GEORGES ATAYA (SBS-EM)

12 December 2017

FIVE DOMAINS OF COMPETENCE FOR DATA PROTECTION PROFESSIONALS

PROGRAM IN EUROPEAN DATA PROTECTION

© 2017 ictc.eu


DPO

• Data Protection Officers (DPO)
• Internal and external auditors
• Information Technology experts
• Information Security experts
• Legal experts and Lawyers
• General Managers
• Enterprise Architects
• Project Managers
• Data Scientists
• Financial Officers
• Public Service personnel
• Consultants
• Business Managers
• Marketing Managers

ARTICLE 39: Tasks of the data protection officer

1. The data protection officer shall have at least the following tasks:
(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
(d) to cooperate with the supervisory authority;
(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

LEGAL AND MANAGEMENT STRATEGY

1. LEGAL AND MANAGEMENT REQUIREMENTS

Define the Data Protection strategy and GDPR compliance aligned with organizational goals and objectives where risk and harms are managed appropriately.

• GDPR Principles: Material scope, Personal scope, and Territorial scope
• Processing principles: Lawfulness of processing, Conditions for consent, Processing of sensitive data and Processing not requiring identification
• Data subject (DS) Rights: General modalities; Information and access to data; Rectification and erasure; Right to portability; Right to object; Right to not be subject to automated individual decision making/profiling
• Remedies and sanctions
• Responsibility of Controller
• Responsibility of Processor and Sub-Processor
• Data Processing Agreement
• Data Protection by Design and by Default
• Records of Processing Activities
• DPO Designation, Position and Tasks
• Cross border data flows today and the road ahead
• International Data Transfers solutions: adequacy, Derogations and Safeguards
• Role of Certification and Codes of Conduct
• Analysis of Cloud computing (Case discussion)

Knowledge

– Legal and regulatory requirements for Data Protection
– Roles and responsibilities required for Data Protection management throughout the enterprise
– Methods to implement Data Protection policies
– The fundamental concepts of governance and how they relate to Data Protection management
– Internationally recognized Data Protection principles, standards, frameworks and good practices related to Data Protection governance and strategy development

Experience

– Creating, implementing and measuring Data Protection policies, standards and procedures
– Achieving Data Protection compliance with external regulations and other legal requirements
– Aligning privacy strategy with corporate governance goals
– Creating privacy policies that align with business needs and make use of information security safeguards, and devising methods to measure the effectiveness of the policies
– Communicating with executive leadership.

Qualifications

Demonstrated understanding of privacy principles and how to effectively implement them within an organization.

Possible certifications to support qualifications include: CIPP, CISM, Certified in the Governance of Enterprise IT® (CGEIT®), CRISC or other privacy certifications

Behavioural skills

• Ability to translate legal requirements to practical actions
• Ability to understand technical requirements and determine how to implement them to most effectively support privacy protections
• Proven leader with excellent communication skills
• Process orientation

Technical skills

• Good understanding of privacy practices that apply to specific business practices involving personal information
• Understanding of technologies that degrade privacy protections

RISK AND IMPACT ASSESSMENT

2. RISK AND IMPACT ASSESSMENT

Risk Assessment and Data Protection Impact Assessment to align with enterprise risk management directives.

• Data Protection Impact Assessments: Context, Relevance
• Risk Management principles, Risk Scenarios and their categories
• Risk Response Priority Workflow
• Information Risk Management Steps
• Samples of detailed Risk Scenario Analysis
• DPIA Process in light of the guidelines from the G29 Working Party
• Detailed Walkthrough of the DPIA Process (Risks, Controls, Risks, and Decisions)
• The Concept of Legitimate Interest
• Shadow IT impact on GDPR Compliance
• Analysis of Internet of Things applications (Case discussion)
• Analysis of Facebook tracking through social plug-ins (Case discussion)

Knowledge

– Methods to establish a privacy risk classification model consistent with business objectives
– Methods to establish a Data Protection harms classification model consistent with business objectives and in support of data subjects
– Data Protection risk assessment and analysis methodologies
– Business processes, business use of personal information, essential functions
– Data Protection standards
– Privacy-related laws and regulations
– Risk frameworks and models, risk quantification, risk recording and risk reporting

Experience

Significant amount of experience in Data Protection and business management, including experience in:
– Assessing the risk related to Data Protection practices
– Assessing information security risk
– Mitigating Data Protection risk based on the business needs of the enterprise in consideration with the associated Data Protection harms
– Risk management, risk profiling and threat assessments
– Data Protection harms assessment and mitigation

Qualifications

Demonstrated experience in and understanding of how to identify and mitigate information security risk, Data Protection risk and Data Protection harms.

