Data Assessments

Intro: Why Assessments?

1. Document where and what type of data is in the system.
2. Understand the impact that processes will have on the system.
3. Understand two types:
  1. Privacy Impact Assessments
  2. Data Protection Impact Assessments
Inventories and Records
1. Data Inventory - aka - Data Map
  1. Shows you where all the data that resides in your system
  2. How it is shared, organized, and located.
  3. Legally required by GLBA

1. 1. Put all your data inventory into a single sheet
Processing of Activities under GDPR
1. Maintain a detailed record of processing activities, article 30
2. Purposes for the processing
3. Categories of recipients
4. Retention periods for the various categories of personal data
5. Must have detailed processing record to show DPA when asked.
6. Exception if processor employs less than 250 people
7. First action for DPOs
  1. Identify all data owners within each functional group/unit
  2. Understand what data is retained and what data is used.
  3. Create a data inventory - identify personal data vs non-personal data
Assessments and Impact Assessments
1. Privacy Assessment: Measuring Compliance
  1. Used by DPO or audit organizations to see if the organization is compliant or not with external laws or regulations.
  2. Scope can vary to see if the organization is imeplementing the proper controls to determine if proper controls are in place or not.
2. Privacy Impact Assessment
  1. Analysis of the risks of processing data
  2. Why do a PIA?
    1. Implementation of projects with others
    2. Incorporation of data from other organizations
    3. Retiring system that holds personal data
  3. Prioritize projects, products, or services that should be submitted to a PIA
3. PIAs in the US
  1. Required by US Government Agencies
  2. PTA - Privacy Threshold Analysis determines if the PIA is required
4. ISO 29134
  1. How to run a PIA
    1. It explains a PIA covers the risks of having PII under process
  2. Five Steps
    1. Identifying the information flows
    2. Analyzing the implications of the use case
    3. Determine the relevant privacy-safeguarding requirements
    4. Assessing privacy risks
    5. Determine the best privacy risk treatment option
  3. Follow up
    1. Prepare and publish the Repoet
    2. Implement the privacy risk treatment option
5. Data Protection Impact Assessment
  1. When you collect personal data what happens?
    1. Expose your organization to risks
    2. Risks need to be identified
    3. Required if you are subject to GDPR
6. When is a DPIA required
  1. Must be done by controller prior to processing
  2. Triggers
    1. New Data
    2. New Technology
    3. Change of processing
    4. Scale changes
  3. Review article 29 of the GDPR
    1. Evaluation or scoring
    2. Automated decision making with legal or similar significant effect
    3. Systematic monitoring
    4. Sensitive data or data of a highly personal nature
    5. Data processed on a large scale
    6. Matching or combining datasets
    7. Data concerning vulnerable data subjects
    8. Innovative use or application of new technologies
    9. Criteria If you meet two or more of the above criteria - this would be a trigger for the DPIA
7. Minimum features of a DPIA according to the GDPR
  1. Processing type, purpose and legitimate interests
  2. Risks of processing to data subjects
  3. Measures to address the risk

1. 1. Method how to carry out PIA
  2. Model to formalize a PIA
  3. Knowledge base - measures to be used to treat the risks
2. When do you contact supervisor authority
  1. When you can’t find a way to reduce the risk to the appropriate level
  2. When you can’t reduce the number of people with access.
3. Components of a DPIA
  1. Look at WP29 Annex 1, Guidelines on Data Protection Impact Assessment
4. Attestation-a Form of Self Assessment
  1. How you hold functions outside the privacy team accountable
  2. Develop questions for each department you need to hold to responsibility
  3. NIST 800-60
    1. Task - Classify Data
    2. Owner - IT
    3. Questions - Classification system created, each type of data mapped to a category in classification, data that can’t be categorized flagged?
    4. Evidence - Spreadsheet with data inventory, categories
Physical and environmental assessment
1. Use ongoing assessment to determine the threat and risk of data loss.
2. Three Key attributes:
  1. Confidentiality -
  2. Integrity -
  3. Availability -
3. Security Controls Purpose - Help to achieve Information Security
  1. Administrative controls
  2. Technical controls
  3. Physical controls
Assess Vendors
1. Determine specific standards for each vendor and determine if the vendors meet them.
2. Standards
  1. Reputation
  2. Financial Condition and Insurance
  3. Information Security controls
  4. Point of Transfer
  5. Disposal of Information
  6. Employee Training and User Awareness
  7. Vendor Incident response
  8. Audit rights
3. Contract language
  1. Privacy Protections
  2. Regulatory Requirements
  3. Map requirements to statement of work
  4. Example SPecifics
    1. Types of personal info to which the vendor will have access
    2. Vendor plans to protect personal info
    3. Disposal of data upon contract termination
    4. Limitation on the use of data that ensure it will only be used for specified
    5. Rights of audit and investigation
    6. Liability for data breach
Mergers, Acquisitions, and Divestitures: Privacy Checkpoints
1. Trigger a privacy checkpoint that evaluates
  1. New compliance requirements
  2. Sector specific laws
  3. Standards
  4. Jurisidictional laws/regulations
  5. Existing client agreements
  6. New resources, technologies, and processes
Summary
1. Privacy risk equals impact to or loss

Page updated

Report abuse