Gdpr training session 3

EU General Data Protection Regulation (GDPR)

Wale Omolere – February 2017

Topics

• Risk-based Approach to GDPR Compliance
• Risk Management Process
• Managing Risk
• Assessing Risk
• Applying it to Data Protection
• Define and Implement Security Measures
• Conclusions

Summary of EU GDPR Training Session 2 Activities

Step 1: Pre-Assessment Phase
• Meeting with key staff members
• Walk-through of engagement activities, and agree roles
• Confirm on-site requirements have been provided
• Review existing Data Protection Policy (if available)
• Review existing Information Security Policy documents (if available)
• Provide workshop questions to support information gathering in advance of the on-site workshop and Gap Analysis

Step 2: Data Discovery Exercise
• Hold scoping workshop with IT Development, Data Protection and Information Security represented at decision-maker level
• Walkthrough of existing Data Protection Policy
• Assess and understand current organisation culture and current Data Protection policy
• Discuss extent of current personal data holding knowledge and usage for business purposes
• Review existing Information Security Management System in respect of GDPR requirements
• Identify contacts for more accurate information on data holding and change process (as needed)

Step 3: Gap Analysis
• Completion of GDPR Questionnaire led by staff / SMEs
• Record statement of gaps between current practice and requirements to meet EU GDPR compliance

Step 4: Reporting Phase
• Creation of the EU GDPR Executive Gap Assessment Report
• Definition of work to resolve gaps into logical projects, including objective, resources involved, complexity and high-level costs

Step 5: Debrief Phase
• Walkthrough of gaps between current practice and requirements for EU GDPR compliance
• Presentation of plan (project time and business case) for endorsement by the company executive (Keji Giwa)
• Nominate Project Executives for individual projects (PRINCE2 method or client company preference)

Risk-Based Approach

Data flow mapping
• Identify and understand where, why and how personal data is being processed

Risk Assessment
• Identify potential threats
• Determine inherent risk
• Identify areas for DPIA

Data Protection Impact Assessment
• Determine specific threats for new technologies
• Analyse high-risk areas

Gap Analysis
• Identify technical measures
• Identify organisational measures
• Evaluate the effectiveness of measures to mitigate risks
• Determine residual risk: is it acceptable or not?

Actions
• Identify new and improved technical and organisational measures to reduce risk to an acceptable level
• Determine priorities and actions to implement measures

Privacy Compliance Program
• Define privacy organisation, policies and procedures
• Implement technical measures
• Inform and train staff in data processing

Monitor Privacy Compliance
• Set up alerts and warning systems
• Audit measures for effectiveness
• Define a mechanism to identify further privacy risk areas

GDPR Summarised

Article 24 – Responsibility of the Controller

1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

Article 32 – Security of Processing

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Why a "risk-based approach"?

Activity: Systematic and extensive automated profiling
Article / Recital: 35 (a); Risk level: High
Obligation: Privacy impact assessments
Expectation: Controller carries out an impact assessment of the envisaged processing

Activity: Large-scale processing of special categories of data
Article / Recital: 91; Risk level: High
Obligation: Prior consultation with the DPA
Expectation: Controller shall implement appropriate technical and organisational measures to mitigate the risk

Activity: Large-scale, systematic monitoring of a publicly accessible area
Article / Recital: 97; Risk level: High

Activity: Other activities that are "likely to result in a high risk for the rights and freedoms of individuals"
Article / Recital: 9, 47, 54, 73; Risk level: High
Obligation: Notification of data breach to individuals
Expectation:
• Controller implements appropriate technical and organisational measures (e.g. encryption)
• The high risk is no longer likely to materialise
• Notifying affected individuals would involve disproportionate effort

What is a "risk-based approach"?

• Understand the organisation and its context
• Understand the needs and expectations of stakeholders
• Articulate your objectives
• Develop risk criteria (what is acceptable, what is substantial)
• Assess risks (identify, analyse, evaluate)
• Use the output of risk assessments to inform decision-making

Context of the processing

• Purpose
• Data processing operations
• Technical and operative environment
• Flow of data
• Number and types of data subjects
• Processors
• Third parties

The controller assesses the risk on the basis of an objective assessment, with reference to the nature, scope, context and purpose of the processing.

What is risk?

• The effect of uncertainty on objectives (ISO 31000 / Guide 73)
• Risk is the chance of something happening that will have an impact on objectives (Australian Standard 4360:2004)
• Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events (Bank for International Settlements' Basel Committee)

Risk Management Standards

A number of standards have been developed worldwide to help organisations implement risk management systematically and effectively. These standards seek to establish a common view on frameworks, processes and practice, and are generally set by recognised international standards bodies or by industry groups.

The different standards reflect the different motivations and technical focus of their developers, and are appropriate for different organisations and situations. Standards are normally voluntary, although adherence to a standard may be required by regulators or by contract.

Risk Management Framework

• Context Establishment
This step serves to launch an iteration of the risk management process. All relevant information is collected, the elements needed to carry out the rest of the exercise are defined (e.g. risk evaluation criteria, impact criteria), the scope and objective of the framework are defined, and responsibilities are assigned to key staff in order to carry out the exercise.

• Risk Assessment
Taking the information collected and defined in the previous "Context Establishment" step, "Risk Assessment" aims at identifying and describing the risks the organisation is subject to by performing the following steps:

– Risk Identification: the goal of this step is to determine what risks can affect the organisation (i.e. to determine what can go wrong, how it can go wrong, and understand why this could happen). For this identification to be meaningful, the previous analysis of the specific context [1.2.2.2 A] of the organisation is of paramount importance.

– Risk Analysis: once a set of risks has been identified, each risk is analysed in order to determine the probability that this risk materialises and the consequences it may then have on the organisation.

– Risk Evaluation: each risk that has been analysed and estimated in the previous step is then compared against the criteria defined in the "Context Establishment" step. The evaluated risks are then prioritised in order to feed the next step.

• Risk Treatment
– Once risks have been evaluated and prioritised, a decision on what to do with each risk needs to be taken by the organisation. Typically, an organisation may decide to reduce the risk (by implementing, changing or removing security measures); to retain the risk (i.e. keep the situation as it is); to avoid the risk (decide to avoid an activity in order to avoid that risk); or to share the risk (use an external party that could better cope with managing that risk). These decisions are not mutually exclusive.

– After decisions have been taken, a risk treatment plan is devised (i.e. security measures are defined with a plan on how and when they need to be implemented). Additionally, the residual risks are estimated (after treatment, a risk is usually not completely eliminated; it is thus necessary to evaluate the level of this remaining risk).

• Risk Monitoring and Review
– As with any security-related activity, risks need to be constantly monitored in order to react appropriately to changes to the risks and adapt the appropriate parts of the ISRM accordingly. Furthermore, the ISRM process itself should be reviewed and improved so that any subsequent iteration is more effective and efficient.

Risk Assessment Techniques

• Brainstorming
• Checklists
• Structured Interviews
• Bow Tie Analysis
– A BowTie is a diagram that visualises the risk you are dealing with in just one, easy to understand picture. The diagram is shaped like a bow-tie, creating a clear differentiation between proactive and reactive risk management. The power of a BowTieXP diagram is that it gives you an overview of multiple plausible scenarios in a single picture. In short, it provides a simple, visual explanation of a risk that would be much more difficult to explain otherwise.
• Systematic Analysis of Process Flow
• Structured What-If (SWIFT)
• Event Tree Logic Diagrams
• Root Cause Analysis

Risk Assessment – BOW TIE (diagram slides)

Risk Assessment Applied to Data Protection 1-1

• Understand the organisation and its context
– the internal and external environment
– business processes
– key suppliers, partners
– technological environment
– competitive environment, and
– legal and regulatory requirements
• Needs and expectations of stakeholders
– who
– requirements
• The risk criteria used to evaluate the significance of risks

Risk Assessment Applied to Data Protection 1-2

DP Objectives
• Keep all personal information confidential
• Maintain accuracy of personal information
• Ensure availability of information as and when required
• Process data fairly and lawfully
• Erase data that is no longer required, in a timely manner
• Ensure all partners / suppliers conform to the rules

Risk Assessment Applied to Data Protection 1-3

• Assess and address risks to the achievement of your objectives
• Identify (list the risks)
– Data breach (external)
– Unintentional disclosure of confidential information
• Analyse (understand the nature and level of risk)
– What controls are in place?
– Are they working effectively?
• Evaluate
– Is the level of risk acceptable?
• Treat / Address
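A worked example of the Identify / Analyse / Evaluate / Treat cycle above and of the residual-risk estimation described in the framework slides, added here and not part of the original deck: a small data-protection risk register scored as likelihood x consequence, with controls that are not working effectively ignored, and the residual level compared against risk criteria to produce a treatment decision. The scoring scale, the thresholds, the risk entries and the controls are all constructed for this example.

```python
from dataclasses import dataclass, field
# Risk criteria from the "Context Establishment" step (values assumed for this example):
# likelihood and consequence are scored 1..5; level of risk = likelihood x consequence.
ACCEPTABLE_MAX = 4   # at or below: retain the risk
HIGH_MIN = 15        # at or above: high risk, so a DPIA is needed (Article 35)
@dataclass
class Control:
    name: str
    kind: str                       # preventive / detective / corrective
    effective: bool                 # "Are they working effectively?"
    likelihood_reduction: int = 0   # preventive controls mostly lower likelihood
    consequence_reduction: int = 0  # detective / corrective controls mostly lower consequence

@dataclass
class Risk:
    description: str
    likelihood: int
    consequence: int
    controls: list = field(default_factory=list)

    def inherent_level(self) -> int:
        return self.likelihood * self.consequence

    def residual_level(self) -> int:
        # Only controls that are actually working count towards residual risk.
        working = [c for c in self.controls if c.effective]
        lik = self.likelihood - sum(c.likelihood_reduction for c in working)
        con = self.consequence - sum(c.consequence_reduction for c in working)
        return max(1, lik) * max(1, con)

def evaluate(risk: Risk) -> str:
    """Compare residual risk against the criteria and return the treatment decision."""
    level = risk.residual_level()
    if level <= ACCEPTABLE_MAX:
        return "retain"
    return "reduce (high risk: carry out a DPIA)" if level >= HIGH_MIN else "reduce"

def sample_register() -> list:
    """Constructed register: the two risks the slide lists plus one Article 35 case."""
    return [
        Risk("Data breach (external) of the applicant database", 4, 5, [
            Control("Encryption of personal data at rest", "preventive", True, consequence_reduction=2),
            Control("Patch management", "preventive", True, likelihood_reduction=2)]),
        Risk("Unintentional disclosure via mis-addressed email", 3, 3, [
            Control("Staff training", "preventive", False, likelihood_reduction=1),  # not working
            Control("Outbound DLP alerts", "detective", True, consequence_reduction=1)]),
        Risk("Systematic automated profiling of applicants", 3, 5)]
def report() -> dict:
    # Inherent level, residual level and treatment decision per risk, keyed by description.
    return {r.description: (r.inherent_level(), r.residual_level(), evaluate(r))
            for r in sample_register()}
```

Note that the ineffective "Staff training" control contributes nothing to the residual level, which is the point of the "Are they working effectively?" question in the Analyse step.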

Risk Assessment Outcome

This exercise will allow CI to:
• Identify the risks to Career Insights (as an organisation) and assess the consequences of these risks to the data processing operations
• Allow the CI owner to make informed decisions on how to react with regard to these risks
• Prioritise actions in order to deal with these risks
• Effectively monitor its activities
• Raise staff awareness of Information Security

Security controls

Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.

Classes of security controls
• Preventive controls – before the event
• Detective controls – during the event
• Corrective controls – after the event

Categories of security controls
• Physical controls
• Procedural / administrative controls
• Technical controls

Goal: in the field of information security, such controls protect the confidentiality, integrity and availability of information.


Keywords

Availability: Property of being accessible and usable upon demand by an authorized entity
Confidentiality: Property that information is not made available or disclosed to unauthorized individuals, entities, or processes
Control: Measure that is modifying risk
Control objective: Statement describing what is to be achieved as a result of implementing controls
Information security: Preservation of confidentiality, integrity and availability of information
Integrity: Property of accuracy and completeness
Level of risk: Magnitude of a risk expressed in terms of the combination of consequences and their likelihood
Residual risk: Risk remaining after risk treatment
Risk: Effect of uncertainty on objectives
Risk acceptance: Informed decision to take a particular risk
Risk analysis: Process to comprehend the nature of risk and to determine the level of risk
Risk assessment: Overall process of risk identification, risk analysis and risk evaluation
Risk communication and consultation: Continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders regarding the management of risk
Risk criteria: Terms of reference against which the significance of risk is evaluated
Risk evaluation: Process of finding, recognizing and describing risks
Risk management: Coordinated activities to direct and control an organization with regard to risk
Risk management process: Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analysing, evaluating, treating, monitoring and reviewing risk
Risk treatment: Process to modify risk
Threat: Potential cause of an unwanted incident, which may result in harm to a system or organization
Vulnerability: Weakness of an asset or control that can be exploited by one or more threats
