dama-ireland
Penalties
Administration & Governance Offences: 2% of Global Turnover (or €10,000,000) [whichever is greater]
• Failure to implement appropriate security measures
• Failure to implement Data Protection by Design/by Default
• Failure to ensure governance of data processors
• Failure to conduct a PIA where required
• Failure to maintain records of processing activities
• Failure to have processes to support Data Subject rights
Fundamental Rights & Duties Offences: 4% of Global Turnover (or €20,000,000) [whichever is greater]
• Breach of core Data Protection principles
• Failure to ensure lawful basis for processing
• Failure to meet conditions for consent
• Failure to respect/comply with rights of data subject
• Failure to ensure data transfers on valid basis
• Failure to comply with order of the DPC
Liability
Civil liability for both material damage and immaterial damage
Data Protection breaches can get you sued!
An evolution of existing rights
The Problem with how most organisations do Data Privacy
The Need for Holistic Thinking
Need to consider the entire environment
Information Environment
Ethical Environment
Legal can’t fix broken process designs
Bad Tyre Swing Design
The Global Legislative Trend
[Chart: Total Global Data Privacy Law, by decade (1970s, 1980s, 1990s, 2000s, 2010-2016); data labels: 717, 36, 68, 110]
Within this, there is also continued evolution of existing Data Privacy laws (e.g. EU Data Protection Regulation)
castlebridge associates | www.castlebridge.ie | www.dataprotectionofficer.ie
Castlebridge: changing how people think about information
The GDPR and DMBOK
GDPR Summarised
Regulatory “One Stop Shop”
Core Principles
Increased Penalties
Risk based approach to Data Protection
Explicit Focus on Governance
Principles Driven
Stricter Consent (where consent only basis)
Enhanced Rights: Data Portability; RTBF;
Risk & Penalty Mitigation
Documentation
Data Protection Officer
Evidence of Effectiveness
Risk & Penalty Mitigation
Enforcement against Data Processors
Extraterritoriality
Fines as % of Global Turnover
Mitigating Factors
1. Lawfulness, fairness, transparency
2. Purpose Limitation
3. Data Minimisation
4. Accuracy
5. Storage Limitation
6. Integrity & Confidentiality
7. Accountability
+ Article 1, 7, and 8 ECHR
Privacy by Design/Default
The GDPR Principles – An evolution…
Fair Obtaining
Purpose Specification
Purpose Limitation
Security
Accuracy
Adequate / Relevant
Retention
Data Subject Rights
Lawfulness, fairness, transparency
Purpose Limitation
Data Minimisation
Accuracy
Storage Limitation
Integrity & Confidentiality
Accountability
The Accountability Principle
“The Controller shall be responsible for, and be able to demonstrate compliance with…”
Article 5(2) General Data Protection Regulation
Creates a positive duty to actively monitor and govern the management of personal data
“Shelf-ware” policies and reactive responses to issues do not demonstrate compliance
One key change: Some new definitions
Personal Data: any information relating to an identified or identifiable natural person who can be identified either directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity of that person
Processing: any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organising, structuring, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Definition of processing is slightly broader in terms of the things that might constitute personal data…
HOARDS still valid as a way of remembering what Processing is…
One key change: Some new definitions
Profiling: any form of automated processing consisting of using data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements
Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed
A broad category of activity – “automated processing” now clearly defined
Current Irish DPC Code of Practice includes “risk of breach”
A clearly defined test for “Compatible Purpose”
Is there a link between the purposes?
What was the context of collection, in particular relationship between Controller & Data Subjects
What is the data?
What are the risks/possible consequences to the data subject?
What safeguards are being put in place to protect fundamental rights?
New Duties: Privacy By Design/Default
Privacy is the default setting for processes.
Must ensure appropriate controls are in place in design and development
Must ensure appropriate tech and organisational measures are in place to minimise access to data for particular purposes
New(ish) Duty: Data Security Breach
Largely as per current DPC Code of Practice
Must notify DPC “without undue delay” or within 72 hours, unless breach is unlikely to result in risk to individuals' rights/freedoms
Any delay over 72 hours will require a reasoned justification
Communication to Data Subject required if there is a high risk to rights and freedoms.
Not required if data is unintelligible (e.g. encrypted)
Not required if controller has taken steps to eliminate risk of impact to rights/freedoms
Not required if a disproportionate effort
DPC has final say.
New Role: The Data Protection Officer
Not mandatory in all cases, but recommended
Will be mandatory for public authorities or organisations that engage in systematic monitoring on a large scale or process sensitive personal data on a large scale
Member States may set their own rules locally
DPO must have “expert knowledge of data protection law and practices and an ability to fulfil tasks” of the DPO.