Possible certifications to support qualifications include: CISM, CIPP, CRISC, or one of the available Data Protection certifications and/or risk management certifications

Behavioural skills

• Abstract thinker
• Problem-solving expertise
• Process orientation
• Forward thinking

Technical skills

• An understanding of practices, technologies and activities involving personal information and the risk associated with them
• An understanding of Data Protection harms to data subjects and the events that result in those harms
• Risk analysis and mitigating controls techniques including CNIL and other methods

COMPLIANCE TRANSFORMATION

3. COMPLIANCE TRANSFORMATION

Transformation includes program and project management, process improvement and the implementation of adequate enablers to target protection levels. Build enablers and foundations to implement functional processes.

• Defining security controls
• Information Security Management System (ISMS)
• ISO 27001 controls & the impact on Privacy & Data Protection
• Role of the CISO & information security domains
• Data Protection Governance & Business Requirements definition
• Differences CISO - DPO
• Security Fundamentals
• Sources of external threat
• Enterprise Security Architecture
• Cybersecurity processes
• Bottom-up approach using comprehensive security controls checklists
• Typical Shortcomings in Existing Management Processes
• Network Security methods and Cloud computing threats
• Identity and access management
• Security information and event management
• Implementing and Demonstrating the effectiveness of security controls
• Security vs Privacy
• Data Protection threats and Data Protection controls
• Building Data Protection into systems to counter Vulnerabilities and attacks
• Data protection by design
• Data Protection Design Strategies
• Data Protection Enhancing technologies
• Analysis of GDPR Accountability versus consent (Case discussion)
• Analysis of Data Protection by default in a Geolocation (Case discussion)
• Threat modelling technique for privacy

GDPR Functional requirements (figure; © Copyright CBPL, ICO., ICTC.EU 2016)

(figure) Source: ISACA Privacy Principles and Program Management Guide (2016)

Knowledge

– Enterprise goals and plans for future initiatives involving personal information
– Data Protection management trends, services and disciplines
– Internationally recognized Data Protection standards, frameworks and good practices related to information security strategy development
– Related Role/Structure include:
  • Data management
  • Enterprise Architecture practices and frameworks
  • Process maturity enablers
  • Portfolio, program and project management
  • Data protection elements, enhancing technologies and frameworks such as CNIL and Nymity
  • Digital Transformation and Change Management

Experience

Demonstrated significant experience in Data Protection management, including:
– Experience in Data Protection strategy and governance
– Experience incorporating Data Protection throughout the entire personal information life cycle
– Experience in creating and implementing strategies and Data Protection principles, practices and activities throughout all areas of an organization
– Program management
– Enterprise Architecture and digital transformation.

Qualifications

• Demonstrated experience in and understanding of how to establish and implement Data Protection and/or information security management and/or governance programs, and demonstrated understanding of Data Protection principles and how to effectively implement them within an organization
• Possible certifications to support qualifications include: TOGAF, CIPP, CISM, CGEIT, CRISC, ISO 20000, or one of the available Data Protection certifications and/or project management certifications

Behavioural skills

• Proven leader with excellent communication skills and ability to interface with all levels of the enterprise
• Business transformation orientation
• A change manager of how technologies can impact Data Protection

Technical skills

• Broad understanding of Technology, people and process impacts
• Information security architecture and data protection
• Ability to research new and emerging technologies and trends that could involve or derive personal information, and those that impact privacy

INFORMATION SECURITY AND PRIVACY

4. INFORMATION SECURITY AND PRIVACY

Build the secure platform within several architectural layers.

• Personal data categories
• Data Life Cycle Management
• Data Classification Process
• Manage Data Protection within a classification process
• Apply security rules to software
• Data Flow
• Governance enablers in a Data Protection transformation
• Seven steps for a Data Protection program implementation
• Key success factors for a successful implementation
• Link to external resources and usual Data Protection frameworks
• Overview of Data Protection standards
• The transformation process and Organizational Barriers
• Practical step by step implementation at a complex organisation
• Creating a Data Protection notice/policy, a consent policy/withdrawal, a Data breach notification form, and a complaint form

GDPR Non-Functional requirements (figure; layers shown: Network Security, Continuity, Cyber security, Application Security, Architecture, Business Impact; © Copyright ICTC.EU 2016)

Knowledge

– How all the technologies within the enterprise interact with the business and Data Protection policies
– Data Protection management architectures and methods for applying/implementing them
– Application design Data Protection review with threat modelling
– Methods to design information security and IT security, Data Protection practices
– Cybersecurity skills

Experience

– Creating, implementing and measuring Data Protection policies, standards and procedures
– Achieving Data Protection compliance with external regulations and other legal requirements
– Aligning Data Protection strategy with corporate governance goals
– Creating Data Protection policies that align with business needs and make use of information security safeguards, and devising methods to measure the effectiveness of the policies
– Communicating with executive leadership.

