Protecting personal data has been an important issue for many years. The EU GDPR extends the data rights of individuals, and requires organizations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organizational measures. UK organizations have had to comply with the Regulation since 25 May 2018, or potentially face fines of up to 4% of annual turnover or €20 million – whichever is greater.
Learning Outcomes:
This 10-webinar series is intended to give a clear understanding of the core elements of the GDPR, with the ability to gain a deeper understanding by asking the trainer questions during the training.
It covers how each aspect of the Regulation can be translated into implementation actions in your organization and the auditor’s role.
Webinar 2 of 10
• Special categories of personal data
• The rights of data subjects, including data access requests
• Controllers and processors
1. 2/18/2020
General Data Protection Regulation (GDPR) Webinar 2: Lawful Basis for Processing
Richard Cascarino CISM, CIA, ACFE, CRMA
About Jim Kaplan, CIA, CFE
• President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)
• Auditor, Web Site Guru, Internet for Auditors Pioneer
• IIA Bradford Cadmus Memorial Award Recipient
• Local Government Auditor’s Lifetime Award
• Author of “The Auditor’s Guide to Internet Resources” 2nd Edition
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and features:
• Over 3,000 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Introductions
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive CPE as the confirmation login is linked to a specific individual
• This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join link.
• We are recording the webinar and you will be provided access to that recording after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
• If you meet the criteria for earning CPE you will receive a link via email to download your certificate. The official email for CPE will be issued via NoReply@gensend.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated if you did not receive the first mailing.
• Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
• You must answer the survey questions after the Webinar or before downloading your certificate.
IMPORTANT INFORMATION REGARDING CPE!
• ATTENDEES - If you attend the entire Webinar and meet the criteria for CPE you will receive an email with the link to download your CPE certificate. The official email for CPE will be issued via NoReply@gensend.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated after the initial distribution.
• We cannot manually generate a CPE certificate as these are handled by our 3rd party provider. We highly recommend that you work with your IT department to identify and correct any email delivery issues prior to attending the Webinar. Issues would include blocks or spam filters in your email system or a firewall that will redirect or not allow delivery of this email from Gensend.io
• You must opt in for our mailing list. If you indicate you do not want to receive our emails your registration will be cancelled and you will not be able to attend the Webinar.
• We are not responsible for any connection, audio or other computer related issues. You must have pop-ups enabled on your computer otherwise you will not be able to answer the polling questions which occur approximately every 20 minutes. We suggest that if you have any pressing issues to see to that you do so immediately after a polling question.
The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® LLC. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet® LLC
ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino & Associates based in Colorado USA
• Over 28 years’ experience in IT audit training and consultancy
• Past President of the Institute of Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified Fraud Examiners
• Author of Data Analytics for Internal Auditors
TODAY’S AGENDA
• Special categories of personal data
• The rights of data subjects, including data access requests
• Controllers and processors
• Consent
• Necessary for marketing
• Legitimate interests
• Print communications only
WHAT IS EU GDPR?
• On 4 May 2016, the EU Regulation on Data Protection (GDPR) was published in the Official Journal of the European Union
• The GDPR entered into force on 24 May 2016 to replace the former 1995 EU Data Protection Directive and create a harmonized data protection law across Europe
• To more effectively manage data on their customers, employees, contacts and any other relevant persons
IMPACT ON USA
• With respect to data protection, the USA is viewed as not having adequate protections for data transfer from the EU due to the differences in the regulatory models and practices
• GDPR will be challenging for US companies
• Significant confusion, thinking that it doesn’t apply
• Lack of familiarity with concepts like subject access and data minimization
• Concept of PII (Personally Identifiable Information) (vs. Personal Data in the EU context)
• Issue for companies where the EU is a minority of their portfolio
GDPR: WHY, WHEN, WHERE, WHAT?
WHY? ”GDPR is about harmonization of the protection of fundamental rights and freedoms of natural persons in respect of processing activities”
WHEN? May 25th 2018
WHERE?
• All 28 EU member countries (national interpretations of parts of the regulation)
• EU businesses, organizations, authorities, non-profit organisations
• Businesses outside of the EU registering personal data about EU citizens
WHAT? Protection of personal data through organizational, administrative, and technical means, and to provide evidence of that protection
GDPR BASICS
• Personal data must be processed lawfully, fairly and in a transparent manner.
• Personal data must be processed for specified, explicit and legitimate purposes and not further processed in an incompatible way.
• Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes.
• Personal data must be processed in a way that ensures appropriate security using appropriate technical or organizational measures.
• The controller shall be responsible for and be able to demonstrate compliance with the principles.
PRINCIPLES
When is it legal to process personal data?
• Consent: by data subject, specific purpose, written, withdrawal at any time, parental consent for children under 16
• Necessity of processing: contracts, legal obligations, legitimate reason, public interest, vital interest for registered
• Special Categories (Sensitive): processing is generally prohibited (race, political opinions, health, union membership, genetic data, biometric data, sexual orientation or sex life) unless strictly regulated consent or necessity applies
SENSITIVE DATA
“Special categories of personal data” (sensitive data) now expressly include “genetic data” and “biometric data” where processed “to uniquely identify a person”.
The grounds for processing sensitive data under the GDPR broadly replicate those under the Data Protection Directive, although there are wider grounds in the area of health and healthcare management.
There is also a broad ability for Member States to adduce new conditions (including limitations) regarding the processing of genetic, biometric or health data.
WHAT IS “SENSITIVE”
Article 9(2) sets out the circumstances in which the processing of sensitive personal data, which is otherwise prohibited, may take place. The following categories of data are considered “sensitive”, as set out in Article 9(1):
• racial or ethnic origin;
• political opinions;
• religious or philosophical beliefs;
• trade union membership;
• data concerning health or sex life and sexual orientation;
• genetic data (new);
• biometric data where processed to uniquely identify a person (new).
Photographs will be covered only to the extent they allow the unique identification or authentication of an individual as a biometric (such as when used as part of an electronic passport).
WHEN CAN YOU PROCESS SENSITIVE DATA?
• Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
• Necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement
• Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent
• Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members
• Data manifestly made public by the data subject
• Necessary for the establishment, exercise or defense of legal claims or where courts are acting in their judicial capacity
• Necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguarding measures
• Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
• Necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices
• Necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes
CRIMINAL CONVICTIONS AND OFFENCES
• Data relating to criminal convictions and offences are not categorized as “sensitive” (EU)
• UK Data Protection Act treats personal data relating to criminal proceedings and convictions as sensitive data
AUDITING GDPR
• Ensure you are clear about the grounds relied on by your organization to process sensitive data, and check these grounds will still be applicable under the GDPR
• Where relying on consent, ensure the quality of consent meets GDPR requirements in relation to the collection of consent
• Check if rules on children are likely to affect you, and, if so, which national rules you will need to follow when obtaining their consent
• If you process substantial amounts of genetic, biometric or health data, pay attention to national developments since Member States have a broad right to impose further conditions
GDPR ROLES
Data Subject: Every person is considered a Data Subject: citizens, consumers, customers, business partners, employees, you and me.
Data Controller: Your company. You are controlling, reviewing, comparing and aggregating data about your customers (e.g. web analytics data).
Personal Data: Any information relating to an identified or identifiable natural person (in other words: the Data Subject).
RIGHTS OF DATA SUBJECTS
• Right to be informed
• Right to erasure
• Right to data portability
• Right to restriction
• Right to rectification
• Right of access, including additional processing details
• Right to object
• Right to prevent automated processing, including profiling
INDIVIDUAL RIGHTS
• Right to withdraw consent at any time – implicit under DPA; explicit under GDPR
• Right to ask for erasure of data if consent withdrawn (right to be forgotten)
• Unconditional right to object to processing for direct marketing under DPA/GDPR
• Must comply with objection within one month
RIGHT TO KNOW
• Why the Data Controller is processing the data.
• What categories of data are being processed.
• Whether the Data Controller is processing their data.
• Whether the Controller will share their data and with whom.
• How long the data will be stored.
• That they have the right to erasure, rectification, restriction of processing, and to object to processing.
• That they have the right to complain to the Data Protection Authority (DPA).
• If there is automated processing that has a significant effect on them.
• The data was collected unlawfully.
• The time limit for the storage of the data has expired.
WHO IS WHO IN GDPR
Supervisory Authority (“SA”) – is an independent public authority from each Member State in the EU with the authority to regulate compliance with GDPR.
Data Protection Authority – is an independent public authority responsible for monitoring the application of data protection law within its territory.
European Data Protection Board (“EDPB”) – The old Article 29 “Working Party” has become the European Data Protection Board. The EDPB has the status of an EU body with legal personality and extensive powers to determine disputes between national supervisory authorities, to give advice and guidance and to approve EU-wide codes and certification.
CONTROLLERS AND PROCESSORS
“Controller” – the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
“Processor” – a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller
CONTROLLER VS. PROCESSOR
Controller – alone or jointly with others determines the purposes and means of processing personal data.
Processor – processes personal data on behalf of the controller.
Both controllers and processors are regulated directly under GDPR.
Controllers have more responsibilities, for example: providing notices to data subjects, responding to exercise of subject rights, appointing a representative in the EEA, notifying supervisory authorities and data subjects of data breaches, maintaining records of processing.
PROCESSING AGREEMENT
GDPR requires that processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller, and that stipulates that the processor:
• Processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which the processor is subject…;
• Ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
• Takes all measures required to ensure the security of personal data;
• Respects the conditions for engaging another processor;
REQUIREMENTS FOR TRANSFER OF PERSONAL DATA TO U.S.
GDPR requires that a legal basis be in place to permit the transfer of personal data from the EEA to jurisdictions lacking adequate data protection legislation (e.g., the United States). See Directive Ch. IV; GDPR Ch. V.
Transfer requirements apply even if GDPR does not apply directly to the receiving entity.
The intent is to ensure that GDPR-level protections are extended to personal data notwithstanding their transfer.
LEGAL BASES FOR DATA TRANSFER
• Obtaining the explicit consent of the data subject to the transfer of personal data to the U.S. for processing. Requires advising the data subject of the risks of the transfer resulting from the absence of adequate data protection legislation in the recipient jurisdiction. See GDPR, Art. 49(1)(a).
• Entering into model contractual clauses approved by the European Commission with the EEA entity transferring personal data: two sets of controller-controller clauses; one set of controller-processor clauses; no processor-controller clauses. See GDPR, Art. 46(2).
• U.S.-based companies that are for-profit entities may have an additional option of applying for certification under the EU-U.S. Privacy Shield, a program administered by the U.S. Department of Commerce. This permits personal data to be transferred from the EEA to U.S. for-profit entities that self-certify for the program after implementing various data protection measures consistent with EU privacy law.
EXTERNAL COMMUNICATIONS - MAIN ISSUES
• Legal basis for processing
• Different rules for marketing by (i) Email/text; (ii) phone; (iii) print
• Definition of Consent
• Compliance strategy for existing contacts
LEGAL BASIS FOR PROCESSING
Must have a lawful basis for processing, i.e. a legitimate reason for using personal data.
Two options for external marketing:
• Consent
• Legitimate interests
CONSENT VS LEGITIMATE INTERESTS
• We can rely on legitimate interests for print communications only and for holding the data in the first place
• Consent is necessary for marketing by email or text
• Mixture of legitimate interests and consent for marketing calls
LEGITIMATE INTERESTS
• Suitable basis when we use people’s data in ways they would reasonably expect and which have minimal impact on their privacy
• GDPR specifically recognises direct marketing as an example of a legitimate interest
• Required to balance our interests against rights and interests of individual
LEGITIMATE INTERESTS ASSESSMENT (LIA)
Must carry out a LIA in order to demonstrate compliance (accountability principle). 3-part test:
1. Purpose: What is our legitimate interest?
2. Necessity: Why do we need to process personal data to achieve it?
3. Balancing of interests: Do the individual’s interests override the legitimate interest?
One LIA for key activities within your area
PRIVACY AND ELECTRONIC COMMUNICATIONS REGULATIONS (PECR) - SCOPE
• Provides rules for unsolicited direct marketing by electronic means (email, text, phone)
• Unsolicited: not specifically requested
• Direct marketing: targets particular individuals
• Marketing is not limited to commercial marketing (sale of goods and services)
• Covers any advertising and promotional material, including that promoting aims of not-for-profit organisations, such as HEIs
RULES OF PECR - EMAILS/TEXT
• Prior consent required for e-mails or texts sent to individuals
• Every email/text must have valid address to enable individual to opt-out/unsubscribe
• PECR does not apply to business to business emails/texts
RULES OF PECR - CALLS
• No calls to people registered with Telephone Preference Service (TPS) or those who have otherwise objected
• Can only call TPS number with specific prior consent
• OK to call non-TPS numbers but DPA/GDPR applies, i.e. person must be aware we have their number and intend to use it to make marketing calls
CONSENT
CONSENT UNDER GDPR AND PECR
• Specific, informed, freely given (genuine choice)
• Requires positive action, i.e. opt-in
• Failure to opt-out is not consent
• Granular: separate consent for distinct activities
• Consent under PECR must be specific to sender of marketing (college/University/department) and to method of communication (email/text)
OBTAINING CONSENT
• Tick box
• Signing a declaration/form
• Sending an email
• Selecting Yes/No options
• Oral statement
Whichever method is used, GDPR requires us to keep evidence of consent (accountability)
RECORDING CONSENT
• Who
• When
• What they were told
• How they consented
RIGHT TO WITHDRAW CONSENT
• Individuals – at any time
• Must be notified when consent given
• Must be as easy to withdraw as to give consent
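The PECR channel rules (prior, sender- and method-specific opt-in for email/text, TPS checks for calls, legitimate interests for print), the consent-record fields and withdrawal at any time can be expressed as one small decision function. This is an added example, not material from the webinar; the record field names, the informed_of_calls flag, the basis strings and the sample contact are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

T_CONSENT = datetime(2020, 1, 10, tzinfo=timezone.utc)  # constructed timestamps, not from the deck
T_NOW = datetime(2020, 2, 18, tzinfo=timezone.utc)


@dataclass
class Consent:
    """One consent record: who, when, what they were told, how; plus sender and channel."""
    subject_id: str
    given_at: datetime
    told: str                  # wording shown at the point of consent
    method: str                # tick box, signed form, email, yes/no option, oral
    sender: str                # organisation/department allowed to send marketing
    channel: str               # "email", "text" or "call"
    withdrawn_at: Optional[datetime] = None

    def active(self, at: datetime) -> bool:
        # Withdrawable at any time: consent stops applying from the withdrawal moment.
        return self.given_at <= at and (self.withdrawn_at is None or at < self.withdrawn_at)


@dataclass
class Contact:
    subject_id: str
    is_business: bool = False        # PECR email/text rules do not apply B2B
    tps_registered: bool = False     # Telephone Preference Service
    informed_of_calls: bool = False  # assumed flag: told we hold the number for calls
    objected: bool = False           # unconditional objection to direct marketing
    consents: list = field(default_factory=list)


def withdraw(contact: Contact, sender: str, channel: str, at: datetime) -> int:
    hits = [c for c in contact.consents  # every active consent for this sender/channel
            if c.sender == sender and c.channel == channel and c.active(at)]
    for c in hits:
        c.withdrawn_at = at
    return len(hits)


def may_market(contact: Contact, sender: str, channel: str, at: datetime):
    """Decide one message under the deck's rules; returns (allowed, basis)."""
    if contact.objected:
        return False, "objection to direct marketing must be honoured"
    if channel == "print":
        return True, "legitimate interests"        # print needs no PECR consent
    specific = any(c.sender == sender and c.channel == channel and c.active(at)
                   for c in contact.consents)      # sender- and method-specific
    if channel in ("email", "text"):
        if contact.is_business:
            return True, "PECR not applicable (business to business)"
        return (True, "consent") if specific else (False, "no prior opt-in consent")
    if channel == "call":
        if contact.tps_registered:
            return (True, "consent") if specific else (False, "TPS-registered, no specific consent")
        return ((True, "legitimate interests (non-TPS number, individual informed)")
                if contact.informed_of_calls else (False, "individual not informed of calls"))
    raise ValueError(f"unknown channel {channel!r}")


def sample_scenario() -> dict:
    """Constructed walk-through: tick-box consent to Admissions emails, then withdrawal."""
    alice = Contact("alice", tps_registered=True)
    alice.consents.append(Consent("alice", T_CONSENT, "Tick to receive course news by email",
                                  "tick box", "Admissions", "email"))
    out = {k: may_market(alice, s, ch, T_NOW)[0] for k, s, ch in [
        ("email_from_admissions", "Admissions", "email"),
        ("email_from_alumni", "Alumni", "email"),        # consent is sender-specific
        ("text_from_admissions", "Admissions", "text"),  # and method-specific
        ("call_tps", "Admissions", "call")]}             # TPS number, no call consent
    withdraw(alice, "Admissions", "email", T_NOW)
    out["email_after_withdrawal"] = may_market(alice, "Admissions", "email", T_NOW)[0]
    return out
```

Each Consent row carries the evidence the accountability principle asks for, so the same record answers both "may we send this?" and "show me the consent you relied on".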
AUDITNET® AND CRISK ACADEMY
• If you would like forever access to this webinar recording
• If you are watching the recording, and would like to obtain CPE credit for this webinar
• Previous AuditNet® webinars are also available on-demand for CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a discount on this webinar for one week
THANK YOU!
Jim Kaplan, AuditNet® LLC
1-800-385-1625
Email: info@auditnet.org
www.auditnet.org
Follow Me on Twitter for Special Offers - @auditnet
Join my LinkedIn Group – https://www.linkedin.com/groups/44252/
Like my Facebook business page https://www.facebook.com/pg/AuditNetLLC
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino