CONFIDENTIAL WASHINGTON, D.C. BEIJING ATLANTA BRUSSELS DENVER DUBAI DUBLIN HONG KONG LONDON MADRID MILAN NEW YORK PARIS SAN FRANCISCO SINGAPORE SYDNEY TOKYO TORONTO Privacy & Data Protection Data Mapping Solutions – Sample Slides June 6, 2016

1211000-792-2-Promontory - Data Mapping Slides 06-06-16



CONFIDENTIAL © 2016 Promontory Financial Group LLC. All rights reserved.

Typical Data Lifecycle Mapping Questions

The key questions and considerations below can be used to assess the privacy impact of the data flows identified and can be instrumental in the development of data maps.

Key data lifecycle categories, with the key elements of information captured for each:

1. Basic Details
• Process or activity to which the system relates
• Ownership of data
• Data subjects to whom the personal information relates (e.g., applicants, employees, contractors)
• Data Categories (e.g., basic personal details; health and welfare; performance and pay; employment details)
• Specific sensitive or other confidential data types involved (e.g., credit card information, salary, performance reviews, disability details, diversity information)

2. Data Collection
• Source of data (i.e., where the personal information originates prior to being entered into the system. For example, data may be generated from a user of the system, an employee or applicant or provided by a third party.)
• Means of collection (i.e., how the personal information was collected, obtained or generated for the purposes of the system / process. For example, direct input by employee, email received and data manually input to system by user, or automated feeds from linked systems or databases.)

3. Data Usage & Data Handling
• Purpose of processing the personal information
• Key manual data handling or automated data processing activities
• Handling of hard copy documents or files containing personal information
• Hosting, testing and system development locations where applicable

4. Data Transfers and Access & Disclosures
• Internal, external and onward transfers, access or disclosures to personal information
• Disclosures to service providers, vendors, and relevant parties
• Assess locations for the purposes of identifying cross border data transfers

5. Data Retention & Destruction
• Data retention and destruction processes around how personal information is archived or destroyed
• Retention periods prior to destruction
• Responsibilities of external vendors for the archiving / destruction of personal information transferred

6. Security
• Scope to include specific technical and organizational security considerations which have been applied. For example, access controls and restrictions, use of passwords / encryption


Recent Data Mapping Framework Project

Creation of Data Mapping Toolkit

✓ Alignment with and cross-reference to business process mapping

✓ Provides a detailed record of key processes/activities within the organisation

✓ Aids in the identification of knowledge gaps to prompt further investigation

✓ Increases knowledge of data handling practices within the organisation

✓ Forms a basis for best practices and regulator standards

• A toolkit of data mapping templates, information gathering and reporting tools, user guidance and training materials was produced to allow the client to roll out the data mapping exercise to other areas of its business

• Training workshops and management briefing sessions were run to explain how to apply the methodology and use the toolkit in order to deploy and maintain the Data Mapping Framework

• QA managers and related local contacts were assigned responsibility for the maintenance and updating of the Data Mapping Framework, including periodic milestones and reporting obligations

Sample Pilot Data Mapping Exercise

• Interviews were undertaken with stakeholders relevant to the data lifecycle of the pilot business areas

• A review was made of the existing business process data maps and QA documentation to align with and validate data lifecycle practices identified during information gathering

• Fieldwork also included interviews and documentation reviews relating to management of key systems and data lifecycle related technology

• Data Mapping tables, diagrams and reports were refined during the pilot phase and provided the basis for the Data Mapping Toolkit templates and guidance

[Diagram: Data Lifecycle Mapping Framework. Components: Data Lifecycle Mapping Table; Data Lifecycle Mapping Reports; Data Maps & Key; User Guidance; Data Types Guidance]


Overview of Outputs and Templates

[Diagram: Key Outputs of the Data Lifecycle Mapping Process. Panels: Data Mapping Table; Data Categories, Subjects & Types Table; Special Data Types Table; Data Map & Key]


Overview of Data Lifecycle Mapping Framework


Sample Overview Data Flow Map


Sample Process Specific Data Lifecycle Map


Contact Details

Robert Grosvenor
Director
Promontory Financial Group (UK) Limited
30 Old Broad Street
London EC2N 1HT

Direct: +44 (0)[email protected]

James Gregoire
Senior Principal
Promontory Financial Group, LLC
Spear Tower, 1 Market Plaza, Suite 4100
San Francisco, CA 94105

Direct: [email protected]

Simon McDougall
Managing Director
Promontory Financial Group (UK) Limited
30 Old Broad Street
London EC2N 1HT

Direct: +44 (0)[email protected]

Michael Spadea
Director
Promontory Financial Group, LLC
Spear Tower, 1 Market Plaza, Suite 4100
San Francisco, CA 94105

Direct: [email protected]