Qualifications

Good understanding of networking protocols, databases, applications and operating systems, and how they are applicable to the business processes.

Possible certifications to support qualifications include: CISSP, ISO2700X, CISM, CISA, CRISC, or one of the available Data Protection certifications and/or project management certifications

Behavioural skills

• Abstract thinker
• Problem-solving expertise
• Risk oriented strategy focus

Technical skills

• Deep and broad knowledge of IT and emerging technologies trends, both within business and in the general public (e.g., wearable technologies, mobile apps, surveillance tools)
• Technical design capabilities for information technology
• Strong subject matter expertise in IT and technical protections

OPERATIONS & BREACH MANAGEMENT

5. OPERATIONS & BREACH MANAGEMENT

Operations, Service Management, Response and breach handling activities require due care, Protection and adequate preparation.

• Response / Breach Management & Communication
• Security of Processing & Data Breach Notification: People, Process, Technology
• Statistics overview and Questionnaires to relate risks of security and data breaches
• Security operations centre
• Data Breach requirements in GDPR
• Reasons for personal data breaches
• Maintain a Personal Data incident/Response Plan
• Incident Handling standards
• Incident identification & classification and key performance indicators
• Incident Management guidance

Knowledge

– Incident management and handling including communication and incident notification
– Crisis management and Problem handling
– Managing Data Protection management programs, policies, procedures and standards as they pertain to business activities
– Personal information access log monitoring, log aggregation and log analysis
– The following are the related roles/structure for Data Protection management operations: CISO, CTO, PM, Data Protection management team
– Incident, Problem and Crisis Management
– Communication skills

Experience

Service management and security operations experience, including:
– Strong background in Data Protection management and/or Data Protection compliance
– Working knowledge of all privacy-related functions in the enterprise and an understanding of how they align with the business objectives

Qualifications

Demonstrated experience in and understanding of how to identify and mitigate information security risk, Data Protection risk and Data Protection harms.

Possible certifications to support qualifications include: CISM, CIPP, CRISC, or one of the available Data Protection certifications and/or risk management certifications

Behavioural skills

• Proficiency in managing Operations and staff
• Analytical mindset, detail orientation
• Strong facilitation skills
• Strong time management skills
• Good communications skills

Technical skills

• Strong subject matter expertise in business operations and information security technologies
• Incident tracking
• Forensics

Lectured tracks and modules

G – track IT Governance
• G1 – The CIO Foundation
• G2 – IT Governance Workshop
• G3 – IT Risk and Legal concerns

M – track IT Management
• M1 – Applications Build and Management
• M2 – IT Services and Run Management
• M3 – IT Sourcing Management

B – track Business Agility
• B1 – Enterprise Strategy and Architecture
• B2 – Business Transformation
• B3 – Digital Agility and Innovation

A – track Activating skills
• A1 – IT Finance and Portfolio Management
• A2 – Soft Skills for IT professionals
• A3 – Building Expert Opinion

S – track Info Security
• S1 – Information Security Management
• S2 – IT Security Practices
• S3 – Cybersecurity Workshop

© Copyright ICTC.EU 2017 – Solvay.edu/IT

(figure) Organisation, Skills and Resources; Resources and Architecture; Program Implementation; GDPR Functional requirements. Elements shown: Principles, Policies and Frameworks; Processes; Organisational Structures; Culture, Ethics and Behaviour; Information; Services; People, Skills and competencies; Infrastructure; Applications; Portfolio; Programs; Projects.

Implementing privacy requires a continuous improvement life cycle methodology. It should provide general guidance on how to adapt the approach for a privacy management

EDITION FACTS

Body of knowledge with 5 domains

Data Protection supporting modules (same track and module grid as "Lectured tracks and modules" above)

Executive Programme for Data Protection Officers

Executive Programme for GDPR implementation

A new Executive Programme will be added to the SBS-EM ITME/ISME portfolio, namely ‘Executive Programme for Data Protection Officers’. A participant would be granted this certificate based on successful completion of the S1 (Information Security Management), S2 (IT Security Practices), G2 (IT Governance Workshop) and G3 (IT Risk and Legal concerns) modules in addition to the ‘Certified General Data Protection Professional – Privacy Security Governance’.

linkedin.com/in/ataya/

DREAM. LEARN. LEAD.

THANKS