Slide 2
GDPR – Key changes
• Extension of the EU regulatory framework to companies established outside the EU that process personal data of individuals in the EU
• Increased responsibility and accountability on organizations to manage how they control and process personal data
• Data protection impact assessments (DPIA) must be performed for high-risk processing
• Demonstrate privacy by design and privacy by default
• Obligation to notify personal data breaches to the supervisory authority within 72 hours of becoming aware of them
• Individuals have the right to require a controller to delete their personal data (right to erasure)
• Individuals can easily transfer their data from one service provider to another (data portability)
• One Supervisory Authority (SA) acts as the lead regulator for cross-border compliance issues (one-stop shop)
• A single set of data protection rules, directly applicable in all EU member states
• A more active, freely given and specific consent model to support lawful processing of personal data
• Regulators can issue administrative fines of up to €20 million or up to 4% of the annual worldwide turnover, whichever is higher
• Data processors are directly accountable, alongside data controllers
• Designation of a Data Protection Officer (DPO) when core activities require regular and systematic monitoring of data subjects on a large scale
• Increased transparency obligations, with more complete privacy notices
GDPR themes (overview wheel):
1. Lawfulness / Consent
2. Data subject rights
3. Internal register
4. Scope
5. Accountabilities
6. Data Protection Impact Assessment
7. Data protection
8. Information & Transparency
9. Fines & Sanctions
Slide 3
Data Protection Impact Assessment (DPIA)
DPIA criteria (do you require a DPIA?):
• Evaluation or scoring
• Automated decision-making
• Systematic monitoring
• Sensitive data
• Large-scale processing
• Matching or combining datasets
• Vulnerable data subjects
• New technology
• Preventing data subjects from using a service
Rule of thumb from the Article 29 Working Party DPIA guidelines (WP248): processing that meets two or more of these criteria should generally be assumed to require a DPIA, and a single criterion can still be enough when the risk is high.
Slide 5
DPO versus CISO
DPO | CISO
Personal data protection | Information security
GDPR requirements | ISO 27001 minimum norms
Legal, rights, proportionality... | Confidentiality, integrity, availability
Privacy policies | Security policies
Towards the data subjects | For all organizational staff
Awareness & training | Awareness & training
Advises & makes recommendations | Advises & makes recommendations
Slide 6
Lines of defence
Board / Audit Committee
Executive Committee
1st line of defence: management control (IT, Communication, HR, Legal, ...)
2nd line of defence: Data Protection Office, Risk management, Information security, Compliance
3rd line of defence: Internal audit
External assurance: External audit, Data Protection Authority (DPA)
Slide 7
Data Privacy audit program
Risks (FORE)
► F: Financial Risk (fines)
► O: Operational Risk (costs, complexity)
► R: Reputational Risk (image)
► E: Earnings/Revenue Risk (service/marketing limitation)
Slide 9
Data Privacy audit program
Audit domains:
1. Privacy management
2. Data management
3. Data Security
4. Third party agreements
5. Incident management

1. Privacy management
1.a. Governance
• Roles and responsibilities
• Data coverage
1.b. Policies and procedures
• Privacy policies developed
• Global policies adapted
• User rights procedures
• Information and transparency
1.c. Training and awareness
• Awareness training
• Key specific training
1.d. Risk management (Impact Assessment)
• Data classification
• Impact assessment criteria and methodology
Slide 10
Data Privacy audit program
2. Data management
2.a. Business management of data
• Identification of personal data
• Data de-identification procedures
2.b. Use and retention
• Data use and retention guidelines
• Appropriate retention practices
• Data retention, movement and archival activities
• Consent collection and evidence
• Data retention and return at contract exit
2.c. Records management
• Record management procedures
• Record retention procedures
• Management of records in on-site and off-site storage
• Record disposal per retention schedule
Slide 11
Data Privacy audit program
3. Data Security
3.a. Access management
• Access and identity management for personal data
• Adequate logical access controls
3.b. Transfer of data
• Secured sharing and transfer of data
• Communication and training (employees and contractors)
• Data loss prevention tools
3.c. Data at rest
• Data encryption standards
• Awareness campaigns
• Physical security
3.d. Security at processing
• Pseudonymisation and encryption procedures
• Assessment of the effectiveness of security measures
Slide 12
Data Privacy audit program
4. Third party agreements
4.a. Management of third party interaction
• Agreed contractual terms
• Duly executed contracts
4.b. Contractual obligations with third parties
• Data leakage risk assessment
• Management and review of third-party self-assessments
Slide 13
Data Privacy audit program
5. Incident management
5.a. Incident response & escalation plan
• Breach reaction and escalation plan
• Breach policy and proper steps
• Data Protection Authority notification procedures
5.b. External party notification
• Notification of breach events by 3rd parties
• Protection measures (& cyber insurance) at 3rd parties
5.c. Cyber insurance
• Cyber insurance business case
• Adequate coverage of data breaches
Slide 14
“In a digital economy, only companies that do not harm customer confidence survive.”
Philippe De Backer, 26 September 2017