDPR preparation requires effort across your entire organisation.
‒ Put your governance committees in place and engage and influence the right people in IT, Legal, Risk, Records Management, DPO, Faculties & Support Services.
TCD Data Protection Working Party
Dean of Research
College Solicitor
IT Security Officer
Data Protection Officer
College Secretary
Nominee from Library and Information Policy Committee
Nominee from the School of Law
Director of Student Services
Director of HR
Director of Academic Registry
Director of Alumni & Development
Librarian
Director of Commercial Revenue
President of the Graduate Students’ Union
Trinity College Dublin, The University of Dublin
DPO
GDPR - Appoint your DPO
– Refer to the Data Protection Commissioner and Article 29 Working Party guidance.
– DPO skillset should align with your priorities but they must be able to see the bigger picture.
– A combined understanding of data protection from a legal, risk and technical and security perspective.
– Give them access to the resources they need.
GDPR – Get to know your data
What do we collect, maintain, store, share, retain, delete?
Why?
Where is it?
Who else has it?
How long do we keep it?
GDPR – Get to know your data
– How does data flow in, out and through your organisation? Document and map it.
– Who accesses it, who is it shared with, how is it stored, how long is it kept, is it secure?
– Identify your legal basis for processing – consent, contract etc.
– Identify your sensitive data hotspots and high risk processing.
Personal Data Processing Inventory
GDPR – Review your documents
– Update your Privacy Statement – this defines your organisation's approach to personal data.
– Demonstrate fair processing and transparency – no surprises.
– CLEAR AND PLAIN ENGLISH.
– Update your policy documents.
– Review and update data processing agreements.
GDPR – Transparency
GDPR – Communicate
– Training, training, training – the freedom within the higher education environment implies individuals must take responsibility.
– Awareness campaign and online training modules.
– Everyone in your organisation needs to know what their responsibilities are and who they should contact if they have questions.
– Share ideas - GDPR University Group meetings.
People
Process
Technology
GDPR – IT Services Responsibilities
1. Document Data Processing
2. Data Processor Compliance
3. Enterprise IT Security Controls
4. Provision of Compliant Services
5. Training & Advice
GDPR – Accountability Principle Article 5(2)
Maintain relevant documentation on processing activities.
Implement measures that meet the principles of data protection by design and by default – data minimisation; pseudonymising data.
Use data protection impact assessments where appropriate.
Statements of the information you collect and process, and the purpose for processing (Article 13 of the GDPR).
Document Data Processing
Business Systems - In house and cloud hosted
• Student System, VLE, HR System, Finance System
• Document/DPIA in partnership with Business Areas
IT Services Data Processing
• Service Desk Information Systems
• Web forms
• Office 365
• Supporting systems AD, DNS, IDM, WI-FI
• Many, many Log Files
Document Data Processing – Data Processing Records
• Purposes of the processing.
• Description of the categories of individuals and personal data.
• Categories of recipients of personal data.
• Details of transfers to third countries.
• Retention schedules.
• Description of technical and organisational security measures.
Document Data Processing
• DPIAs are legally mandatory where applicable from May 2018
• Article 29 Working Party strongly recommends DPIAs for all high risk operations prior to this date
Data Protection Impact Assessment
• Description of data processing
• Assessment of necessity and proportionality
• Measures to demonstrate compliance
• Assessment of risks to the rights and freedoms
• Measures to address the risks
• Documentation
• Monitoring and review
Data Processors Compliance
"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data…
"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data Processors - TCD
Data Processor Compliance
• Controller has an obligation to ensure that the processor has provided sufficient guarantees to implement technical and organisational measures that meet the requirements of the GDPR
• Due diligence
• Contracts – data processing agreements
• Security policies/certifications/audits
• Breach notification process
Data Processor Compliance
Must keep records of processing, demonstrate appropriate technical and organisational controls
Data subjects may enforce rights directly against Data Processors
Non-compliant Data Processor open to legal action from Data Controllers and Data Subjects and sanctions from the Regulator – i.e. Fines.
Enterprise IT Controls - Supporting the Security of Personal data
Mobile Devices
Network Perimeter
Applications
Databases
PCs
Data
Enterprise IT Controls - 2017
External Cyber Security Audit
Significant Security Breach
Ransomware threat – WannaCry etc.
GDPR Preparation
Enterprise IT Controls
Program of Security Enhancements 2018
• Firewall upgrade
• IPS technology
• Multifactor authentication in Office 365
• Endpoint security enhancements
• Malware filtering
• Mobile device encryption
Provision of Compliant Services - Supporting Day-to-Day Processing
Laptops & Mobile Devices
Secure Network Storage
Secure Applications
Microsoft Teams
SharePoint
OneDrive
Dropbox for Business
Storage – Processing – Sharing – Collaboration
Training - IT Security
Training - IT Security
Training – Phishing Simulations
• Number of phishing emails sent: 6026
• Recipients who opened the email: 902
• Recipients who opened the attachment & enabled macros: 52
Training - GDPR training for IT Staff
General Advice and Guidance
Managers
Service Desk
Support Analysts
Project Managers
Developers
Challenges
• Diverse organisation – Teaching – Research – Administration – Campus Companies
• Large volumes of data
• Variable IT skills
• Lack of IT security awareness
• Shadow IT
Are you ready?
Questions?