Presented by:
• Alan Calder, Founder and CEO
• IT Governance Ltd
• 8 March 2018
GDPR CHALLENGES FOR THE HEALTHCARE SECTOR
AND THE PRACTICAL STEPS TO COMPLIANCE
Introduction
• Alan Calder
• Founder and chief executive officer of IT Governance
• IT Governance is the single source for everything to do with IT governance, cyber risk management and IT compliance
• Author of IT Governance: An International Guide to Data Security and ISO27001/ISO27002, 6th Edition (Open University textbook)
Copyright IT Governance Ltd – v 0.4
Today’s discussion
• An overview of the General Data Protection Regulation (GDPR) and the Data Security and Protection (DSP) Toolkit and their impact on the healthcare sector.
• Accountability frameworks that support GDPR compliance, and the role of senior management in ensuring that compliance and cyber resilience are a strategic focus.
• Embedding data protection by design and by default, and a holistic approach to achieving a cyber-resilient posture.
• The practical steps that healthcare organisations need to take when looking at GDPR compliance.
• The role of a robust staff awareness programme in supporting a culture of cyber resilience and compliance.
EU GENERAL DATA PROTECTION REGULATION
(GDPR)
Data protection model under the GDPR (diagram slide)
Rights of data subjects
• The controller shall take appropriate measures to provide any information … relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language (Article 12(1)).
• The controller shall facilitate the exercise of data subject rights (Article 12(2)).
• Right to:
  • Information
  • Access
  • Rectification
  • Erasure
  • Restriction of processing
  • Objection
  • Data portability
  • Be informed of the existence of automated decision-making, including profiling, and its anticipated consequences
• Also:
  • The right to withdraw consent at any time
  • The right to lodge a complaint with a supervisory authority
• The Regulation applies to controllers and processors established in the EU irrespective of where the processing takes place (Article 3(1)).
• It also applies to controllers and processors not established in the EU where they offer goods or services to data subjects in the EU or monitor their behaviour there (Article 3(2)).
Penalties
Administrative fines
• Imposition of administrative fines will in each case be effective, proportionate and dissuasive (Article 83(1)).
• The amount takes into account, among other factors, the technical and organisational measures implemented (Article 83(2)).
• Up to €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(4)).
• Up to €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5)).
THE DATA SECURITY AND PROTECTION (DSP) TOOLKIT
Overview
From April 2018, the DSP Toolkit will replace the Information Governance (IG) Toolkit as the standard for cyber and data security for healthcare organisations.
Compliance with the DSP Toolkit requires organisations to demonstrate that they are implementing the ten data security standards recommended by the National Data Guardian Review as well as complying with the GDPR’s requirements.
NHS Digital has released the draft assertions of the DSP Toolkit, and a prototype of the online portal is available to test before April 2018.
The 10 data security standards
Standard 1: All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form.
Standard 2: All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.
Standard 3: All staff complete appropriate annual data security training and pass a mandatory test.
Standard 4: Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals.
Standard 5: Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security.
Standard 6: Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection.
Standard 7: A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.
Standard 8: No unsupported operating systems, software or internet browsers are used within the IT estate.
Standard 9: A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.
Standard 10: IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian’s Data Security Standards.
DSP Toolkit: who needs to comply
• DSP Toolkit compliance will be required for all NHS organisations, the NHS supply chain and any organisation that accesses NHS networks.
• Care homes will be required to complete the DSP Toolkit from 2018–19.
(Organisation types as detailed in the DSP Toolkit online portal: screenshot slide)
DSP Toolkit: how to comply
Cyber Essentials Plus
• Satisfies multiple conditions of the DSP Toolkit
• Pre-populates all satisfied conditions upon registration to the portal
• Goes beyond the minimum requirement for the Toolkit
GDPR
• Multiple articles of the GDPR are referenced in the Toolkit, and to comply organisations must demonstrate compliance with these Articles
• NHS Digital has released guidance on GDPR compliance in healthcare which informs the GDPR compliance requirements within the DSP Toolkit
• Summary guidance is available in the checklist which is discussed later.
CYBER RESILIENCE
A resilient approach to cyber security
• Breach prevention
  • Encryption, pseudonymisation, minimisation
  • Malware protection
  • Improve overall cyber security
  • Policies and procedures
• Breach detection
  • Logging and monitoring (average detection time 146 days)
  • Policies and procedures
• Breach response
  • Security incident process
  • Business continuity capabilities
Achieving cyber resilience in healthcare
Key considerations:
• Understand current cyber risks and plan for risks arising from new technologies.
• Embed cyber resilience by design and default
  • Cyber resilience should be embedded without compromising provision of care.
• Identify how information is used across the organisation
  • Each organisation or Trust will have a unique data flow map which will need to be understood and should inform any cyber resilience planning
• The ‘human element’:
  • Embed cyber resilience in organisational culture
  • All staff, regardless of function, need to understand their responsibility towards cyber resilience
Accountability
The principle of accountability and what it means
• Article 5: Principles relating to processing of personal data
• “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).” (Article 5(2))
Personal data shall be:
1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and, where necessary, kept up to date
5. Retained only for as long as necessary
6. Processed in a manner that ensures appropriate security (‘integrity and confidentiality’)
Data protection by design and default
Article 25: Data protection by design and by default
• The controller shall implement appropriate technical and organisational measures
• Only data necessary for each specific purpose is processed
• The obligation applies to the following:
  • the amount of data collected
  • the extent of the processing
  • the period of storage
  • the accessibility of that data
• Personal data is not made accessible to an indefinite number of natural persons without the individual’s intervention
• Pseudonymisation and minimisation are recognised techniques in data protection by design (Article 25(1) names pseudonymisation explicitly; the ‘additional information’ needed to re-identify pseudonymised data must be kept separately under its own technical and organisational controls, Article 4(5))
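The slide names pseudonymisation and minimisation but does not show what applying them to a patient record looks like. The following is an added example, written for this page rather than taken from the original deck, from IT Governance or from NHS Digital: direct identifiers are replaced by a keyed HMAC-SHA256 token, the key is held separately and per purpose so that re-identification requires it, and a per-purpose allow-list drops every field the purpose does not need. The record layout, field names, purposes and the NHS number (the standard test number, not a real patient) are constructed for illustration.

```python
"""Pseudonymisation with a separately held key, plus field-level minimisation.

Added example; not code from the original deck. The record layout, field
names and purpose definitions below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Any, Dict, Iterable, Optional

# Fields that identify a patient directly. They stay in the source system and
# are never copied into a pseudonymised extract.
DIRECT_IDENTIFIERS = frozenset({"nhs_number", "name", "date_of_birth", "postcode"})

# Per-purpose allow-lists (constructed). Each purpose receives only the fields
# it needs, which is the minimisation half of Article 25.
PURPOSE_FIELDS: Dict[str, tuple] = {
    "waiting_time_analysis": ("referral_date", "first_appointment_date", "specialty"),
    "infection_surveillance": ("ward", "admission_date", "organism"),
}


def make_key() -> bytes:
    """Generate a 256-bit pseudonymisation key. One key per purpose, stored
    apart from the extract it protects (Article 4(5): the 'additional
    information' must be kept separately under its own controls)."""
    return secrets.token_bytes(32)


def patient_token(nhs_number: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the NHS number.

    Deterministic for one key, so a patient's records still link within an
    extract. Without the key the token cannot be reversed, and unlike a plain
    SHA-256 it cannot be recovered by hashing every possible 10-digit number."""
    return hmac.new(key, nhs_number.encode("ascii"), hashlib.sha256).hexdigest()


def pseudonymise(record: Dict[str, Any], purpose: str, key: bytes) -> Dict[str, Any]:
    """Return a minimised, pseudonymised copy of ``record`` for ``purpose``."""
    try:
        allowed = PURPOSE_FIELDS[purpose]
    except KeyError:
        raise ValueError(f"no field allow-list defined for purpose {purpose!r}") from None
    leaked = DIRECT_IDENTIFIERS.intersection(allowed)
    if leaked:
        raise ValueError(f"allow-list for {purpose!r} contains direct identifiers: {sorted(leaked)}")
    extract = {"patient_token": patient_token(record["nhs_number"], key)}
    for field in allowed:
        if field in record:
            extract[field] = record[field]
    return extract


def contains_direct_identifier(extract: Dict[str, Any]) -> bool:
    """Release gate: True if any direct identifier slipped into an extract."""
    return bool(DIRECT_IDENTIFIERS.intersection(extract))


def reidentify(token: str, candidate_nhs_numbers: Iterable[str], key: bytes) -> Optional[str]:
    """Re-identification needs both the key and the source identifiers, so only
    the party holding the separated 'additional information' can perform it."""
    for nhs_number in candidate_nhs_numbers:
        if hmac.compare_digest(patient_token(nhs_number, key), token):
            return nhs_number
    return None


# Constructed sample data (the NHS number is the published test number, not a real patient).
SAMPLE_RECORD = {
    "nhs_number": "9434765919",
    "name": "A. Patient",
    "date_of_birth": "1970-01-01",
    "postcode": "AB1 2CD",
    "referral_date": "2018-01-08",
    "first_appointment_date": "2018-02-14",
    "specialty": "cardiology",
    "ward": "C3",
    "admission_date": "2018-02-20",
    "organism": "MRSA",
}
KEY_WAITING = make_key()    # held by the waiting-time analysis data owner
KEY_INFECTION = make_key()  # held by the infection-control team

if __name__ == "__main__":
    extract = pseudonymise(SAMPLE_RECORD, "waiting_time_analysis", KEY_WAITING)
    print(extract)
    print("leak check:", contains_direct_identifier(extract))
    # Same patient, different purpose, different key: tokens do not link across extracts.
    other = pseudonymise(SAMPLE_RECORD, "infection_surveillance", KEY_INFECTION)
    print("cross-purpose linkable:", extract["patient_token"] == other["patient_token"])
```

The keyed hash matters because the NHS number space is only 10^10 values: an unkeyed SHA-256 of it is reversible by exhaustive hashing and is not pseudonymisation in the Article 4(5) sense. Holding a different key per purpose also prevents two extracts being joined on the token without going back to the key holder, which keeps the decision to link data sets with the controller.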
Data protection impact assessment (DPIA)
• Article 35: Data protection impact assessment
• A DPIA assesses the likelihood and impact (i.e. the risk) of the processing to the rights and freedoms of data subjects; a compromise of the confidentiality, integrity and/or availability (‘information security’) of personal data (the ‘asset’) is the main, but not the only, source of that risk
• A DPIA should therefore be a subset of an organisation’s risk management framework:
  • Draw on existing expertise and understanding
  • Integrate conclusions into existing risk treatment plans
  • Demonstrate data protection by design and by default
• DPIAs should already be part of risk management as normal
• A DPIA is required where processing is likely to result in a high risk, which expressly includes large-scale processing of special category data such as health data (Article 35(3)(b))
Data protection impact assessment (DPIA), continued
• A DPIA is not a one-off exercise
  • Conducted for all new systems and processes
  • Functionality may change along the way
  • Risks should be re-evaluated accordingly
• Should be conducted on legacy systems
  • Update the risk register
  • Update the project plans
• The approach adopted goes towards breach mitigation
• Risk assessment should be part of staff training
• The application of DPIAs demonstrates accountability
Practical steps to GDPR compliance
1. Establish a governance framework – board awareness, risk register, accountability framework, review
2. Appoint and train a Data Protection Officer (DPO)
3. Conduct a data flow audit and create a data inventory – identify processors and any data held unlawfully
4. Compliance gap analysis
   • Ensure Privacy Notice and SAR documents and processes are robust and legal
   • Records of processing
5. Develop operational policies, procedures and processes in line with InfoSec best practice (Cyber Essentials / Ten Steps to Cyber Security / ISO 27001)
6. Data breach response process (NB: Test!)
7. Update communication material and train staff on the Regulation’s requirements
8. Monitor, audit and continually improve
Together these steps form the organisation’s privacy compliance framework.
A governance framework and the DPO
To achieve a governance framework in accordance with the GDPR, organisations must:
• Brief management on the GDPR risks and benefits.
• Gain management support for a GDPR compliance project.
• Assign a director with accountability for the GDPR.
• Incorporate data protection risk into the corporate risk management and internal control framework.
The governance framework will be developed with, and monitored by, the DPO.
The DPO:
• Is mandatory for all public authorities, and for organisations whose core activities involve large-scale processing of special category data (which includes health data) or large-scale regular and systematic monitoring of individuals (Article 37(1)).
• Holds a protected position reporting directly to the highest level of management, and must be appropriately qualified and involved, properly and in a timely manner, in all issues relating to the protection of personal data (Articles 37 to 39).
• Will be ‘good practice’ for organisations even where not mandatory. Healthcare industry partners may need to appoint a DPO.
Most staff dealing with personal data will need at least basic training in their responsibilities.
Gap analysis and data flow mapping
• Gap analysis
  – Audit your current compliance position against the requirements of the GDPR.
  – Identify compliance gaps requiring remediation.
  NB: To plan your compliance journey you will usually need to conduct a gap analysis first, to understand the scope of the work needed to achieve compliance.
• Data flow audit – organisations need to
  – Assess the categories of data held, where it comes from and the lawful basis for your processing. All information assets should be linked to an information asset owner.
    º In the case of healthcare provision, the most common bases for processing will be
      - the Article 6(1)(e) lawful basis – necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
      - the Article 9(2)(h) condition for special category data – necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services (subject to the professional secrecy safeguard in Article 9(3)).
  – Map data flows into, within and from your organisation.
  – Use the data map to identify the risks in your data processing activities and whether a data protection impact assessment (DPIA) is needed.
Develop operational policies, procedures and processes
• Organisations must:
  – Create Article 30 documentation – the record of personal data processing activities drawn from the data flow audit and gap analysis.
  – Bring data protection policies and privacy notices in line with the GDPR.
  – Where relying on consent, ensure the gaining of consent meets the new requirements.
  – Review and update employee, customer and supplier contracts.
  – Secure personal data through appropriate procedural and technical measures.
  – Ensure policies and procedures are in place to detect, report and investigate a personal data breach.
  – Review whether the mechanisms for data transfers outside the EU are compliant.
Certifications
• How can you demonstrate what policies, procedures and processes have been implemented?
  – Codes of conduct and certifications may be used to demonstrate compliance with the GDPR (Articles 40 and 42)
  – Recognised international standards (e.g. ISO/IEC 27001)
  – Recognised national management standards (e.g. BS 10012 for a PIMS, or Personal Information Management System)
  – Recognised national technical standards (e.g. Cyber Essentials in the UK)
  – Emergence of new standards, privacy seals etc. across the EU
• Certification does not absolve the controller of the need to comply (Article 42(4))
Subject Access Requests (SARs) and data breach response
SARs
Obligation for data controllers to revise their current SARs procedure to include:
• Response without undue delay and within one month of receipt (extendable by a further two months for complex or numerous requests, provided the data subject is told within the first month; Article 12(3)).
• Possibility for requests to be made electronically (e.g. via email). Where this is the case, a response must be available in a commonly used electronic format (Article 15(3)).
Fees:
• Responding to a SAR is free of charge (Article 12(5)). A reasonable fee based on administrative costs may be charged only:
  • for further copies requested by the data subject (Article 15(3)); or
  • where the request is ‘manifestly unfounded or excessive’, in which case the controller may alternatively refuse to act, and bears the burden of demonstrating that character (Article 12(5)).
Data breach response
• Notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms (Article 33).
• Communicate with data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Article 34(1)).
• Communication must be in clear, plain language (Article 34(2)).
• The supervisory authority may compel communication with data subjects (Article 34(4)).
Exemptions from the obligation to communicate a personal data breach to data subjects (Article 34(3)):
• Appropriate technical and organisational protection measures had been applied to the affected data, in particular measures such as encryption that render it unintelligible to unauthorised persons.
• Subsequent measures have been taken so that the high risk to data subjects is no longer likely to materialise.
• Communication with individual data subjects would involve disproportionate effort, in which case a public communication or similar measure is required instead.
Communication
Communication materials must be updated to reflect more stringent transparency requirements:
Articles 12 to 22: transparency and data subject rights
• Any communication with a data subject must be concise, transparent, intelligible and suitable to the intended audience
• The controller must be transparent in providing information about itself and the purposes of the processing
• The controller must provide the data subject with information about their rights
• Specific provisions (Article 14) cover data not obtained directly from the data subject
• Rights to access, rectification, erasure (‘right to be forgotten’), restriction of processing and data portability
Staff training and awareness
To ensure a compliance programme is completely integrated across your organisation,
it’s imperative that staff are addressed at all stages as they can influence whether it is
a success.
GDPR compliance requires everyone who accesses, collects or processes data to
change their behaviour to remain compliant.
• Identify potential problems with GDPR implementation;
• Educate staff on their responsibility and the consequences of their individual actions;
• Ensure that any procedures are followed consistently across the organisation; and
• Ensure staff are fully aware of corporate compliance requirements of the Regulation.
Healthcare providers and supply chain will need to audit the application of staff
awareness training to fulfil their obligation to the DSP Toolkit staff awareness survey.
IT Governance: one-stop shop - training
GDPR
• Certified EU GDPR Foundation Training Course (classroom, online, distance learning)
• Certified EU GDPR Practitioner Training Course (classroom, online, distance learning)
• DPIA Workshop (classroom)
ISO 27001 & ISO 22301
• ISO22301 Certified BCMS Lead Implementer Training Course (classroom)
• ISO27001 Certified ISMS Lead Implementer (classroom, online, distance learning)
• ISO27001 Certified ISMS Lead Auditor Training Course (classroom, online, distance learning)
In-house training options are available
IT Governance: one-stop shop - consultancy
Consultancy
• Gap analysis
• Data flow audit
• DPO as a service
• Cyber resilience
• Implementing an ISO 27001-compliant ISMS
• Implementing an ISO 22301-compliant BCMS
• Incident response management
Self-help materials
• EU GDPR Documentation Toolkit
• EU GDPR Compliance Gap Assessment Tool
Next steps
Resources to help begin your compliance journey:
• EU General Data Protection Regulation (GDPR) - An Implementation and Compliance Guide
• Speak to a healthcare expert via the online form (www.itgovernance.co.uk/healthcare/speak-to-an-expert)
Call us
+44 (0)333 800 7000
Email us
servicecentre@itgovernance.co.uk
Visit our website
www.itgovernance.co.uk
Like us on Facebook
/ITGovernanceLtd
Follow us on Twitter
/itgovernance
Join us on LinkedIn
/company/it-governance
Questions

GDPR compliance: getting everyone in the organisation on boardGDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on boardIT Governance Ltd
 
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...IT Governance Ltd
 
Creating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeCreating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeIT Governance Ltd
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRIT Governance Ltd
 
Risk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceRisk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceIT Governance Ltd
 
Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...IT Governance Ltd
 
The first steps towards GDPR compliance 
The first steps towards GDPR compliance The first steps towards GDPR compliance 
The first steps towards GDPR compliance IT Governance Ltd
 
Data transfers to countries outside the EU/EEA under the GDPR
Data transfers to countries outside the EU/EEA under the GDPRData transfers to countries outside the EU/EEA under the GDPR
Data transfers to countries outside the EU/EEA under the GDPRIT Governance Ltd
 
The GDPR’s impact on your business and preparing for compliance
The GDPR’s impact on your business and preparing for complianceThe GDPR’s impact on your business and preparing for compliance
The GDPR’s impact on your business and preparing for complianceIT Governance Ltd
 
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...IT Governance Ltd
 
Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...IT Governance Ltd
 
NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...IT Governance Ltd
 
Revising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRRevising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRIT Governance Ltd
 
Privacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingPrivacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingIT Governance Ltd
 
EU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketingEU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketingIT Governance Ltd
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRIT Governance Ltd
 
Appointing a Data Protection Officer under the GDPR
Appointing a Data Protection Officer under the GDPRAppointing a Data Protection Officer under the GDPR
Appointing a Data Protection Officer under the GDPRIT Governance Ltd
 

Mehr von IT Governance Ltd (20)

GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 
Business Continuity Management: How to get started
Business Continuity Management: How to get startedBusiness Continuity Management: How to get started
Business Continuity Management: How to get started
 
Staff awareness: developing a security culture
Staff awareness: developing a security cultureStaff awareness: developing a security culture
Staff awareness: developing a security culture
 
GDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on boardGDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on board
 
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
 
Creating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeCreating an effective cyber security awareness programme
Creating an effective cyber security awareness programme
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPR
 
Risk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceRisk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR compliance
 
Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...
 
The first steps towards GDPR compliance 
The first steps towards GDPR compliance The first steps towards GDPR compliance 
The first steps towards GDPR compliance 
 
Data transfers to countries outside the EU/EEA under the GDPR
Data transfers to countries outside the EU/EEA under the GDPRData transfers to countries outside the EU/EEA under the GDPR
Data transfers to countries outside the EU/EEA under the GDPR
 
The GDPR’s impact on your business and preparing for compliance
The GDPR’s impact on your business and preparing for complianceThe GDPR’s impact on your business and preparing for compliance
The GDPR’s impact on your business and preparing for compliance
 
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
 
Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...
 
NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...
 
Revising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRRevising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPR
 
Privacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingPrivacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failing
 
EU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketingEU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketing
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPR
 
Appointing a Data Protection Officer under the GDPR
Appointing a Data Protection Officer under the GDPRAppointing a Data Protection Officer under the GDPR
Appointing a Data Protection Officer under the GDPR
 

Kürzlich hochgeladen

Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangaloreamitlee9823
 
Value Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsValue Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsP&CO
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...amitlee9823
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...lizamodels9
 
Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxAndy Lambert
 
Falcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to ProsperityFalcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to Prosperityhemanthkumar470700
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityEric T. Tung
 
Falcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A  SALESMAN / WOMANA DAY IN THE LIFE OF A  SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMANIlamathiKannappan
 
Business Model Canvas (BMC)- A new venture concept
Business Model Canvas (BMC)-  A new venture conceptBusiness Model Canvas (BMC)-  A new venture concept
Business Model Canvas (BMC)- A new venture conceptP&CO
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Dave Litwiller
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...amitlee9823
 
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...allensay1
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...lizamodels9
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Centuryrwgiffor
 
RSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataRSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataExhibitors Data
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfAdmir Softic
 
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876dlhescort
 

Kürzlich hochgeladen (20)

unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
 
Value Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsValue Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and pains
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
 
(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7
(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7
(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
 
Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptx
 
Falcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to ProsperityFalcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to Prosperity
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
Falcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investors
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A  SALESMAN / WOMANA DAY IN THE LIFE OF A  SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMAN
 
Business Model Canvas (BMC)- A new venture concept
Business Model Canvas (BMC)-  A new venture conceptBusiness Model Canvas (BMC)-  A new venture concept
Business Model Canvas (BMC)- A new venture concept
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
 
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Century
 
RSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataRSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors Data
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
 
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
 

GDPR challenges for the healthcare sector and the practical steps to compliance

  • 1. Presented by: • Alan Calder, Founder and CEO • IT Governance Ltd • 8 March 2018 GDPR CHALLENGES FOR THE HEALTHCARE SECTOR AND THE PRACTICAL STEPS TO COMPLIANCE
  • 2. • Alan Calder • Founder and chief executive officer of IT Governance • IT Governance is the single source for everything to do with IT governance, cyber risk management and IT compliance • Author of IT Governance: An International Guide to Data Security and ISO27001/ISO27002, 6th Edition (Open University textbook) Introduction Copyright IT Governance Ltd – v 0.4
  • 3. • An overview of the General Data Protection Regulation (GPDR) and the Data Security and Protection (DSP) Toolkit and their impact on the healthcare sector. • Accountability frameworks that support GDPR compliance, and the role of senior management in ensuring compliance and cyber resilience is a strategic focus. • Embedding data protection by design and by default, and a holistic approach to achieving a cyber resilient posture. • The practical steps that healthcare organisations need to take when looking at GDPR compliance. • The role of a robust staff awareness programme in supporting a culture of cyber resilience and compliance. Today’s Discussion Copyright IT Governance Ltd – v 0.4
  • 4. EU GENERAL DATA PROTECTION REGULATION (GDPR) Copyright IT Governance Ltd - v 0.4
  • 5. Copyright IT Governance Ltd – v 0.4 Data protection model under the GDPR
  • 6. Copyright IT Governance Ltd – v 0.4 • The controller shall take appropriate measures to provide any information … relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language (Article 11-1). • The controller shall facilitate the exercise of data subject rights (Article 11-2). • Right to: • Information • Access • Rectification • Erasure • Restriction • Objection • Data portability; • Be informed of the existence of automated decision-making, including profiling, as well as the anticipated consequences • Also: • The right to withdraw consent at any time • The right to lodge a complaint with a supervisory authority • The Regulation applies to controllers and processors in the EU irrespective of where processing takes place. • It applies to controllers not in the EU but providing services into the EU. Rights of data subjects
  • 7. Copyright IT Governance Ltd – v 0.4 Administrative fines • Imposition of administrative fines will in each case be effective, proportionate and dissuasive. • taking into account technical and organisational measures implemented. • €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year. • €20,000,000 or, in the case of an undertaking, 4% of the total worldwide annual turnover in the preceding financial year. Penalties
  • 8. DSP Toolkit Copyright IT Governance Ltd - v 0.4 THE DATA SECURITY AND PROTECTION (DSP) TOOLKIT
  • 9. From April 2018, the DSP Toolkit will replace the Information Governance (IG) Toolkit as the standard for cyber and data security for healthcare organisations. Copyright IT Governance Ltd – v 0.4 Overview Compliance with the DSP Toolkit requires organisations to demonstrate that they are implementing the ten data security standards recommended by the National Data Guardian Review as well as complying with the GDPR’s requirements. NHS Digital has released the draft assertions of the DSP Toolkit and a prototype of the online portal is available to test before April 2018.
  • 10. Copyright IT Governance Ltd – v 0.4 The 10 data security standards Standard # Application 1 All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. 2 All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches. 3 All staff complete appropriate annual data security training and pass a mandatory test. 4 Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals. 5 Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security. 6 Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection. 7 A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management. 8 No unsupported operating systems, software or internet browsers are used within the IT estate. 9 A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually. 10 IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian’s Data Security Standards.
  • 11. • DSP Toolkit compliance will be required for all NHS organisations, NHS supply chain and any organisation that accesses NHS networks. • Care homes will be required to complete the DSP Toolkit from 2018– 19. Copyright IT Governance Ltd – v 0.4 Organisation types as detailed in the DSP Toolkit online portal DSP Toolkit: who needs to comply
  • 12. Cyber Essentials Plus • Satisfies multiple conditions of the DSP Toolkit • Prepopulates all satisfied conditions upon registration to the portal • Goes beyond the minimum requirement for the Toolkit GDPR • Multiple articles of the GDPR are referenced in the Toolkit and to comply organisations must demonstrate compliance with these Articles • NHS Digital have released guidance on GDPR compliance in healthcare which informs the GDPR compliance requirements within the DSP Toolkit • Summary guidance is available in the checklist which is discussed later. Copyright IT Governance Ltd - v 0.4 DSP Toolkit, how to comply
  • 13. Copyright IT Governance Ltd - v 0.4 CYBER RESILIENCE
  • 14. A resilient approach to cyber security • Breach prevention • Encryption, pseudonomisation, minimisation • Malware protection • Improve overall cyber security • Policies and procedures • Breach detection • Logging and monitoring (average detection time 146 days) • Policies and procedures • Breach response • Security incident process • Business continuity capabilities
  • 15. Key considerations: • Understand current cyber risks and plan for risks arising from new technologies. • Embed cyber resilience by design and default • Cyber resilience should be embedded without compromising provision of care. • Identify how information is used across the organisation • Each organisation or Trust will have a unique data flow map which will need to be understood and should inform any cyber resilience planning • The ‘human element’: • Embed cyber resilience in organisational culture • All staff, regardless of function, need to understand their responsibility towards cyber resilience Achieving cyber resilience in healthcare Copyright IT Governance Ltd - v 0.4
  • 16. • Article 5: Principles relating to processing of personal data • “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability’).” 1 • Processed lawfully, fairly and in a transparent manner 2 • Collected for specified, explicit and legitimate purposes 3 • Adequate, relevant and limited to what is necessary 4 • Accurate and, where necessary, kept up to date 5 • Retained only for as long as necessary 6 • Processed in an appropriate manner to maintain security Accountability The principle of accountability and what it means Copyright IT Governance Ltd - v 0.4
  • 17. Copyright IT Governance Ltd - v 0.4 Data protection by design and default Article 25: Data protection by design and by default • The controller shall implement appropriate technical and organisational measures • Only data necessary for each specific purpose is processed • The obligation applies to the following: • the amount of data collected • the extent of the processing • the period of storage • the accessibility to that data • Personal data is not made accessible to an indefinite number of natural persons without the individual’s intervention • Pseudonymisation and minimisation are recognised techniques in data protection by design
  • 18. Copyright IT Governance Ltd - v 0.4 Data protection impact assessment (DPIA) •Article 35: Data protection impact assessment •A DPIA assesses the likelihood and impact (i.e. the risk) of a compromise to the confidentiality, integrity and/or availability (‘information security’) of personal data (‘asset’) •A DPIA should therefore be a subset of an organisation’s risk management framework: •Draw on existing expertise and understanding •Integrate conclusions into existing risk treatment plans •Demonstrate data protection by design and by default •DPIA should already be part of risk management as normal
  • 19. Copyright IT Governance Ltd - v 0.4 Data protection impact assessment (DPIA) • DPIA is not a one-off exercise • Conducted for all new systems and processes • Functionality may change along the way • Risks should be re-evaluated accordingly • Should be conducted on legacy systems • Update the risk register • Update the project plans • The approach adopted goes towards breach mitigation • Risk assessment should be part of staff training • The application of DPIAs demonstrates accountability
  • 20. Copyright IT Governance Ltd - v 0.4 Practical steps to GDPR compliance 1. Establish governance framework – board awareness, risk register, accountability framework, review 2. Appoint and train a Data Protection Officer (DPO) 3. Conduct a data flow audit and create a data inventory – identify processors and any data held unlawfully 4. Compliance gap analysis  Ensure Privacy Notice and SAR documents and processes are robust and legal  Records of processing 5. Develop operation policies, procedures and processes in line with InfoSec best practice 7. Update communication material and train staff on the Regulation’s requirements Privacy compliance framework Cyber Essentials/Ten Steps to Cyber Security/ISO 27001 6. Data breach response process (NB: Test!) 8. Monitor, audit and continually improve
  • 21. A governance framework and the DPO
    To achieve a governance framework in accordance with the GDPR, organisations must:
    • Brief management on the GDPR risks and benefits.
    • Gain management support for a GDPR compliance project.
    • Assign a director with accountability for the GDPR.
    • Incorporate data protection risk into the corporate risk management and internal control framework.
    The governance framework will be developed with, and monitored by, the DPO.
    The DPO:
    • Mandatory for organisations processing large volumes of data and for all public authorities
    • Protected position reporting directly to senior management; must be appropriately qualified and consulted in respect of all data processing activities
    • Will be ‘good practice’ for organisations even where not mandatory
    • Healthcare industry partners may need to appoint a DPO
    Most staff dealing with personal data will need at least basic training in their responsibilities.
  • 22. Gap Analysis and Data Flow Mapping
    • Gap Analysis
      – Audit your current compliance position against the requirements of the GDPR.
      – Identify compliance gaps requiring remediation.
      NB: In order to identify your compliance journey you may need to conduct a gap analysis to understand the scope of the work that is needed to achieve compliance.
    • Data Flow Audit – organisations need to:
      – Assess the categories of data held, where it comes from and the lawful basis for your processing. All information assets should be linked to an information asset owner.
        º In the case of healthcare provision, the most common basis for processing will be:
          - Article 6(1)(e) lawful basis – necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
          - Article 9(2)(h) exclusion – necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services.
      – Map data flows into, within and from your organisation.
      – Use the data map to identify the risks in your data processing activities and whether a data protection impact assessment (DPIA) is needed.
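The data flow audit above ends with using the data map to spot risks and decide whether a DPIA is needed. The following is an added illustration of that last step, not code from the presentation or from IT Governance Ltd: a constructed data inventory (three hypothetical flows) is checked for a missing information asset owner, a missing Article 6 lawful basis, special category data without an Article 9 condition, and a transfer outside the EU without a documented mechanism, and flows that process special category data at scale are flagged for a DPIA under Article 35(3)(b). The numeric "large scale" threshold is an assumption for the example; the Regulation gives no figure.

```python
from dataclasses import dataclass
from typing import List, Optional

# Categories treated as special category (Article 9) data in this example; assumed list.
SPECIAL_CATEGORY = {"diagnosis", "prescription", "health_record", "genetic", "ethnicity"}

# Assumed threshold for "large scale"; the GDPR itself states no number.
LARGE_SCALE_THRESHOLD = 10_000


@dataclass
class DataFlow:
    """One row of a data inventory / data map (constructed for the example)."""
    name: str
    categories: List[str]          # data categories carried by the flow
    source: str
    destination: str
    owner: Optional[str]           # information asset owner
    art6_basis: Optional[str]      # e.g. "6(1)(e)"
    art9_condition: Optional[str]  # e.g. "9(2)(h)"; required when special category data is present
    outside_eu: bool = False
    transfer_mechanism: Optional[str] = None
    subjects: int = 0              # approximate number of data subjects


def review_flow(flow: DataFlow) -> List[str]:
    """Return the findings for one flow; an empty list means nothing to remediate."""
    findings = []
    special = [c for c in flow.categories if c in SPECIAL_CATEGORY]
    if not flow.owner:
        findings.append("no information asset owner assigned")
    if not flow.art6_basis:
        findings.append("no Article 6 lawful basis recorded")
    if special and not flow.art9_condition:
        findings.append(f"special category data {special} without an Article 9 condition")
    if flow.outside_eu and not flow.transfer_mechanism:
        findings.append("transfer outside the EU without a documented transfer mechanism")
    if special and flow.subjects >= LARGE_SCALE_THRESHOLD:
        findings.append("DPIA required: large-scale processing of special category data (Art. 35(3)(b))")
    elif special:
        findings.append("consider a DPIA: special category data is processed")
    return findings


def review_inventory(flows: List[DataFlow]) -> dict:
    """Map each flow name to its findings, so the result can feed the risk register."""
    return {flow.name: review_flow(flow) for flow in flows}


# Constructed sample inventory; names and figures are invented.
SAMPLE_INVENTORY = [
    DataFlow("GP referral to cardiology", ["name", "nhs_number", "diagnosis"],
             "GP practice", "cardiology clinic", owner="Clinical records lead",
             art6_basis="6(1)(e)", art9_condition="9(2)(h)", subjects=50_000),
    DataFlow("Appointment reminders via SMS provider", ["name", "mobile", "appointment_date"],
             "patient administration system", "SMS gateway (non-EU)", owner=None,
             art6_basis="6(1)(e)", art9_condition=None, outside_eu=True,
             transfer_mechanism=None, subjects=20_000),
    DataFlow("Staff rota", ["name", "shift"], "HR system", "ward managers",
             owner="HR manager", art6_basis=None, art9_condition=None, subjects=800),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for item in findings or ["no findings"]:
            print("  -", item)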
  • 23. Develop operational policies, procedures and processes; certifications
    • Organisations must:
      – Create Article 30 documentation – the record of personal data processing activities drawn from the data flow audit and gap analysis.
      – Bring data protection policies and privacy notices in line with the GDPR.
      – Where relying on consent, ensure the gaining of consent meets the new requirements.
      – Review and update employee, customer and supplier contracts.
      – Secure personal data through appropriate procedural and technical measures.
      – Ensure policies and procedures are in place to detect, report and investigate a personal data breach.
      – Review whether the mechanisms for data transfers outside the EU are compliant.
    • How can you demonstrate what policies, procedures and processes have been implemented?
      – Codes of conduct and certifications may be used to demonstrate compliance with the GDPR
      – Recognised international standards (eg ISO/IEC 27001)
      – Recognised national management standards (eg BS 10012 – for a PIMS or Personal Information Management System)
      – Recognised national technical standards (eg Cyber Essentials in the UK)
      – Emergence of new standards, privacy seals etc across the EU
    • Certification does not absolve the controller of the need to comply
  • 24. Subject Access Requests (SARs) and data breach response
    Data breach response
    • Obligation for the data controller to communicate a personal data breach to data subjects
    • Communicate with data subjects without undue delay if the breach represents a high risk to data subjects’ rights
    • Communication must be in clear, plain language
    • Supervisory authority may compel communication with data subjects
    • Exemptions:
      • Appropriate technical and organisational measures were taken
      • A high risk to the data subjects will not materialise
      • Communication with data subjects would involve disproportionate effort
    SARs
    • Obligation for data controllers to revise their current SARs procedure to include:
      • Response within one month.
      • Possibility for requests to be made electronically (eg via email). Where this is the case, a response must be available in a commonly accepted electronic format.
    • Fees: organisations may not charge for SARs other than:
      • A reasonable administrative charge.
      • Where the request is ‘manifestly unfounded or excessive’.
  • 25. Communication
    Communication materials must be updated to reflect more stringent transparency requirements:
    Articles 12 - 18: Transparency
    • Any communications with a data subject must be concise, transparent, intelligible and suitable to the intended audience
    • Controller must be transparent in providing information about itself and the purposes of the processing
    • Controller must provide the data subject with information about their rights
    • Specific provisions (Article 14) covering data not obtained directly from the data subject
    • Rights to access, rectification, erasure (‘right to be forgotten’), to restriction of processing and data portability
  • 26. Staff training and awareness
    To ensure a compliance programme is completely integrated across your organisation, it’s imperative that staff are addressed at all stages, as they can influence whether it is a success. GDPR compliance requires everyone who accesses, collects or processes data to change their behaviour to remain compliant.
    • Identify potential problems with GDPR implementation;
    • Educate staff on their responsibility and the consequences of their individual actions;
    • Ensure that any procedures are followed consistently across the organisation; and
    • Ensure staff are fully aware of the corporate compliance requirements of the Regulation.
    Healthcare providers and their supply chain will need to audit the application of staff awareness training to fulfil their obligation to the DSP Toolkit staff awareness survey.
  • 27. IT Governance: one-stop shop - training
    GDPR
    • Certified EU GDPR Foundation Training Course (classroom, online, distance learning)
    • Certified EU GDPR Practitioner Training Course (classroom, online, distance learning)
    • DPIA Workshop (classroom)
    ISO 27001 & ISO 22301
    • ISO22301 Certified BCMS Lead Implementer Training Course (classroom)
    • ISO27001 Certified ISMS Lead Implementer (classroom, online, distance learning)
    • ISO27001 Certified ISMS Lead Auditor Training Course (classroom, online, distance learning)
    In-house training options are available
  • 28. IT Governance: one-stop shop - consultancy
    Consultancy
    • Gap analysis
    • Data flow audit
    • DPO as a service
    • Cyber resilience
    • Implementing an ISO 27001-compliant ISMS
    • Implementing an ISO 22301-compliant BCMS
    • Incident response management
    Self-help materials
    • EU GDPR Documentation Toolkit
    • EU GDPR Compliance Gap Assessment Tool
  • 29. Next steps
    Resources to help begin your compliance journey:
    • EU General Data Protection Regulation (GDPR) - An Implementation and Compliance Guide
    • Speak to a healthcare expert via the online form (www.itgovernance.co.uk/healthcare/speak-to-an-expert)
    Call us +44 (0)333 800 7000
    Email us servicecentre@itgovernance.co.uk
    Visit our website www.itgovernance.co.uk
    Like us on Facebook /ITGovernanceLtd
    Follow us on Twitter /itgovernance
    Join us on LinkedIn /company/it-governance
  • 30. Questions

Editor’s notes

  1. There was a slide preceding this looking at how ISO27001 and ISO22301 can help organisations be compliant with GDPR, NIS and DSP, but it has been removed due to presentation length. If you think it might be worth adding I am happy to do so. Examine the potential risks of a 'paperless' NHS (e-patient records, e-prescribing and sending patient information to pharmacy, e-diagnostics functionality, 'smart' monitors/alert systems).
  2. Here add: Implementation and compliance guide ttae