Legal and Regulatory Privacy Challenges for the Financial Services Sector
Disclaimer (otherwise known as the exciting stuff)
Subjects we will be covering
EU Data Protection Directive
EU Data Protection Directive (95/46/EC) Highlights
What is personal data?
Current and Future Challenges
Demonstrating Global Compliance
Stating the Obvious:
Where do you start? What are your risks? Prioritize . . .
Data Capture Sheet
Columns: Data Stream; Sub-Data Stream; Data Capture Questions; Ref. Number; Brief Description; Data Capture Sheet Questions
Privacy Questionnaire Baseline
Columns: Baseline; Baseline Requirement; Equivalent Local Law; Brief Description of Local Law; Questions

Row 1
Baseline: UK DPA Principle 1; UK DPA Principle 2; UK DPA Schedule 2; Dir 95/46/EC Article 6.1a; Dir 95/46/EC Article 6.1b; Dir 95/46/EC Article 7
Baseline Requirement: For processing of personal data to be fair and lawful, legitimate reasons for processing the data must be identified. In the UK, these are set out in Schedule 2 of the DP Act (Dir 95/46/EC Article 7).
Equivalent Local Law: HKDPO Principle 1 ver 1
Brief Description of Local Law: Personal data shall not be collected unless: (a) the data are collected for a lawful purpose directly related to a function or activity of the entity who will be using the data; (b) the collection is necessary for or directly related to that purpose; and (c) the data is not excessive in relation to that purpose. Personal data shall be collected by means which are lawful and fair.
Questions: (-) Have you identified on what basis you are able to lawfully process the personal data? (+) When you collect personal data, do you disclose the purpose of use to the data subject?

Row 2
Baseline: UK DPA Principle 1; UK DPA Principle 2; UK DPA Schedule 3; Dir 95/46/EC Article 6.1a; Dir 95/46/EC Article 6.1b; Dir 95/46/EC Article 8
Baseline Requirement: If sensitive personal data is processed, further conditions must be met to do this, for example obtaining explicit consent for the processing. In the UK a Data Protection Act Schedule 2 and 3 condition is required to process sensitive personal data (Dir 95/46 EC Article 8).
Equivalent Local Law: N/A
Brief Description of Local Law: Under the HKPO there is no separate concept of "Sensitive Personal Data".
Questions: (-) Are you processing sensitive personal data? Defined as personal data relating to: (a) the racial or ethnic origin of the data subject, (b) his political opinions, (c) his religious beliefs or other beliefs of a similar nature, (d) whether he is a member of a trade union, (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
BAU
Selection of Privacy Risks
Controls (what works for us may not work for you)
Putting it together (Principle)
Columns: Risk; Control; Risk Owner (Local v. Central); Overall Risk RAG Rating; Evidence; Remediation Actions; Remediation RAG Rating

Risk: The privacy risk control framework is not adequately defined, embedded, monitored or enforced, nor capable of delivering privacy risk assessments to inform the development of policies and procedures.

Control 1: Conformance testing is conducted on a regular basis to ensure that personal information is processed in accordance with the Wealth Privacy Policy and all controls are operating effectively.
Risk Owner: Boba Fett
Overall Risk RAG Rating: Amber
Remediation Actions (Remediation RAG Rating): Identify area of testing (Green); Develop and implement (Green); Analyse results (Amber); Remediation plan (Red)

Control 2: MI is reported regularly and reviewed and challenged to ensure that it reflects the activity and status of privacy controls and to evaluate privacy risk.
Risk Owner: The Emperor
Overall Risk RAG Rating: Green
Remediation Actions (Remediation RAG Rating): Obtain (Green); Use Jedi mind trick (Amber); Receive update (Green); Execute under-performers (Green)

Control 3: RCAs are embedded in the day-to-day risk management process of the business and act as a management self assessment tool to proactively identify and address key control issues.
Risk Owner: Darth Vader
Overall Risk RAG Rating: Amber
Remediation Actions (Remediation RAG Rating): Inspect the stormtroopers (Amber); Check they are using the RCA to inspire fear (Amber); Validate results with the locals (Amber)
Dashboard mock-up (not real data)

Focus: Records Management – June 2009 (not real data)

Current State
Records Management audit report issued in draft with a Satisfactory Rating for Wealth and 2 Medium audit points. Phase one of the RM/DP Assessment/Remediation project now complete with all high risk teams' action plans QA'd and remediation underway with the assistance of project staff. Current State Assessment action closure increasing following active chasing by IRM – 58% closed at end June. IRM RM SME fully engaged with USA PIM business to embed Wealth RM policies. BAU Schedule for RM management activities in place. Management of RM/DP project actions integrated with existing CSA action management system.

Residual Risk Commentary

Exception Commentary
1,217 Current State Assessment actions were given a default due date of end Apr 2009. IRM actively chasing owners for the newly overdue actions to establish expected due dates. Activities to date have reduced the overdue actions with further focus being applied in July. RM/DP Remediation actions are increasing as the project team are completing team reviews; the expectation is for a high volume of identified actions as the project progresses.

Cumulative Achievements

Major Activities next month
Improved BU team refresh process to be proposed and implemented if agreed. Continued engagement with RM audit action owners to ensure coherent plans and funding are in place to address. Refresh Retention Schedules in conjunction with Group and Legal. Launch phase two of the assessment programme beginning with Jersey and Guernsey.