May be a member of staff or may be a contractor
Contact details should be published and communicated to the DPC.
New Role: The Data Protection Officer
A public facing role (can be contacted by Data Subjects)
Must be involved in a “timely manner” in all issues relating to processing of personal data
• E.g. system design and specification
Must be supported by Data Controller in execution of tasks and maintaining knowledge.
Must be able to act independently in relation to Data Protection tasks
Should report to the most senior executive level
Role is to:
• Inform and advise
• Monitor compliance with external legislation and internal policies and procedures, including training
• Supporting Privacy Impact Assessments
• Acting as contact point for DPC
Cannot be dismissed or penalised for performing Data Protection tasks
A Focus on Governance & Controls
Article 23: Privacy by Design & Default
Article 33: Data Protection Impact Assessment
Article 28: Documentation
Article 35: Data Protection Officer
Article 37: Tasks of DPO
Article 33(8): Data Protection Compliance Review
Data Privacy in the DMBOK Wheel
© DAMA International, used with permission
Data Governance
Data Protection
Data Quality
TRUST
The Anatomy of the Stool
Internal Uses (e.g. Analytics)
Customer “value” perception
External Uses (e.g. Open Data)
Data Privacy: Principles
GDPR | Data Governance | Data Quality
Lawfulness, fairness, and transparency
Purpose Limitation
Data Minimisation
Accuracy
Storage Limitation
Integrity and Confidentiality
Accountability
Data Subject Rights
Relevant Dimensions of Information Quality
Information Quality Dimension | 95/46/EC | ePrivacy Regs | EUDATAP
Accuracy X X X
Completeness X X X
Timeliness X X X
Consistency X X
Conformity X X
Relevance/Not Excessive X X
Adequacy (for purpose) X X
Duplication X X
Quality of Data Definition (business & tech) X X
Information Product Specification X X X
Defining Information Quality & Information Quality Management
Based on 9-box model developed by Abcouwer, A.W., Maes, R. Truijens, J, Amsterdam University (1997-2003)
What is Data Governance in DMBOK?
Definition: The exercise of authority and control (planning, monitoring, and enforcement) over the management of data assets.
Goals:
• To define, approve, and communicate data strategies, policies, standards, architecture, procedures, and metrics.
• To track and enforce regulatory compliance and conformance to data policies, standards, architecture, and procedures.
• To sponsor, track, and oversee the delivery of data management projects and services.
• To manage and resolve data related issues.
• To understand and promote the value of data assets.
Activities:
1. Data Management Planning
• Understand Strategic Enterprise Data Needs
• Develop and Maintain the Data Strategy
• Establish Data Professional Roles and Organizations
• Identify and Appoint Data Stewards
• Establish Data Governance and Stewardship Organizations
• Develop and Approve Data Policies, Standards, and Procedures
• Review and Approve Data Architecture
• Plan and Sponsor Data Management Projects and Services
• Estimate Data Asset Value and Associated Costs
2. Data Management Control
• Supervise Data Professional Organizations and Staff
• Coordinate Data Governance Activities
• Manage and Resolve Data Related Issues
• Monitor and Ensure Regulatory Compliance
• Monitor and Enforce Conformance With Data Policies, Standards, and Architecture
• Oversee Data Management Projects and Services
• Communicate and Promote the Value of Data Assets
Inputs:
• Business Goals
• Business Strategies
• IT Objectives
• IT Strategies
• Data Needs
• Data Issues
• Regulatory Requirements
Primary Deliverables:
• Data Policies
• Data Standards
• Resolved Issues
• Data Management Projects and Services
• Quality Data and Information
• Recognized Data Value
Data Privacy: Data Governance
Principle | Governance | Quality
Personal data which is being processed must be fairly obtained and processed X
Personal Data shall be obtained for a Specified and Lawful Purpose X
Personal Data shall not be processed in a manner incompatible with the specified purpose X
Personal Data shall be kept accurate and complete and, where necessary, kept up to date X
Personal Data should be kept Safe & Secure X
Data processed must be adequate, relevant and not excessive X X
Personal data should not be kept for longer than necessary for the specified purpose or purposes X X
Data Subjects have a right of Access. X
Understanding Information/Data Stewardship
Information Stewardship is:
An ethic that embodies responsible planning and management of Information Resources through…
The acceptance or assignment of responsibility to shepherd and safeguard the Information Assets of others, both inside the organisation and beyond
A Holistic Framework?
Based on 9-box model developed by Abcouwer, A.W., Maes, R. Truijens, J, Amsterdam University (1997-2003)
Data Protection Officer
Documentation & Controls
Evidence of Effective Operation
Privacy Expectation met or exceeded!
