2/18/2020
Richard Cascarino CISM,
CIA, ACFE, CRMA
General Data
Protection Regulation
(GDPR) Webinar 2
Lawful Basis for
Processing
About Jim Kaplan, CIA, CFE
 President and Founder of AuditNet®,
the global resource for auditors
(available on iOS, Android and
Windows devices)
 Auditor, Web Site Guru,
 Internet for Auditors Pioneer
 IIA Bradford Cadmus Memorial Award
Recipient
 Local Government Auditor’s Lifetime
Award
 Author of “The Auditor’s Guide to
Internet Resources” 2nd Edition
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit
community as the primary resource for Web-based auditing content. As the first online
audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the
use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and
features:
• Over 3,000 Reusable Templates, Audit Programs, Questionnaires, and
Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit
with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit
technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Introductions
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners.
Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive CPE as
the confirmation login is linked to a specific individual
• This Webinar is not eligible for viewing in a group setting. You must be logged in with
your unique join link.
• We are recording the webinar and you will be provided access to that recording after
the webinar. Downloading or otherwise duplicating the webinar recording is expressly
prohibited.
• If you meet the criteria for earning CPE you will receive a link via email to download
your certificate. The official email for CPE will be issued via NoReply@gensend.io and it
is important to white list this address. It is from this email that your CPE credit will be
sent. There may be a processing fee to have your CPE credit regenerated if you did not
receive the first mailing.
• Submit questions via the chat box on your screen and we will answer them either during
or at the conclusion.
• You must answer the survey questions after the Webinar or before downloading your
certificate.
IMPORTANT INFORMATION
REGARDING CPE!
• ATTENDEES - If you attend the entire Webinar and meet the criteria for CPE you will receive
an email with the link to download your CPE certificate. The official email for CPE will be
issued via NoReply@gensend.io and it is important to white list this address. It is from this
email that your CPE credit will be sent. There may be a processing fee to have your CPE credit
regenerated after the initial distribution.
• We cannot manually generate a CPE certificate as these are handled by our 3rd party provider.
We highly recommend that you work with your IT department to identify and correct any email
delivery issues prior to attending the Webinar. Issues would include blocks or spam filters in
your email system or a firewall that will redirect or not allow delivery of this email from
Gensend.io
• You must opt in for our mailing list. If you indicate you do not want to receive our emails your
registration will be cancelled and you will not be able to attend the Webinar.
• We are not responsible for any connection, audio or other computer related issues. You must
have pop-ups enabled on your computer, otherwise you will not be able to answer the polling
questions, which occur approximately every 20 minutes. We suggest that if you have any
pressing issues to see to, you do so immediately after a polling question.
The views expressed by the presenters do not necessarily represent the views,
positions, or opinions of AuditNet® LLC. These materials, and the oral presentation
accompanying them, are for educational purposes only and do not constitute
accounting or legal advice or create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and complete,
AuditNet® makes no representations, guarantees, or warranties as to the accuracy or
completeness of the information provided via this presentation. AuditNet® specifically
disclaims all liability for any claims or damages that may result from the information
contained in this presentation, including any websites maintained by third parties and
linked to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply
recommendation or endorsement by AuditNet® LLC
ABOUT RICHARD CASCARINO,
MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino &
Associates based in Colorado USA
• Over 28 years experience in IT audit
training and consultancy
• Past President of the Institute of
Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified
Fraud Examiners
• Author of Data Analytics for Internal
Auditors
TODAY’S AGENDA
Special categories of personal data
The rights of data subjects, including data access
requests
Controllers and processors
Consent
Necessary for marketing
Legitimate interests
Print communications only
WHAT IS EU GDPR?
On 4 May 2016, the EU Regulation on Data Protection
(GDPR) was published in the Official Journal of the
European Union
The GDPR entered into force on 24 May 2016 to replace
the former 1995 EU Data Protection Directive and create
a harmonized data protection law across Europe
Its aim is to have organisations manage data on their customers,
employees, contacts and any other relevant persons more effectively
IMPACT ON USA
 With respect to data protection, viewed as not
having adequate protections for data transfer from
the EU due to the differences in the regulatory
models and practices
 GDPR will be challenging for US companies
 Significant confusion, thinking that it doesn’t
apply
 Lack of familiarity with concepts like subject
access and data minimization
 Concept of PII (Personally Identifiable
Information) (vs. Personal Data in the EU
context, which is broader)
 Issue for companies where the EU is a minority
of their portfolio
GDPR: WHY, WHEN, WHERE,
WHAT?
WHY? "GDPR is about harmonization of the protection of fundamental
rights and freedoms of natural persons in respect of processing activities"
WHEN? May 25th 2018
WHERE?
• All 28 EU member countries (national interpretations of parts
of the regulation)
• EU businesses, organizations, authorities, non-profit
organisations
• Businesses outside of the EU processing personal data about
individuals in the EU
WHAT? Protection of personal data through organizational,
administrative, and technical means, and providing
evidence of that protection
GDPR BASICS
 Personal data must be processed lawfully, fairly and in a
transparent manner.
 Personal data must be processed for specified, explicit and
legitimate purposes and not further processed in an incompatible
way.
 Personal data must be adequate, relevant and limited to what is
necessary in relation to the purposes.
 Personal data must be processed in a way that ensures appropriate
security using appropriate technical or organizational measures.
 The controller shall be responsible for and be able
to demonstrate compliance with the principles.
PRINCIPLES
 When is it legal to process personal data?
 Consent: given by the data subject for a specific purpose, recorded
(in writing or otherwise demonstrable), withdrawable at any time;
parental consent for children under 16
 Necessity of processing: contracts, legal obligations, legitimate
interests, public interest, vital interests of the data subject
 Special Categories (Sensitive): processing is generally prohibited
 Race, political opinions, health, union membership, genetic data,
biometric data, sexual orientation or sex life
 unless explicit consent or one of the strictly defined necessity
grounds applies
SENSITIVE DATA
 “Special categories of personal data” (sensitive data)
now expressly include “genetic data” and “biometric
data” where processed “to uniquely identify a person”.
 The grounds for processing sensitive data under the
GDPR broadly replicate those under the Data
Protection Directive, although there are wider grounds
in the area of health and healthcare management.
 There is also a broad ability for Member States to
adduce new conditions (including limitations)
regarding the processing of genetic, biometric or
health data.
WHAT IS “SENSITIVE”
 Article 9(2) sets out the circumstances in which the processing of
sensitive personal data which is otherwise prohibited, may take place.
 The following categories of data are considered “sensitive”, as set out
in Article 9(1):
 racial or ethnic origin;
 political opinions;
 religious or philosophical beliefs;
 trade union membership;
 data concerning health or sex life and sexual orientation;
 genetic data (new);
 biometric data where processed to uniquely identify a person
(new).
 photographs will be covered only to the extent they allow the
unique identification or authentication of an individual as a
biometric (such as when used as part of an electronic passport)
WHEN CAN YOU PROCESS
SENSITIVE DATA?
 Explicit consent of the data subject, unless reliance on consent
is prohibited by EU or Member State law
 Necessary for the carrying out of obligations under employment,
social security or social protection law, or a collective agreement
 Necessary to protect the vital interests of a data subject who is
physically or legally incapable of giving consent
 Processing carried out by a not-for-profit body with a political,
philosophical, religious or trade union aim provided the
processing relates only to members or former members
 Data manifestly made public by the data subject
 Necessary for the establishment, exercise or defense of legal
claims or where courts are acting in their judicial capacity
WHEN CAN YOU PROCESS
SENSITIVE DATA?
 Necessary for reasons of substantial public interest on the basis
of Union or Member State law which is proportionate to the aim
pursued and which contains appropriate safeguarding measures
 Necessary for the purposes of preventative or occupational
medicine, for assessing the working capacity of the employee,
medical diagnosis, the provision of health or social care or
treatment or management of health or social care systems and
services on the basis of Union or Member State law or a
contract with a health professional
 Necessary for reasons of public interest in the area of public
health, such as protecting against serious cross-border threats
to health or ensuring high standards of healthcare and of
medicinal products or medical devices
 Necessary for archiving purposes in the public interest, or
scientific and historical research purposes or statistical purposes
CRIMINAL CONVICTIONS AND
OFFENCES
 Data relating to criminal convictions and offences are
not categorized as “sensitive” (EU)
 UK Data Protection Act treats personal data relating
to criminal proceedings and convictions as sensitive data
AUDITING GDPR
 Ensure you are clear about the grounds relied on by your
organization to process sensitive data, and check these grounds
will still be applicable under the GDPR
 Where relying on consent, ensure the quality of consent meets
GDPR requirements in relation to the collection of consent
 Check if rules on children are likely to affect you, and, if so, which
national rules you will need to follow when obtaining their consent
 If you process substantial amounts of genetic, biometric or health
data, pay attention to national developments since Member States
have a broad right to impose further conditions
GDPR ROLES
Data Subject: Every person is considered a Data Subject: citizens,
consumers, customers, business partners, employees, you and me.
Data Controller: Your company. You are controlling, reviewing, comparing and
aggregating data about your customers (e.g. web analytics data).
Personal Data: Any information relating to an identified or identifiable
natural person (in other words, the Data Subject).
RIGHTS OF DATA SUBJECTS
Right to be informed
Right to erasure
Right to data portability
Right to restriction
Right to rectification
Right of access
 Including additional processing details
Right to object
Right to prevent automated processing,
including profiling
INDIVIDUAL RIGHTS
 Right to withdraw consent at any time –
Implicit under DPA; explicit under GDPR
 Right to ask for erasure of data if consent
withdrawn (right to be forgotten)
 Unconditional right to object to processing
for direct marketing under DPA/GDPR
 Must comply with objection within one month
RIGHT TO KNOW
 Why the Data Controller is processing the data.
 What categories of data are being processed.
 Whether the Data Controller is processing their data.
 Will the Controller share their data and with who.
 How long the data will be stored.
 That they have the right to erasure, rectification,
restriction of processing, and to object to processing.
 That they have the right to complain to the Data
Protection Authority (DPA).
 If there is automated processing that has a significant
effect on them.
 The data was collected unlawfully.
 The time limit for the storage of the data has expired.
WHO IS WHO IN GDPR
 Supervisory Authority (“SA”)– is an independent public
authority from each Member State in the EU with the authority
to regulate compliance with GDPR.
 Data Protection Authority - is an independent public authority
responsible for monitoring the application of data protection
law within its territory.
 European Data Protection Board (“EDPB”) - The old Article 29
“Working Party” has become the European Data Protection
Board. The EDPB has the status of an EU body with legal
personality and extensive powers to determine disputes
between national supervisory authorities, to give advice and
guidance and to approve EU-wide codes and certification.
CONTROLLERS AND
PROCESSORS
 “Controller”
 the natural or legal person, public authority, agency or any
other body which alone or jointly with others determines the
purposes and means of the processing of personal data.
 “Processor”
 a natural or legal person, public authority, agency or any other
body which processes personal data on behalf of the controller
 Controller: alone or jointly with others determines the purposes and
means of processing personal data.
 Processor: processes personal data on behalf of the controller.
 Both controllers and processors are regulated directly under
GDPR.
 Controllers have more responsibilities, for example:
providing notices to data subjects, responding to the exercise of
subject rights, appointing a representative in the EEA, notifying
supervisory authorities and data subjects of data breaches,
maintaining records of processing.
CONTROLLER VS. PROCESSOR
 GDPR requires that processing by a processor shall be governed by
a contract or other legal act under Union or Member State law, that is
binding on the processor with regard to the controller and sets out
the subject-matter and duration of the processing, the nature and
purpose of the processing, the type of personal data and
categories of data subjects and the obligations and rights of the
controller, and that stipulates that the processor:
 Processes the personal data only on documented instructions from
the controller, including with regard to transfers of personal data to a
third country or an international organization, unless required to do so
by Union or Member State law to which the processor is subject…;
 Ensures that persons authorized to process the personal data have
committed themselves to confidentiality or are under an appropriate
statutory obligation of confidentiality;
 Takes all measures required pursuant to Article 32 (security of processing);
 Respects the conditions for engaging another processor;
PROCESSING AGREEMENT
 GDPR requires that a legal basis be in place to permit
the transfer of personal data from the EEA to
jurisdictions lacking adequate data protection
legislation (e.g., the United States). See Directive Ch.
IV; GDPR Ch. V.
 Transfer requirements apply even if GDPR does not apply
directly to receiving entity.
 The intent is to ensure that GDPR-level protections are
extended to personal data notwithstanding their transfer.
REQUIREMENTS FOR TRANSFER
OF PERSONAL DATA TO U.S.
 Obtaining the explicit consent of the data subject to the
transfer of personal data to the U.S. for processing.
 Requires advising the data subject of the risks of the transfer
resulting from the absence of adequate data protection legislation
in the recipient jurisdiction. See GDPR, Art. 49(1)(a).
 Entering into model contractual clauses approved by the
European Commission with the EEA entity transferring personal
data.
 Two sets of controller-controller clauses.
 One set of controller-processor clauses.
 No processor-controller clauses.
See GDPR, Art. 46(2).
LEGAL BASES FOR DATA
TRANSFER
 U.S.-based companies that are for-profit entities may have an
additional option of applying for certification under the EU-U.S.
Privacy Shield, a program administered by the U.S.
Department of Commerce.
 - Permits personal data to be transferred from the EEA to U.S. for-
profit entities that self-certify for the program after implementing
various data protection measures consistent with EU privacy law.
 - Caveat: the CJEU invalidated the Privacy Shield adequacy decision in
July 2020 (Schrems II), after this webinar was delivered, so it can no
longer be relied on as a transfer mechanism.
LEGAL BASES FOR DATA
TRANSFER
 Legal basis for processing
 Different rules for marketing by (i) Email/text; (ii)
phone; (iii) print
 Definition of Consent
 Compliance strategy for existing contacts
EXTERNAL COMMUNICATIONS -
MAIN ISSUES
 Must have a lawful basis for processing i.e. a
legitimate reason for using personal data
 Two options for external marketing:
 Consent
 Legitimate interests
LEGAL BASIS FOR
PROCESSING
 We can rely on legitimate interests for print
communications only and for holding the data in
the first place
 Consent is necessary for marketing by email or
text
 Mixture of legitimate interests and consent for
marketing calls
CONSENT VS LEGITIMATE
INTERESTS
 Suitable basis when we use people’s data in ways
they would reasonably expect and which have
minimal impact on their privacy
 GDPR specifically recognises direct marketing as
an example of a legitimate interest
 Required to balance our interests against rights
and interests of individual
LEGITIMATE INTERESTS
 Must carry out a LIA in order to demonstrate
compliance (accountability principle). 3-part test
1. Purpose: What is our legitimate interest?
2. Necessity: Why do we need to process personal
data to achieve it?
3. Balancing of interests: Do the individual’s
interests override the legitimate interest?
 One LIA for key activities within your area
LEGITIMATE INTERESTS
ASSESSMENT (LIA)
 Provides rules for unsolicited direct marketing
by electronic means (email, text, phone)
 Unsolicited: Not specifically requested
 Direct marketing: Targets particular individuals
 Marketing is not limited to commercial marketing
(sale of goods and services)
 Covers any advertising and promotional material,
including that promoting aims of not-for-profit
organisations, such as HEIs
PRIVACY AND ELECTRONIC
COMMUNICATIONS REGULATIONS (PECR) -
SCOPE
 Prior consent required for e-mails or texts sent to
individuals
 Every email/text must have valid address to
enable individual to opt-out/unsubscribe
 The PECR consent rule does not apply to business to business
emails/texts sent to corporate subscribers, but GDPR still applies
to any personal data (e.g. a named contact) used to send them
RULES OF PECR - EMAILS/TEXT
 No calls to people registered with Telephone
Preference Service (TPS) or those who have
otherwise objected
 Can only call TPS number with specific prior
consent
 OK to call non-TPS numbers but DPA/GDPR
applies i.e. person must be aware we have their
number and intend to use it to make marketing
calls
RULES OF PECR - CALLS
CONSENT
 Specific, informed, freely given (genuine choice)
 Requires positive action i.e. opt-in
 Failure to opt-out is not consent
 Granular: separate consent for distinct activities
 Consent under PECR must be specific to sender
of marketing (college/University/department) and
to method of communication (email/text)
CONSENT UNDER GDPR AND
PECR
 Tick box
 Signing a declaration/form
 Sending an email
 Selecting Yes/No options
 Oral statement
 Whichever method is used, GDPR requires us to
keep evidence of consent (accountability)
OBTAINING CONSENT
RECORDING CONSENT
 Who
 When
 What they were told
 How they consented
RIGHT TO WITHDRAW
CONSENT
 Individuals – at any time
 Must be notified when consent given
 Must be as easy to withdraw as to give consent
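As an added example (not part of the original webinar materials), the consent rules on the preceding slides can be encoded as an append-only consent ledger with a pre-send gate: each record captures who, when, what they were told and how they consented; consent is granular per sender and per channel; absence of a record is never treated as consent; withdrawal is a single recorded event; email and text require prior consent (PECR), print can rely on legitimate interests unless the person has objected, and calls to TPS-registered numbers need specific consent. Subject ids, sender names, notice text, phone numbers and the `tps_register` set are constructed sample data; `tps_register` stands in for a real Telephone Preference Service lookup.

```python
"""Consent ledger and pre-send gate for direct marketing (added example).

Subject ids, sender names, notice text and phone numbers below are constructed
sample data, not from the original webinar. `tps_register` is a stand-in for a
real Telephone Preference Service lookup.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

CONSENT_CHANNELS = {"email", "text"}   # PECR: prior opt-in consent required
LI_CHANNELS = {"print"}                # legitimate interests is an acceptable basis


@dataclass(frozen=True)
class ConsentEvent:
    """One row of evidence: who, when, what they were told, how they consented."""
    subject_id: str
    sender: str           # the department/organisation that will send marketing
    channel: str          # "email", "text", "phone" or "print"
    action: str           # "granted" or "withdrawn"
    at: datetime
    notice_text: str      # what the individual was told at the time
    method: str           # tick box, signed form, email, oral statement, ...


@dataclass
class ConsentLedger:
    events: list = field(default_factory=list)
    objections: set = field(default_factory=set)    # (subject_id, sender) pairs
    tps_register: set = field(default_factory=set)  # constructed stand-in for TPS

    def record(self, event: ConsentEvent) -> None:
        if event.action not in ("granted", "withdrawn"):
            raise ValueError("action must be 'granted' or 'withdrawn'")
        if event.channel not in CONSENT_CHANNELS | LI_CHANNELS | {"phone"}:
            raise ValueError(f"unknown channel {event.channel!r}")
        self.events.append(event)  # append-only: evidence is never overwritten

    def withdraw(self, subject_id, sender, channel, method, at=None) -> None:
        """Withdrawal must be as easy as giving consent: one recorded event."""
        self.record(ConsentEvent(subject_id, sender, channel, "withdrawn",
                                 at or datetime.now(timezone.utc),
                                 "withdrawal requested by the individual", method))

    def object_to_marketing(self, subject_id, sender) -> None:
        """Unconditional right to object to direct marketing, any channel."""
        self.objections.add((subject_id, sender))

    def has_consent(self, subject_id, sender, channel, at=None) -> bool:
        """True only if the latest matching event is a grant.

        Matching is granular: consent for one sender or one channel says nothing
        about another. No matching event at all (failure to opt out) is not consent.
        """
        at = at or datetime.now(timezone.utc)
        latest = None
        for e in self.events:
            if ((e.subject_id, e.sender, e.channel) == (subject_id, sender, channel)
                    and e.at <= at and (latest is None or e.at >= latest.at)):
                latest = e  # later event (or later append at equal time) wins
        return latest is not None and latest.action == "granted"

    def may_send(self, subject_id, sender, channel, phone_number=None):
        """Pre-send gate: returns (allowed, lawful basis or reason for refusal)."""
        if (subject_id, sender) in self.objections:
            return False, "individual has objected to direct marketing"
        if channel in CONSENT_CHANNELS:
            if self.has_consent(subject_id, sender, channel):
                return True, "consent"
            return False, f"no prior consent for {sender} via {channel} (PECR)"
        if channel in LI_CHANNELS:
            return True, "legitimate interests"
        if channel == "phone":
            if phone_number in self.tps_register:
                if self.has_consent(subject_id, sender, channel):
                    return True, "specific consent (TPS-registered number)"
                return False, "TPS-registered number without specific consent"
            return True, "legitimate interests (non-TPS number, individual informed)"
        raise ValueError(f"unknown channel {channel!r}")

    def evidence(self, subject_id, sender, channel) -> list:
        """Accountability: the full who/when/what/how history for one consent."""
        return [e for e in self.events
                if (e.subject_id, e.sender, e.channel) == (subject_id, sender, channel)]


def demo() -> ConsentLedger:
    """Builds a ledger from constructed sample data (not from the original deck)."""
    ledger = ConsentLedger(tps_register={"+441234567890"})
    t0 = datetime(2020, 2, 18, 9, 0, tzinfo=timezone.utc)
    ledger.record(ConsentEvent(
        "s-001", "Alumni Office", "email", "granted", t0,
        "We will email you about alumni events; you can opt out at any time.",
        "tick box on web form"))
    return ledger
```

The gate refuses by default: an email to a subject with no record, to a different sender, or over a different channel all fail, which is the behaviour the granularity and "failure to opt-out is not consent" rules require. The ledger is append-only so the withdrawal and the original grant both remain as evidence for the accountability principle.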
AUDITNET® AND CRISK
ACADEMY
• If you would like forever
access to this webinar
recording
• If you are watching the
recording, and would like
to obtain CPE credit for
this webinar
• Previous AuditNet®
webinars are also
available on-demand for
CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a
discount on this webinar for one week
THANK YOU!
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email:info@auditnet.org
www.auditnet.org
Follow Me on Twitter for Special Offers - @auditnet
Join my LinkedIn Group –
https://www.linkedin.com/groups/44252/
Like my Facebook business page
https://www.facebook.com/pg/AuditNetLLC
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino
EU GDPR Changes: What do you need to know? - CommuniGator SeminarEU GDPR Changes: What do you need to know? - CommuniGator Seminar
EU GDPR Changes: What do you need to know? - CommuniGator Seminar
 
Sharp Cookie Advisors legal_botar_ai_dataskydd_gdpr
Sharp Cookie Advisors legal_botar_ai_dataskydd_gdprSharp Cookie Advisors legal_botar_ai_dataskydd_gdpr
Sharp Cookie Advisors legal_botar_ai_dataskydd_gdpr
 
Secure Your Enterprise Data Now and Be Ready for CCPA in 2020
Secure Your Enterprise Data Now and Be Ready for CCPA in 2020Secure Your Enterprise Data Now and Be Ready for CCPA in 2020
Secure Your Enterprise Data Now and Be Ready for CCPA in 2020
 
IT Fraud and Countermeasures
IT Fraud and CountermeasuresIT Fraud and Countermeasures
IT Fraud and Countermeasures
 
5 Ways an IAPP Privacy Certification Can Boost Your Career
5 Ways an IAPP Privacy Certification Can Boost Your Career5 Ways an IAPP Privacy Certification Can Boost Your Career
5 Ways an IAPP Privacy Certification Can Boost Your Career
 
Focused agile audit planning using analytics
Focused agile audit planning using analyticsFocused agile audit planning using analytics
Focused agile audit planning using analytics
 

Plus de Jim Kaplan CIA CFE

Enhanced fraud detection with data analytics
Enhanced fraud detection with data analyticsEnhanced fraud detection with data analytics
Enhanced fraud detection with data analyticsJim Kaplan CIA CFE
 
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...Jim Kaplan CIA CFE
 
How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides Jim Kaplan CIA CFE
 
How to get auditors performing basic analytics using excel
How to get auditors performing basic analytics using excel How to get auditors performing basic analytics using excel
How to get auditors performing basic analytics using excel Jim Kaplan CIA CFE
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling Jim Kaplan CIA CFE
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of samplingHow analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of samplingJim Kaplan CIA CFE
 
Building and Striving for Data Analytics Excellence
Building and Striving for Data Analytics ExcellenceBuilding and Striving for Data Analytics Excellence
Building and Striving for Data Analytics ExcellenceJim Kaplan CIA CFE
 
The Future of Auditing and Fraud Detection
The Future of Auditing and Fraud Detection The Future of Auditing and Fraud Detection
The Future of Auditing and Fraud Detection Jim Kaplan CIA CFE
 
Structuring your organization for success with data analytics
Structuring your organization for success with data analytics Structuring your organization for success with data analytics
Structuring your organization for success with data analytics Jim Kaplan CIA CFE
 

Plus de Jim Kaplan CIA CFE (11)

Enhanced fraud detection with data analytics
Enhanced fraud detection with data analyticsEnhanced fraud detection with data analytics
Enhanced fraud detection with data analytics
 
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
 
How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides
 
How to get auditors performing basic analytics using excel
How to get auditors performing basic analytics using excel How to get auditors performing basic analytics using excel
How to get auditors performing basic analytics using excel
 
Tracking down outliers
Tracking down outliersTracking down outliers
Tracking down outliers
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of samplingHow analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling
 
Ethics for Internal Auditors
Ethics for  Internal AuditorsEthics for  Internal Auditors
Ethics for Internal Auditors
 
Building and Striving for Data Analytics Excellence
Building and Striving for Data Analytics ExcellenceBuilding and Striving for Data Analytics Excellence
Building and Striving for Data Analytics Excellence
 
The Future of Auditing and Fraud Detection
The Future of Auditing and Fraud Detection The Future of Auditing and Fraud Detection
The Future of Auditing and Fraud Detection
 
Structuring your organization for success with data analytics
Structuring your organization for success with data analytics Structuring your organization for success with data analytics
Structuring your organization for success with data analytics
 

Dernier

Entrepreneurship lessons in Philippines
Entrepreneurship lessons in  PhilippinesEntrepreneurship lessons in  Philippines
Entrepreneurship lessons in PhilippinesDavidSamuel525586
 
Effective Strategies for Maximizing Your Profit When Selling Gold Jewelry
Effective Strategies for Maximizing Your Profit When Selling Gold JewelryEffective Strategies for Maximizing Your Profit When Selling Gold Jewelry
Effective Strategies for Maximizing Your Profit When Selling Gold JewelryWhittensFineJewelry1
 
Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Americas Got Grants
 
EUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exportersEUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exportersPeter Horsten
 
Welding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsWelding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsIndiaMART InterMESH Limited
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMVoces Mineras
 
Technical Leaders - Working with the Management Team
Technical Leaders - Working with the Management TeamTechnical Leaders - Working with the Management Team
Technical Leaders - Working with the Management TeamArik Fletcher
 
Send Files | Sendbig.comSend Files | Sendbig.com
Send Files | Sendbig.comSend Files | Sendbig.comSend Files | Sendbig.comSend Files | Sendbig.com
Send Files | Sendbig.comSend Files | Sendbig.comSendBig4
 
20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdfChris Skinner
 
Healthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterHealthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterJamesConcepcion7
 
Appkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptxAppkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptxappkodes
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfRbc Rbcua
 
Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Anamaria Contreras
 
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdftrending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdfMintel Group
 
Onemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring CapabilitiesOnemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring CapabilitiesOne Monitar
 
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdfGUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdfDanny Diep To
 
Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...
Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...
Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...Associazione Digital Days
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdfShaun Heinrichs
 
PSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationPSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationAnamaria Contreras
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfShashank Mehta
 

Dernier (20)

Entrepreneurship lessons in Philippines
Entrepreneurship lessons in  PhilippinesEntrepreneurship lessons in  Philippines
Entrepreneurship lessons in Philippines
 
Effective Strategies for Maximizing Your Profit When Selling Gold Jewelry
Effective Strategies for Maximizing Your Profit When Selling Gold JewelryEffective Strategies for Maximizing Your Profit When Selling Gold Jewelry
Effective Strategies for Maximizing Your Profit When Selling Gold Jewelry
 
Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...
 
EUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exportersEUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exporters
 
Welding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsWelding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan Dynamics
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQM
 
Technical Leaders - Working with the Management Team
Technical Leaders - Working with the Management TeamTechnical Leaders - Working with the Management Team
Technical Leaders - Working with the Management Team
 
Send Files | Sendbig.comSend Files | Sendbig.com
Send Files | Sendbig.comSend Files | Sendbig.comSend Files | Sendbig.comSend Files | Sendbig.com
Send Files | Sendbig.comSend Files | Sendbig.com
 
20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf
 
Healthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterHealthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare Newsletter
 
Appkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptxAppkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptx
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdf
 
Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.
 
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdftrending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
 
Onemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring CapabilitiesOnemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
 
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdfGUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
 
Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...
Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...
Lucia Ferretti, Lead Business Designer; Matteo Meschini, Business Designer @T...
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf
 
PSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationPSCC - Capability Statement Presentation
PSCC - Capability Statement Presentation
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdf
 

Implementing and Auditing GDPR Series (2 of 10)

  • 1. 2/18/2020 1 Richard Cascarino CISM, CIA, ACFE, CRMA General Data Protection Regulation (GDPR) Webinar 2 Lawful Basis for Processing About Jim Kaplan, CIA, CFE  President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)  Auditor, Web Site Guru,  Internet for Auditors Pioneer  IIA Bradford Cadmus Memorial Award Recipient  Local Government Auditor’s Lifetime Award  Author of “The Auditor’s Guide to Internet Resources” 2nd Edition Page 2 1 2
  • 2. 2/18/2020 2 ABOUT AUDITNET® LLC • AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology. • Available on the Web, iPad, iPhone, Windows and Android devices and features: • Over 3,000 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices • Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users. • Audit guides, manuals, and books on audit basics and using audit technology • LinkedIn Networking Groups • Monthly Newsletters with Expert Guest Columnists • Surveys on timely topics for internal auditors Introductions Page 3 HOUSEKEEPING This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden. • If you logged in with another individual’s confirmation email you will not receive CPE as the confirmation login is linked to a specific individual • This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join link. • We are recording the webinar and you will be provided access to that recording after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited. • If you meet the criteria for earning CPE you will receive a link via email to download your certificate. The official email for CPE will be issued via NoReply@gensend.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated if you did not receive the first mailing. • Submit questions via the chat box on your screen and we will answer them either during or at the conclusion. 
• You must answer the survey questions after the Webinar or before downloading your certificate. 3 4
  • 3. 2/18/2020 3 IMPORTANT INFORMATION REGARDING CPE! • ATTENDEES - If you attend the entire Webinar and meet the criteria for CPE you will receive an email with the link to download your CPE certificate. The official email for CPE will be issued via NoReply@gensend.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated after the initial distribution. • We cannot manually generate a CPE certificate as these are handled by our 3rd party provider. We highly recommend that you work with your IT department to identify and correct any email delivery issues prior to attending the Webinar. Issues would include blocks or spam filters in your email system or a firewall that will redirect or not allow delivery of this email from Gensend.io • You must opt in for our mailing list. If you indicate you do not want to receive our emails your registration will be cancelled and you will not be able to attend the Webinar. • We are not responsible for any connection, audio or other computer related issues. You must have pop-ups enabled on you computer otherwise you will not be able to answer the polling questions which occur approximately every 20 minutes. We suggest that if you have any pressing issues to see to that you do so immediately after a polling question. The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® LLC. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship. While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. 
AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website. Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet® LLC 5 6
  • 4. 2/18/2020 4 ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA • Principal of Richard Cascarino & Associates based in Colorado USA • Over 28 years experience in IT audit training and consultancy • Past President of the Institute of Internal Auditors in South Africa • Member of ISACA • Member of Association of Certified Fraud Examiners • Author of Data Analytics for Internal Auditors 7 TODAY’S AGENDA Page 8 Special categories of personal data The rights of data subjects, including data access requests Controllers and processors Consent Necessary for marketing Legitimate interests Print communications only 7 8
  • 5. 2/18/2020 5 WHAT IS EU GDPR? On 4 May 2016, the EU Regulation on Data Protection (GDPR) was published in the Official Journal of the European Union The GDPR entered into force on 24 May 2016 to replace the former 1995 EU Data Protection Directive and create a harmonized data protection law across Europe To more effectively manage data on their customers, employees, contacts and any other relevant persons IMPACT ON USA  With respect to data protection, viewed as not having adequate protections for data transfer from the EU due to the differences in the regulatory models and practices  GDPR will be challenging for US companies  Significant confusion, thinking that it doesn’t apply  Lack of familiarity with concepts like subject access and data minimization  Concept of PII (Personal Identifiable Information) (vs. Personal Data in the EU context)  Issue for companies where the EU is a minority of their portfolio 9 10
  • 6. 2/18/2020 6 WHY? WHEN? WHERE? ”GDPR is about May 25th 2018 • All 28 EU member countries harmonization of the (national interpretations of parts protection of of the regulation) fundamental right and • EU businesses, organizations, freedoms of natural authorities, non-profit persons in respect of organisations processing activities” • Businesses outside of the EU registering personal data about EU citizens WHAT? Protection of personal data through organizational, administrative, and technical means, -and to provide evidence of that protection GDPR: WHY, WHEN, WHERE, WHAT? GDPR BASICS  Personal data must be processed lawfully, fairly and in a transparent manner.  Personal data must be processed for specified, explicit and  legitimate purposes and not further processed in an incompatible way.  Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes.  Personal data must be processed in a way that ensures appropriate security using appropriate technical or organizational measures.  The controller shall be responsible for and be able to demonstrate compliance with the principles. 11 12
  • 7. 2/18/2020 7 PRINCIPLES  When is it legal to process personal data?  Consent: by data subject, specific purpose, written, withdrawal at any time, parental consent children under 16  Necessity of processing: Contracts, legal obligations, legitimate reason, public interest, vital interest for registered  Special Categories (Sensitive) - is generally prohibited  Race, political opinions, health, union membership, genetic data, biometric data, sexual orientation or sex life  unless strictly regulated consent or necessity POLLING QUESTION 13 14
  • 8. 2/18/2020 8 SENSITIVE DATA  “Special categories of personal data” (sensitive data) now expressly include “genetic data” and “biometric data” where processed “to uniquely identify a person”.  The grounds for processing sensitive data under the GDPR broadly replicate those under the Data Protection Directive, although there are wider grounds in the area of health and healthcare management.  There is also a broad ability for Member States to adduce new conditions (including limitations) regarding the processing of genetic, biometric or health data. WHAT IS “SENSITIVE”  Article 9(2) sets out the circumstances in which the processing of sensitive personal data which is otherwise prohibited, may take place.  The following categories of data are considered “sensitive”, as set out in Article 9(1):  racial or ethnic origin;  political opinions;  religious or philosophical beliefs;  trade union membership;  data concerning health or sex life and sexual orientation;  genetic data (new);  biometric data where processed to uniquely identify a person (new).  photographs will be covered only to the extent they allow the unique identification or authentication of an individual as a biometric (such as when used as part of an electronic passport) 15 16
  • 9. 2/18/2020 9 WHEN CAN YOU PROCESS SENSITIVE DATA?  Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law  Necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement  Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent  Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members  Data manifestly made public by the data subject  Necessary for the establishment, exercise or defense of legal claims or where courts are acting in their judicial capacity WHEN CAN YOU PROCESS SENSITIVE DATA?  Necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguarding measures  Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional  Necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices  Necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes 17 18
  • 10. 2/18/2020 10 CRIMINAL CONVICTIONS AND OFFENCES  Data relating to criminal convictions and offences are not categorized as “sensitive” (EU)  UK Data Protection Act treats personal data relating to criminal proceedings and convictions as sensitive data AUDITING GDPR  Ensure you are clear about the grounds relied on by your organization to process sensitive data, and check these grounds will still be applicable under the GDPR  Where relying on consent, ensure the quality of consent meets GDPR requirements in relation to the collection of consent  Check if rules on children are likely to affect you, and, if so, which national rules you will need to follow when obtaining their consent  If you process substantial amounts of genetic, biometric or health data, pay attention to national developments since Member States have a broad right to impose further conditions 19 20
  • 11. 2/18/2020 11 POLLING QUESTION GDPR ROLES Data Subject Every person is considered a Data Subject: citizens, consumers, customers, business partners, employees, you and me. Your company. You are controlling, reviewing, comparing and aggregating data about your customers (e.g. web analytics data). Data Controller Any information relating to an identified or identifiable natural person (in other words: the Data Subject). 21 22
  • 12. 2/18/2020 12 RIGHTS OF DATA SUBJECTS Right to be informed Right to erasure Right to data portability Right to restriction Right to rectification Right of access  Including additional processing details Right to object Right to prevent automated processing, including profiling INDIVIDUAL RIGHTS  Right to withdraw consent at any time – Implicit under DPA; explicit under GDPR  Right to ask for erasure of data if consent withdrawn (right to be forgotten)  Unconditional right to object to processing for direct marketing under DPA/GDPR  Must comply with objection within one month 23 24
  • 13. 2/18/2020 13 RIGHT TO KNOW  Why the Data Controller is processing the data.  What categories of data are being processed.  Whether the Data Controller is processing their data.  Will the Controller share their data and with who.  How long the data will be stored.  That they have the right to erasure, rectification, restriction of processing, and to object to processing.  That they have the right to complain to the Data Protection Authority (DPA).  If there is automated processing that has a significant effect on them.  The data was collected unlawfully.  The time limit for the storage of the data has expired. POLLING QUESTION 25 26
  • 14. 2/18/2020 14 WHO IS WHO IN GDPR  Supervisory Authority (“SA”)– is an independent public authority from each Member State in the EU with the authority to regulate compliance with GDPR.  Data Protection Authority - is an independent public authority responsible for monitoring the application of data protection law within its territory.  European Data Protection Board (“EDPB”) - The old Article 29 “Working Party” has become the European Data Protection Board. The EDPB has the status of an EU body with legal personality and extensive powers to determine disputes between national supervisory authorities, to give advice and guidance and to approve EU-wide codes and certification. CONTROLLERS AND PROCESSORS  “Controller”  the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.  “Processor”  a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller 27 28
CONTROLLER VS. PROCESSOR
- Controller: alone or jointly with others determines the purposes and means of processing personal data.
- Processor: processes personal data on behalf of the controller.
- Both controllers and processors are regulated directly under GDPR.
- Controllers have more responsibilities, for example: providing notices to data subjects, responding to the exercise of subject rights, appointing a representative in the EEA, notifying supervisory authorities and data subjects of data breaches, and maintaining records of processing.

PROCESSING AGREEMENT
GDPR (Art. 28(3)) requires that processing by a processor be governed by a contract or other legal act under Union or Member State law that is binding on the processor with regard to the controller and sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. The contract must stipulate that the processor:
- Processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject;
- Ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Takes all measures required pursuant to Art. 32 (security of processing);
- Respects the conditions for engaging another processor.
POLLING QUESTION

REQUIREMENTS FOR TRANSFER OF PERSONAL DATA TO THE U.S.
- GDPR requires that a legal basis be in place to permit the transfer of personal data from the EEA to jurisdictions lacking adequate data protection legislation (e.g., the United States). See Directive Ch. IV; GDPR Ch. V.
- Transfer requirements apply even if GDPR does not apply directly to the receiving entity.
- The intent is to ensure that GDPR-level protections are extended to personal data notwithstanding their transfer.
LEGAL BASES FOR DATA TRANSFER
- Obtaining the explicit consent of the data subject to the transfer of personal data to the U.S. for processing. Requires advising the data subject of the risks of the transfer resulting from the absence of adequate data protection legislation in the recipient jurisdiction. See GDPR, Art. 49(1)(a).
- Entering into model contractual clauses approved by the European Commission with the EEA entity transferring the personal data. See GDPR, Art. 46(2).
  - Two sets of controller-to-controller clauses.
  - One set of controller-to-processor clauses.
  - No processor-to-controller clauses.
- U.S.-based companies that are for-profit entities may have an additional option of applying for certification under the EU-U.S. Privacy Shield, a program administered by the U.S. Department of Commerce. It permits personal data to be transferred from the EEA to U.S. for-profit entities that self-certify for the program after implementing various data protection measures consistent with EU privacy law.
EXTERNAL COMMUNICATIONS - MAIN ISSUES
- Legal basis for processing
- Different rules for marketing by (i) email/text; (ii) phone; (iii) print
- Definition of consent
- Compliance strategy for existing contacts

LEGAL BASIS FOR PROCESSING
- Must have a lawful basis for processing, i.e. a legitimate reason for using personal data
- Two options for external marketing: consent, or legitimate interests
CONSENT VS LEGITIMATE INTERESTS
- We can rely on legitimate interests for print communications only, and for holding the data in the first place
- Consent is necessary for marketing by email or text
- A mixture of legitimate interests and consent applies to marketing calls

LEGITIMATE INTERESTS
- A suitable basis when we use people's data in ways they would reasonably expect and which have minimal impact on their privacy
- GDPR specifically recognises direct marketing as an example of a legitimate interest (Recital 47)
- We are required to balance our interests against the rights and interests of the individual
LEGITIMATE INTERESTS ASSESSMENT (LIA)
- Must carry out an LIA in order to demonstrate compliance (accountability principle). Three-part test:
  1. Purpose: what is our legitimate interest?
  2. Necessity: why do we need to process personal data to achieve it?
  3. Balancing of interests: do the individual's interests override the legitimate interest?
- One LIA for each key activity within your area

POLLING QUESTION
PRIVACY AND ELECTRONIC COMMUNICATIONS REGULATIONS (PECR) - SCOPE
- Provides rules for unsolicited direct marketing by electronic means (email, text, phone)
- Unsolicited: not specifically requested
- Direct marketing: targets particular individuals
- Marketing is not limited to commercial marketing (sale of goods and services)
- Covers any advertising and promotional material, including material promoting the aims of not-for-profit organisations, such as HEIs (higher education institutions)

RULES OF PECR - EMAILS/TEXTS
- Prior consent is required for emails or texts sent to individuals
- Every email/text must carry a valid address that enables the individual to opt out/unsubscribe
- The PECR consent rule does not apply to business-to-business emails/texts (corporate subscribers); sole traders and partnerships count as individuals
RULES OF PECR - CALLS
- No calls to people registered with the Telephone Preference Service (TPS) or those who have otherwise objected
- Can only call a TPS-registered number with specific prior consent
- OK to call non-TPS numbers, but the DPA/GDPR applies, i.e. the person must be aware that we have their number and intend to use it to make marketing calls

CONSENT
CONSENT UNDER GDPR AND PECR
- Specific, informed, freely given (a genuine choice)
- Requires positive action, i.e. opt-in
- Failure to opt out is not consent
- Granular: separate consent for distinct activities
- Consent under PECR must be specific to the sender of the marketing (college/university/department) and to the method of communication (email/text)

OBTAINING CONSENT
- Tick box
- Signing a declaration/form
- Sending an email
- Selecting Yes/No options
- Oral statement
- Whichever method is used, GDPR requires us to keep evidence of consent (accountability)
RECORDING CONSENT
- Who
- When
- What they were told
- How they consented

RIGHT TO WITHDRAW CONSENT
- Individuals may withdraw at any time
- They must be notified of this right when consent is given
- It must be as easy to withdraw consent as it was to give it
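The consent evidence record (who, when, what they were told, how), the withdrawal rule, and the per-channel PECR rules from the preceding slides can be expressed as one small consent ledger. The code below is an added example written for this page, not material from the webinar or from AuditNet; the record fields, the `may_contact` decision function and the sample sender names are assumptions chosen to mirror the slides, and the sample data is constructed.

```python
"""Consent ledger (constructed example): records who/when/what they were
told/how, supports withdrawal at any time, and decides whether a marketing
contact is permitted under the channel rules summarised in the slides."""
from __future__ import annotations

from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Optional

CHANNELS = ("email", "text", "phone", "print")


@dataclass
class ConsentRecord:
    subject_id: str
    sender: str            # consent is specific to the sender (e.g. department)
    channel: str           # ... and to the method of communication
    given_at: datetime     # when
    method: str            # how: tick box, signed form, email, Yes/No option, oral statement
    notice: str            # what the individual was told at the time
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record_consent(self, subject_id: str, sender: str, channel: str, method: str,
                       notice: str, opted_in: bool, at: Optional[datetime] = None) -> ConsentRecord:
        """Store a positive opt-in only; a missing opt-out is not consent, so nothing is recorded."""
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        if not opted_in:
            raise ValueError("failure to opt out is not consent; nothing recorded")
        rec = ConsentRecord(subject_id, sender, channel, at or datetime.now(timezone.utc), method, notice)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, sender: Optional[str] = None, channel: Optional[str] = None,
                 at: Optional[datetime] = None) -> int:
        """Withdrawal must be as easy as giving consent: one call can cover every matching consent.
        Returns the number of consents withdrawn; records are kept (not deleted) as evidence."""
        when = at or datetime.now(timezone.utc)
        withdrawn = 0
        for rec in self._records:
            if (rec.subject_id == subject_id and rec.active
                    and (sender is None or rec.sender == sender)
                    and (channel is None or rec.channel == channel)):
                rec.withdrawn_at = when
                withdrawn += 1
        return withdrawn

    def has_consent(self, subject_id: str, sender: str, channel: str) -> bool:
        """Granular check: consent for one sender and one channel does not carry over to another."""
        return any(r.subject_id == subject_id and r.sender == sender
                   and r.channel == channel and r.active for r in self._records)

    def evidence(self, subject_id: str) -> list[dict]:
        """Accountability: everything we hold about this individual's consent, including withdrawals."""
        return [asdict(r) for r in self._records if r.subject_id == subject_id]


def may_contact(ledger: ConsentLedger, subject_id: str, sender: str, channel: str, *,
                tps_registered: bool = False, lia_passed: bool = False,
                objected: bool = False) -> tuple[bool, str]:
    """Apply the slides' rules: email/text need consent; TPS numbers need consent;
    non-TPS calls and print can rely on legitimate interests (LIA done, individual aware);
    an objection to direct marketing always wins."""
    if objected:
        return False, "individual objected to direct marketing; processing must stop"
    if channel in ("email", "text"):
        return ledger.has_consent(subject_id, sender, channel), "PECR: prior consent specific to sender and channel"
    if channel == "phone":
        if tps_registered:
            return ledger.has_consent(subject_id, sender, channel), "TPS-registered number: specific prior consent needed"
        return lia_passed, "non-TPS number: legitimate interests (LIA passed, individual aware we hold the number)"
    if channel == "print":
        return lia_passed, "print: legitimate interests (LIA passed)"
    return False, f"unknown channel {channel!r}"


if __name__ == "__main__":
    ledger = ConsentLedger()
    t0 = datetime(2020, 2, 18, 9, 0, tzinfo=timezone.utc)
    ledger.record_consent("alumnus-001", "Alumni Office", "email", "tick box",
                          "We will email you about alumni events; you can unsubscribe at any time.",
                          opted_in=True, at=t0)
    print(may_contact(ledger, "alumnus-001", "Alumni Office", "email"))   # permitted
    print(may_contact(ledger, "alumnus-001", "Alumni Office", "text"))    # not permitted: no text consent
    ledger.withdraw("alumnus-001")
    print(may_contact(ledger, "alumnus-001", "Alumni Office", "email"))   # not permitted after withdrawal
```

Consents are never deleted on withdrawal; the withdrawal timestamp is stored on the record, so `evidence()` can later show both that consent was given and when it was withdrawn, which is the accountability trail the slides call for.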
POLLING QUESTION

AUDITNET® AND CRISK ACADEMY
- If you would like forever access to this webinar recording
- If you are watching the recording and would like to obtain CPE credit for this webinar
- Previous AuditNet® webinars are also available on-demand for CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code 50OFF for a discount on this webinar for one week
THANK YOU!
Jim Kaplan, AuditNet® LLC
1-800-385-1625
Email: info@auditnet.org
www.auditnet.org
Follow me on Twitter for special offers: @auditnet
Join my LinkedIn group: https://www.linkedin.com/groups/44252/
Like my Facebook business page: https://www.facebook.com/pg/AuditNetLLC

Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel: +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
Email: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino