For more information visit www.espiongroup.com
Surviving an Office of the Data Protection Commissioner (ODPC) Audit
Alexander Hotel, March 18th 2015
@IsacaIreland ISACA Ireland Chapter [email protected]
Surviving an Office of the Data Protection Commissioner (ODPC) Audit
Gavin D’Alton
Consultancy Team Lead
Espion
Agenda
1. Speaker Introduction
2. Data Protection Acts 1988 and 2003
3. Implementing a Data Protection Framework
4. What to do if your organisation is subject to audit by the ODPC
5. Notification of Intent to Audit
6. Preparation
7. How the Audit Process Works
8. The Day of the Audit
9. The Audit Report
10. The New Law (time permitting)
11. What can/ should businesses do now?
Introduction
• Going into a new organisation and setting up a new function can be quite daunting.
• However, armed with the right tools and knowledge it is very possible to establish a smooth-running function which will enhance DP awareness across the organisation.
• And help things run smoothly in the event a certain letter arrives…
(Hopefully, a practical approach)
Data Protection Acts 1988 & 2003
• Data Protection is about the management of the processing of personal data and the creation of a framework for the lawful processing and protection of personal data.
• The Irish Data Protection Acts 1988 and 2003 give effect to the European Data Protection Directive 95/46/EC.
• The legislation provides a balance between individual rights and organisational necessity by providing a framework within which to process data fairly and lawfully.
Data Protection Acts 1988 & 2003
The 8 requirements:
1) Obtain and process the information fairly.
2) Keep it only for one or more specified and lawful purposes.
3) Process it only in ways compatible with the purposes for which it was given to you initially.
4) Keep it safe and secure.
5) Keep it accurate and up-to-date.
6) Ensure that it is adequate, relevant and not excessive.
7) Retain it no longer than is necessary for the specified purpose or purposes.
8) Give a copy of his/her personal data to any individual, on request.
Steps to implementing a Data Protection Framework
i. Get buy-in
ii. Define Roles
iii. Policies and Procedures
iv. Training
v. Personal Data Inventory
vi. Managing Data Processors
vii. DP Self-Audit
viii. Action Plan and Remedial Work
Implementing a Data Protection Framework
1) Get buy-in:
• Arrange a meeting with senior management.
• Deliver a presentation around the DP responsibilities of the organisation and areas which will be in scope for a DP framework.
• These will be:
i. Policies and Procedures
ii. Training
iii. Personal Data Inventory
iv. Managing Data Processors
v. DP Self-Audit.
Implementing a Data Protection Framework
1) Get buy-in: Easier said than done!
Implementing a Data Protection Framework
2) Define Roles:
• Who has overall responsibility for the project?
• Who is on the project team and what will their individual roles be?
• Set up a DP Committee which will meet regularly to discuss the progress of the plan?
Implementing a Data Protection Framework
3) Policies and Procedures:
• If policies and procedures do not exist, you may need to create these from scratch.
• Your organisation may already have policies and procedures in place; if so, these will need to be reviewed in line with current DP regulation to ensure that they are fit for purpose.
Implementing a Data Protection Framework
3) Policies and Procedures:
• Why? And what needs to be included?
– Look at the 8 rules of DP and assess each one against the activities of your organisation.
– Policies set the course of DP in the organisation for the foreseeable future.
– Policies clearly define the organisation’s DP responsibilities and what is needed to implement them.
• Third Party Processors!
Source: http://www.dataprotection.ie/docimages/documents/GuidetoAuditProcessAug2014.pdf
Implementing a Data Protection Framework
4) Training:
• All staff who handle personal data in an organisation must receive data protection training appropriate to their level of responsibilities.
• Staff processing sensitive personal data will require tailored training.
• Staff should receive training at induction stage and before accessing personal data, and should also receive annual refresher training.
• Maintain a Training Log.
• Third Party Processors!
Implementing a Data Protection Framework
5) Personal Data Inventory:
• Create an architecture map of systems within the organisation which hold personal data.
• Map out personal customer data on a Register, e.g.:
– Customer Data Details
– Data Volumes
– Name of the system in which it is held
– Business/Technical Owner
– Purpose for processing the Data
– Details of 3rd parties to whom the data may be transferred (include security measures such as encryption)
– How long is data retained for
• Repeat process annually as part of an internal data protection audit process.
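Once the register above is kept in a structured form, the annual review can be partly mechanised: each row can be checked against the DP rules it is able to evidence (a stated purpose, a named owner, a retention period that is both defined and respected, and documented security for any third-party transfer). The following is an added example, not code from the presentation, from Espion or from the ODPC. The register columns mirror the slide; the Python field names, the constructed sample rows, the audit date and the extra "oldest record" date column used to test retention are assumptions.

```python
"""Consistency checks over a personal data register (added example).

Not code from the presentation, Espion or the ODPC. Column names follow the
slide; field names, sample rows, the audit date and the 'oldest_record'
column are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class RegisterEntry:
    data_details: str                        # Customer Data Details
    volume: int                              # Data Volumes (record count)
    system: str                              # Name of the system in which it is held
    owner: str                               # Business/Technical Owner
    purpose: str                             # Purpose for processing the Data
    third_parties: List[str] = field(default_factory=list)  # 3rd parties data may be transferred to
    transfer_security: Optional[str] = None  # security measures for those transfers, e.g. encryption
    retention_days: Optional[int] = None     # How long is data retained for
    oldest_record: Optional[date] = None     # assumed extra column: date of the oldest record still held


Finding = Tuple[str, str, str]  # (system, DP rule reference, description)


def audit_entry(entry: RegisterEntry, today: date) -> List[Finding]:
    """Return the gaps a single register row shows against the DP rules it can evidence."""
    findings: List[Finding] = []
    if not entry.purpose.strip():                       # rule 2: specified and lawful purpose
        findings.append((entry.system, "rule 2", "no specified purpose for processing"))
    if not entry.owner.strip():                         # someone must answer for the data
        findings.append((entry.system, "accountability", "no business/technical owner named"))
    if entry.third_parties and not entry.transfer_security:   # rule 4: keep it safe and secure
        findings.append((entry.system, "rule 4",
                         "transfer to %s without documented security measures"
                         % ", ".join(entry.third_parties)))
    if entry.retention_days is None:                    # rule 7: retain no longer than necessary
        findings.append((entry.system, "rule 7", "no retention period defined"))
    elif entry.oldest_record is not None:
        age = (today - entry.oldest_record).days
        if age > entry.retention_days:
            findings.append((entry.system, "rule 7",
                             "oldest record is %d days old, exceeds retention of %d days"
                             % (age, entry.retention_days)))
    return findings


def audit_register(entries: List[RegisterEntry], today: date) -> List[Finding]:
    """Run audit_entry over the whole register, preserving register order."""
    findings: List[Finding] = []
    for entry in entries:
        findings.extend(audit_entry(entry, today))
    return findings


# Constructed sample register (not real data): one clean row, two rows with gaps.
SAMPLE_REGISTER = [
    RegisterEntry("Customer name, address, order history", 12000, "CRM", "Sales Director",
                  "Order fulfilment", ["Courier"], "SFTP, encrypted at rest", 730, date(2014, 1, 1)),
    RegisterEntry("Email addresses", 40000, "Marketing list", "Marketing Manager",
                  "", ["Email service provider"], None, None, date(2013, 5, 1)),
    RegisterEntry("Former employee payroll records", 300, "HR archive", "",
                  "Payroll", [], None, 365, date(2012, 6, 1)),
]

AUDIT_DATE = date(2015, 3, 18)  # assumed date on which the self-audit is run


def sample_findings() -> List[Finding]:
    """Findings for the constructed register on the assumed audit date."""
    return audit_register(SAMPLE_REGISTER, AUDIT_DATE)


if __name__ == "__main__":
    for system, rule, text in sample_findings():
        print("%-15s %-15s %s" % (system, rule, text))
```

Running it reports three gaps for the marketing list (no purpose, undocumented transfer security, no retention period) and two for the HR archive (no owner, records held beyond the 365-day retention), while the CRM row passes. A real register would add further columns the slide implies, such as data classification and the lawful basis, but the pattern of one function per row keeps each check traceable to a specific DP rule when the findings are written up.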
Implementing a Data Protection Framework
6) Managing Data Processors:
• Must be a written contract in place!
• The contract must contain a DP clause setting out the Data Controller’s instructions around processing, retention and destruction.
• The contract must have a start and end date.
• The contract must give the Data Controller the ‘Right to Audit’.
• The controller must set out technical security measures to be applied to the data, e.g. that the processor must obtain ISO 27001 etc.
Interesting case study: https://dataprotection.ie/docs/CASE-STUDIES-2013/1441.htm#CS14
Implementing a Data Protection Framework
7) Data protection self audit:
• The ODPC publish their “Guide to Audit Process” on their website, which includes sample audit questions and a self-help checklist:
http://www.dataprotection.ie/docimages/documents/GuidetoAuditProcessAug2014.pdf
• The sample questions are based on the 8 rules of DP.
• Extremely useful in measuring your organisation’s compliance levels and any gaps that may exist.
• Top tip:
– Have staff from different departments complete the sample questions.
– Then hold group workshops in order to analyse the answers.
– Gain a deeper understanding of the state of DP compliance in the organisation!
Implementing a Data Protection Framework
8) Action Plan and Remedial Work:
• Usually at this stage it is a good idea to produce a high-level findings report.
• The findings should be risk-rated with an action plan to remediate the findings.
• The report should be discussed with Senior Management and a prioritised plan should be put in place.
• It may be a good idea to put in place an ‘Information Governance Council’ comprised of an Information Working Group, Information Leads, Data Business Owners and Data Stewards.
So your organisation receives THAT letter…
i. Legal basis for audit
ii. Selection of audit targets
iii. Types of audits
iv. In practice: What is an ODPC audit?
v. Notification of intent
ODPC audits
1) Legal Basis for Audit:
• Section 10(1A) of the Data Protection Acts 1988 & 2003 states that:
– (1A) The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with the provisions of this Act and the Electronic Communications Networks and Services Regulations of 2003 and to identify any contravention thereof.
• Section 24(2) delegates specific powers and rights of access to authorised officers of the Data Protection Commissioner.
ODPC audits
2) Selection of ODPC targets:
• An audit target list is maintained.
• The intention of the ODPC is to audit a broad mix between the public, private and voluntary sector, representative of all entities holding personal data.
• Entities are selected for a wide range of reasons:
– Complaints
– An acknowledged holder of substantial repositories of personal data.
– A multi-national organisation who has established its European headquarters in Ireland.
– Research involving human data subjects
– Media reports featuring specific allegations
– A policy area which requires further clarification may lead to an organisation being selected for audit
– Products which rely upon a large amount of personal data
– Etc.
ODPC audits
3) Types of ODPC audits:
• 2 types of audits:
– Scheduled audits
– “On the spot” audits
ODPC audits
4) In practice: What is an ODPC audit?
• Audits of the kind carried out by the Office of the Data Protection Commissioner in Ireland are compliance based.
• A compliance audit typically examines an organisation’s procedures, policies, systems and records.
• Objective:
– To assess whether the organisation is generally in compliance with data protection legislation requirements.
– An audit will also include an assessment of the organisation’s level of awareness regarding data protection requirements, based on existing policies and practices within that organisation.
Source: http://www.dataprotection.ie/docimages/documents/GuidetoAuditProcessAug2014.pdf
ODPC audits
5) Notification of intent to audit:
• The ODPC will give approximately one month’s notice of the audit with an “Intention to Audit” letter.
• This letter may explain briefly why the organisation is going to be audited, such as:
– Part of a schedule of audits into the activities of a particular industry.
– Your organisation has had a number of personal data breaches which have been reported to the ODPC.
• Details what areas the inspection will focus on:
– Any area within an organisation where personal data is held and processed; those areas will be audited in line with the 8 rules of data protection.
• It may also detail more specific areas which the audit will focus on, e.g. marketing, customer database etc.
ODPC audits
Notification of intent to audit (continued…)
• The letter will also ask that relevant managers and staff be available for the duration of the audit.
• It is vital to notify staff in advance to drop everything for the proposed dates.
• The letter will likely also ask for a number of documents to be sent to the ODPC in advance of the audit, such as data protection policies, codes of practice, website privacy statement and data protection training materials.
• The letter will also state that a draft report will be issued following the audit – the organisation will have the opportunity to comment on the report prior to receiving the final audit report.
Surviving the audit…
i. Preparation
ii. How the audit process works
iii. The day of the audit
iv. Outputs: The audit report
Surviving the audit
1) Preparation:
• Letter has been received = an organisation has a clear instruction as to what areas will be audited.
• Identify relevant managers and staff and arrange workshops/meetings in advance of the audit so that they are clear about DP responsibilities.
• Ensure managers are fully aware of the DP activities within these Third Party Processors.
• Ensure Third Party Processors are complying with their contractual DP obligations.
• Review any previous DP breaches to ensure that the agreed remedial actions have been implemented.
Surviving the audit
Preparation (continued…):
• Review training materials and training statistics for the organisation and any third parties.
• Review your third party requests log.
• Review your Subject Access Requests (SARs) log.
• Gather and review all of the documentation requested by the ODPC in their letter of intent.
Surviving the audit
More Preparation:
• Review case studies in ODPC annual reports.
• Review audit reports of similar organisations.
• Ensure that you obtain consent for cookies on your website.
Surviving the audit
Even more preparation:
• It is a good idea also to map out key business processes and your organisation’s main data systems.
• If possible, also have in place an Information Register.
– This will detail the names of systems which hold personal data, how the data is classified, list the data contained therein and the data owner.
• Other useful registers:
– Data Retention Register
– Third Party Transfer Register
Surviving the audit
2) How the Audit Process Works:
• The audit may last a matter of one day, a few days, weeks or even months.
• The authorised officers will likely ask for access to key systems, or they will request that a member of staff conduct a walkthrough of key customer databases.
• They will indicate a rough timetable of events for the day and which staff they will want to interview.
• It is useful to start off the audit with a brief presentation giving a high-level overview of the organisation and its data.
• Top tip: Use your charts and registers from the prep phase!
Surviving the audit
3) The Day of the Audit:
• Questionnaire-based approach:
– Focuses on the flow of personal data within and outside the organisation.
– Questions typically structured around the 8 data protection principles.
• They will generally focus on areas of the organisation:
– which either hold a lot of personal data
– or which have been the subject of a previous breach.
• They will go into further detail around what actions have been taken to mitigate against further breaches.
• They will likely ask for further documents over the course of the day to be forwarded after the audit.
• The audit is a two-way process; co-operation is vital.
Surviving the audit
4) The Audit Report:
• The draft report will be sent to the organisation within about 8 weeks.
• The organisation will have an opportunity to respond to the draft report before a final report is published.
– Objective: To have agreement between the ODPC and the organisation on the contents of the final report.
• The ODPC will not publish the report, but the organisation will be mentioned in their Annual Report.
– Organisations may choose to publish the report themselves.
– Chances are, a member of the public will make an FOI request for the report anyway.
Surviving the audit
5) The Audit Report – Typical contents:
• An opinion: Is the audited organisation operating in accordance with the Data Protection Acts (1988 & 2003)?
– Compliance based: Is the organisation operating in accordance with its own documented data protection or privacy-related policies, sectoral codes of practice, guidelines and procedures?
• A compliance audit will identify existing and potential gaps and weaknesses.
– Identification of non-compliances.
– Identification of any risks or possible contraventions of applicable legislation.
• Remedial Actions to be taken.
– Immediate remedial action may be prescribed by the Office of the Data Protection Commissioner.
– Improvements.
Surviving the audit
6) The Audit Report – Not all doom and gloom:
• Positive Findings!
• An audit will identify strengths and areas where data protection practices in an organisation are to be commended.
The new Data Protection Laws
i. Why the need for EU Data Protection Reform?
ii. Why do individuals need more protection?
iii. What does the Commission hope to achieve?
iv. Key changes
v. Strengthening Individual Rights – Profiling
vi. Strengthening Individual Rights – Right to be Forgotten
The New Data Protection Laws
1) “Radical overhaul”? Not really…
• In January 2012, the European Commission outlined its proposals for a radical overhaul of DP rules in the EU.
• The new law is expected to be enacted by a regulation which will supersede the existing Data Protection directive (95/46/EC).
• The regulation was initially expected to be in force by 2015 but the legislative process takes time…
• The proposed changes do not represent a radical overhaul of DP law, rather an enhancement of the existing law, taking into account the fact that when the 1995 law came about, the internet was in its infancy.
The New Data Protection Laws
2) Why the need for EU Data Protection Reform?
• Each country in the EU implemented the 1995 EU Data Protection Directive differently, so there is a very strong appetite for united Regulation across the EU.
• However…
• In 1995 the Internet was a very different beast - our Digital DNA is now everywhere we go.
• And every country has interpreted things a bit differently…
The New Data Protection Laws
3) Why do individuals need more protection?
• Loss of control vs what is required for everyday life.
• 74% of European individuals think that disclosing personal data is part of modern life.
• BUT 72% of internet users feel that they give away too much data.
• 43% of internet users believe they have been asked for more personal information than is necessary.
• Cloud computing means that more data is stored on remote servers instead of personal computers.
• The right of individuals to retain effective control over their personal data is fundamental and must be protected.
The New Data Protection Laws
4) What does the Commission hope to achieve?
• Reinforce individuals’ rights – privacy by design and by default.
• Strengthen the EU internal market through new, clear and robust rules for the free movement of data – simplification of binding corporate rules.
• Ensure consistent enforcement of the rules.
• Set global data protection standards.
• Ensure a high level of DP across all industries.
The New Data Protection Laws
5) Key changes:
1) A level playing field for business through one single law applicable to any business across the EU – harmonisation expected to save businesses up to €2.3 billion per year.
2) One-Stop-Shop – companies in the EU will be answerable to a single DPA no matter how many EU countries they do business in.
3) Companies with over 250 employees must hire a Data Protection Officer – increase accountability of data controllers.
4) Individuals will have the right to refer all cases to their home country national data protection authority, even if the data is processed outside of their home country.
The New Data Protection Laws
Key changes (continued):
5) Privacy by design.
6) Make the data transfer process from one service provider to another easier.
7) Strengthen the right to be forgotten – the onus will be on data controllers to prove that they need to keep the data, not on the data subject.
8) Ensure that consent is explicitly given rather than assumed.
9) Every individual will have the right not to be profiled.
What can / should businesses do now?
i. The 7 P’s
ii. A checklist
What can / should businesses do now?
1) Flag changes to Management.
2) Appoint a Data Protection Officer.
3) If your business is outside the EU, plan to appoint a DP representative who is based in the EU.
4) Look at what data you process – create an Information Management Policy and data registers / flows.
5) Look at your organisation’s data breach procedures and have a clear plan of action should a data breach occur, as you may have only 24 hours to notify.
What can / should businesses do now?
6) Review contracts with data processors to ensure that the terms regarding Data Protection are strong enough.
7) Review your internal data protection polices
8) Introduce Privacy Impact Assessments to detect data protection risks at an early stage
9) Review all consents received for direct marketing to ensure that they fit within the new definition of consent
10) Review your training materials and organise tailored staff training, if necessary.