Different Types of Data Steward
Strategic
Operational
Tactical
Doers Definers Deciders Co-ordinators
The D3C Model™ © 2013 Castlebridge Associates
The Data Protection/Privacy Officer Role
• Reporting to Executive Board
• Must be Independent
• Technical and Business skills
• Accountable for the System of Governance
• “Statutory Tenure”
• Relationship to CDO, CPO, CIO etc.
A Data Stewardship Mind Map – Standards?
Governance & Stewardship
Data Use Steward (Doer/Definer)
UX Requirements
Privacy Reporting
Screens & Reports Quality
Screen & Reports Content
Design & Aesthetics
Data Governance Reqts (Co-ordinator)
Data Standards Compliance
Use of Metadata Documentation
Metric Driven Quality Assurance
Data Management Structure
Data Collection Steward (Doer/Definer)
Data Classification (PII, Sensitive)
Encryption
Business Content Rules
Privacy Rules
Privacy Reqts Steward (Decider/Definer)
Purpose
Notice
Consent
Transfer (3rd Party)
Access/Correction/Deletion
Proportionality
Retention
Responsible Action
Based on M. Dennedy & Tom Finneran
Data Privacy & Data Quality
What is Data Quality in DMBOK?
Definition: Planning, implementation, and control activities that apply quality management techniques to measure, assess, improve, and ensure the fitness of data for use.
Goals:
• To measurably improve the quality of data in relation to defined business expectations.
• To define requirements and specifications for integrating data quality control into the system development lifecycle.
• To provide defined processes for measuring, monitoring, and reporting conformance to acceptable levels of data quality.
Activities:
1. Develop and Promote Data Quality Awareness
2. Define Data Quality Requirements
3. Profile, Analyze, and Assess Data Quality
4. Define Data Quality Metrics
5. Define Data Quality Business Rules
6. Test and Validate Data Quality Requirements
7. Set and Evaluate Data Quality Service Levels
8. Continuously Measure and Monitor Data Quality
9. Manage Data Quality Issues
10. Clean and Correct Data Quality Defects
11. Design and Implement Operational DQM Procedures
12. Monitor Operational DQM Procedures and Performance
Inputs:
• Business Requirements
• Data Requirements
• Data Quality Expectations
• Data Policies and Standards
• Business Metadata
• Technical Metadata
• Data Sources and Data Stores
Primary Deliverables:
• Improved Quality Data
• Data Management
• Operational Analysis
• Data Profiles
• Data Quality Certification Reports
• Data Quality Service Level Agreements
Metrics:
• Data Value Statistics
• Errors / Requirement Violations
• Conformance to Expectations
• Conformance to Service Levels
Tools:
• Data Profiling Tools
• Statistical Analysis Tools
• Data Cleansing Tools
• Data Integration Tools
• Issue and Event Management Tools
Data Protection: Quality Principles
Principle | Governance | Quality
Personal data which is being processed must be fairly obtained and processed X
Personal Data shall be obtained for a Specified and Lawful Purpose X
Personal Data shall not be processed in a manner incompatible with the specified purpose X
Personal Data shall be kept accurate and complete and, where necessary, kept up to date X
Personal Data should be kept Safe & Secure X
Data processed must be adequate, relevant and not excessive X X
Personal data should not be kept for longer than necessary for the specified purpose or purposes X X
Data Subjects have a right of Access. X
Case Study: Online customer registration process, UK bank
Register for SMS alert
Display proposed number
Update Contact Details
Select Preferred Contact Number
Send SMS Updates
***9901 (no option for 2nd number)
Message
Case Study
Issues:
• *****9901 was a number that hasn’t been used for >5 years by that account holder.
• Mobile phone numbers are recycled – usually 12-18 months after termination of contract
• SMS containing bank details of this customer potentially being sent to a 3rd party
• Customer complained to UK Data Privacy Regulator
• Customer knows a bit about data modelling
Legal Requirements
Ethical Requirements
“The Creepy Line”
A Data Privacy KPI?
EU E-Marketing rules require data to be used within 12 months from consent having been obtained or consent is nullified.
Client organisation had no assessment of how much trust they could place in their marketing data
Was facing prosecutions for breaches of rules
Developed a Dashboard
Associated a financial “Business Impact” KPI
Senior Executives were shocked at impact of not managing their customer data…
[Chart: ePrivacy Directive Consent Tracker. X axis: Marketing Months since last contact (12 months or over, 10-12 Months, 6-9 months, 3-6 months, 0-3 months); Y axis: 0% to 45%]
Average revenue uplift of €10/Month per campaign, 10% success rate, 1.2 million customers
Opportunity Lost: €1,440,000
Value at Risk: €4,320,000