Intro: Why Assessments?
Document where and what type of data is in the system.
Understand the impact that processes will have on the system.
Understand two types:
Privacy Impact Assessments
Data Protection Impact Assessments
Inventories and Records
Data Inventory - aka - Data Map
Shows you where all the data in your system resides
How it is shared, organized, and located.
Legally required by GLBA
Put all your data inventory into a single sheet
Processing of Activities under GDPR
Maintain a detailed record of processing activities, article 30
Purposes for the processing
Categories of recipients
Retention periods for the various categories of personal data
Must have detailed processing record to show DPA when asked.
Exception if the processor employs fewer than 250 people
First action for DPOs
Identify all data owners within each functional group/unit
Understand what data is retained and what data is used.
Create a data inventory - identify personal data vs non-personal data
Assessments and Impact Assessments
Privacy Assessment: Measuring Compliance
Used by DPO or audit organizations to see if the organization is compliant or not with external laws or regulations.
Scope can vary; the goal is to determine whether the organization is implementing the proper controls and whether they are actually in place.
Privacy Impact Assessment
Analysis of the risks of processing data
Why do a PIA?
Implementation of projects with others
Incorporation of data from other organizations
Retiring a system that holds personal data
Prioritize projects, products, or services that should be submitted to a PIA
PIAs in the US
Required by US Government Agencies
PTA - Privacy Threshold Analysis determines if the PIA is required
ISO 29134
How to run a PIA
It explains that a PIA covers the risks of processing PII
Five Steps
Identifying the information flows
Analyzing the implications of the use case
Determine the relevant privacy-safeguarding requirements
Assessing privacy risks
Determine the best privacy risk treatment option
Follow up
Prepare and publish the Report
Implement the privacy risk treatment option
Data Protection Impact Assessment
When you collect personal data what happens?
Expose your organization to risks
Risks need to be identified
Required if you are subject to GDPR
When is a DPIA required
Must be done by controller prior to processing
Triggers
New Data
New Technology
Change of processing
Scale changes
Review article 29 of the GDPR
Evaluation or scoring
Automated decision making with legal or similar significant effect
Systematic monitoring
Sensitive data or data of a highly personal nature
Data processed on a large scale
Matching or combining datasets
Data concerning vulnerable data subjects
Innovative use or application of new technologies
If you meet two or more of the above criteria, this triggers a DPIA
Minimum features of a DPIA according to the GDPR
Processing type, purpose and legitimate interests
Risks of processing to data subjects
Measures to address the risk
Method for how to carry out the PIA
Model to formalize a PIA
Knowledge base - measures to be used to treat the risks
When do you contact the supervisory authority
When you can’t find a way to reduce the risk to the appropriate level
When you can’t reduce the number of people with access.
Components of a DPIA
Look at WP29 Annex 1, Guidelines on Data Protection Impact Assessment
Attestation - a Form of Self-Assessment
How you hold functions outside the privacy team accountable
Develop questions for each department you need to hold accountable
NIST 800-60
Task - Classify Data
Owner - IT
Questions - Classification system created, each type of data mapped to a category in classification, data that can’t be categorized flagged?
Evidence - Spreadsheet with data inventory, categories
Physical and environmental assessment
Use ongoing assessment to determine the threat and risk of data loss.
Three Key attributes:
Confidentiality -
Integrity -
Availability -
Security Controls Purpose - Help to achieve Information Security
Administrative controls
Technical controls
Physical controls
Assess Vendors
Determine specific standards for each vendor and determine if the vendors meet them.
Standards
Reputation
Financial Condition and Insurance
Information Security controls
Point of Transfer
Disposal of Information
Employee Training and User Awareness
Vendor Incident response
Audit rights
Contract language
Privacy Protections
Regulatory Requirements
Map requirements to statement of work
Example Specifics
Types of personal info to which the vendor will have access
Vendor plans to protect personal info
Disposal of data upon contract termination
Limitation on the use of data that ensures it will only be used for specified
Rights of audit and investigation
Liability for data breach
Mergers, Acquisitions, and Divestitures: Privacy Checkpoints
Trigger a privacy checkpoint that evaluates
New compliance requirements
Sector specific laws
Standards
Jurisdictional laws/regulations
Existing client agreements
New resources, technologies, and processes
Summary
Privacy risk equals impact to or loss