Risks Identified to Date
RM SME resource departed mid June. Technology resource for shared drive analysis/remediation no longer exists in Wealth – conversations underway with BarCap to acquire resource.
Lessons we have learned
Awareness Material
Help with Training & Awareness
It works!
The End

 

Legal And Regulatory Dp Challenges For The Financial Services Sector

  • 12. Privacy Questionnaire

    Columns: Baseline | Baseline Requirement | Equivalent Local Law | Brief Description of Local Law | Questions

    Row 1
    Baseline: UK DPA Principle 1; UK DPA Principle 2; UK DPA Schedule 2; Dir 95/46/EC Article 6.1a; Dir 95/46/EC Article 6.1b; Dir 95/46/EC Article 7
    Baseline Requirement: For processing of personal data to be fair and lawful, legitimate reasons for processing the data must be identified. In the UK, these are set out in Schedule 2 of the DP Act (Dir 95/46/EC Article 7).
    Equivalent Local Law: HKDPO Principle 1 ver 1
    Brief Description of Local Law: Personal data shall not be collected unless: (a) the data are collected for a lawful purpose directly related to a function or activity of the entity who will be using the data; (b) the collection is necessary for or directly related to that purpose; and (c) the data are not excessive in relation to that purpose. Personal data shall be collected by means which are lawful and fair.
    Questions: (-) Have you identified on what basis you are able to lawfully process the personal data? (+) When you collect personal data, do you disclose the purpose of use to the data subject?

    Row 2
    Baseline: UK DPA Principle 1; UK DPA Principle 2; UK DPA Schedule 3; Dir 95/46/EC Article 6.1a; Dir 95/46/EC Article 6.1b; Dir 95/46/EC Article 8
    Baseline Requirement: If sensitive personal data is processed, further conditions must be met, for example obtaining explicit consent for the processing. In the UK a Data Protection Act Schedule 2 and Schedule 3 condition is required to process sensitive personal data (Dir 95/46/EC Article 8).
    Equivalent Local Law: N/A
    Brief Description of Local Law: Under the HKPO there is no separate concept of "Sensitive Personal Data".
    Questions: (-) Are you processing sensitive personal data? Sensitive personal data is defined as personal data relating to: (a) the racial or ethnic origin of the data subject, (b) his political opinions, (c) his religious beliefs or other beliefs of a similar nature, (d) whether he is a member of a trade union, (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
  • 16. Putting it together

    Columns: (Principle) Risk | Control | Risk Owner (Local v. Central) | Overall Risk RAG Rating | Evidence | Remediation Actions | Remediation RAG Rating

    Risk: The privacy risk control framework is not adequately defined, embedded, monitored or enforced, nor capable of delivering privacy risk assessments to inform the development of policies and procedures.

    Control 1: Conformance testing is conducted on a regular basis to ensure that personal information is processed in accordance with the Wealth Privacy Policy and all controls are operating effectively.
    Risk Owner: Boba Fett
    Overall Risk RAG Rating: Amber
    Remediation Actions (Remediation RAG Rating): Identify area of testing (Green); Develop and implement (Green); Analyse results (Amber); Remediation plan (Red)

    Control 2: MI is reported regularly and reviewed and challenged to ensure that it reflects the activity and status of privacy controls and to evaluate privacy risk.
    Risk Owner: The Emperor
    Overall Risk RAG Rating: Green
    Remediation Actions (Remediation RAG Rating): Obtain (Green); Use Jedi mind trick (Amber); Receive update (Green); Execute under-performers (Green)

    Control 3: RCAs are embedded in the day-to-day risk management process of the business and act as a management self-assessment tool to proactively identify and address key control issues.
    Risk Owner: Darth Vader
    Overall Risk RAG Rating: Amber
    Remediation Actions (Remediation RAG Rating): Inspect the stormtroopers (Amber); Check they are using the RCA to inspire fear (Amber); Validate results with the locals (Amber)
  • 18. Focus: Records Management – June 2009 (Not Real Data)

    Current State
    - Records Management audit report issued in draft with a Satisfactory Rating for Wealth and 2 Medium audit points.
    - Phase one of the RM/DP Assessment/Remediation project now complete with all high risk teams' action plans QA'd and remediation underway with the assistance of project staff.
    - Current State Assessment action closure increasing following active chasing by IRM – 58% closed at end June.
    - IRM RM SME fully engaged with USA PIM business to embed Wealth RM policies.
    - BAU schedule for RM management activities in place.
    - Management of RM/DP project actions integrated with existing CSA action management system.

    Residual Risk Commentary / Exception Commentary
    - 1,217 Current State Assessment actions were given a default due date of end Apr 2009. IRM actively chasing owners for the newly overdue actions to establish expected due dates. Activities to date have reduced the overdue actions with further focus being applied in July.
    - RM/DP Remediation actions are increasing as the project team are completing team reviews – expectation is for a high volume of identified actions as the project progresses.

    Cumulative Achievements

    Major Activities next month
    - Improved BU team refresh process to be proposed and implemented if agreed.
    - Continued engagement with RM audit action owners to ensure coherent plans and funding are in place to address.
    - Refresh Retention Schedules in conjunction with Group and Legal.
    - Launch phase two of the assessment programme beginning with Jersey and Guernsey.

    Risks Identified to Date
    - RM SME resource departed mid June.
    - Technology resource for shared drive analysis/remediation no longer exists in Wealth – conversations underway with BarCap to acquire resource.

Editor's notes

  1. “data” means information which— (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, (b) is recorded with the intention that it should be processed by means of such equipment, (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, or (d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68. See also Opinion 4/2007 on the concept of personal data; Opinion 1/2008 on data protection issues related to search engines (log files, IP addresses, cookies).
  2. Project managers, consultants, internal and external lawyers.
  3. Data Capture sheet: next slide. Questionnaire: two slides.
  4. Why questionnaire and then RCA? Because you needed to know where your risks are first!