Business impact of new EU General Data Protection Regulation (GDPR) on organizations
1. Standards, Security, and Audit
Business impact of new EU General Data Protection Regulation (GDPR) on organizations
2. MÁRIO LAVADO
Partner at INOSERV
More than 20 years of experience in management consulting, training and
auditing ISO 9001, ISO 27001, ISO 20000, ISO 22301 management systems.
PECB Partner and PECB Certified Trainer, PECB Lead Implementer/Auditor ISO
9001, ISO 27001, ISO 20000, ISO 22301, ISO 55001, Lead IT Corporate
Governance Manager, Lead Incident Manager, Lead Risk Manager, ITIL® RCV,
ITIL® SO, Scrum Master and ScrumStudy™ Agile Master.
Contact Information
+ 351 962 160 934
mario.lavado@inoserv.pt
www.inoserv.pt
linkedin.com/mario.lavado
3. 3
Agenda
• General Data Protection Regulation (GDPR)
• Security and risk management in the area of personal data
• Data Protection Impact Assessment (DPIA)
• Conclusions
4. 4
General Data Protection Regulation (GDPR)
Introduction
• The General Data Protection Regulation (EU) 2016/679 (GDPR) will be, as
of 25 May 2018, the main data protection legal framework in the EU, directly
applicable in all Member States: the Regulation achieves substantial
harmonisation of data protection rules at EU level, creating one single law
applicable across the EU;
• The new rules are expected to bring benefits of an estimated €2.3 billion
per year at the European level.
• The Regulation establishes a ‘one-stop-shop’ for enforcement: business
organisations will only have to deal with one single data protection
authority – the authority in the country where they have their main base.
5. 5
General Data Protection Regulation (GDPR)
Context
• Nowadays electronic communication networks and digital services are an
essential part of an increasing number of everyday commodities.
• In the era of automated profiling and electronic surveillance, citizens face
a serious threat against their right to privacy and informational self-determination,
especially when using the internet and mobile services.
• The lack of transparency regarding the functionality and interconnection
of such services increases the risk of uncontrollable processing of personal
data.
6. 6
General Data Protection Regulation (GDPR)
GDPR changes to the Directive (95/46/EC)
• Broader territorial scope – applies to players not established in the EU but whose
activities consist of targeting data subjects in the EU
• Enforcement – Data Protection Authorities will be entitled to impose fines ranging
between 2% and 4% of annual turnover
• Accountability – explicit obligation on the controller as well as the processor to be
able to demonstrate their compliance with the GDPR
• Expanded definitions – personal data now explicitly includes location data, IP
addresses, online and technology identifiers
• Data subjects' rights – reinforced rights: access, rectification, restriction, erasure,
objection to processing; no automated processing and profiling
• Consent – spelled out more clearly, with a focus on the ability of individuals to
distinguish a consent
• Data breach notification – report a personal data breach to the Data Protection
Authority within 72h
• One-stop shop – the Data Protection Authority (DPA) of the main establishment can act
as lead DPA, supervising processing activities throughout the EU
• International data transfers – BCRs as tools for data transfers outside the EU are now
embedded in law.
7. 7
Security for the processing of personal data
Security obligations in GDPR
• Security (in the sense of integrity and confidentiality) is established as
one of the principles relating to personal data processing (Article 5).
• Security is at the core of data protection together with the rest of the data
protection principles (i.e. lawfulness, fairness and transparency, purpose
limitation, accuracy and storage limitation).
8. 8
Security for the processing of personal data
Risk-based approach
• Technical and organizational measures for the protection of personal data should be
appropriate to the risk presented.
• Establishes specific data protection parameters that need to be considered for this
assessment, in particular the nature, scope, context and purposes of the processing.
• Relates the risk to the measures taken in order to preserve the rights and freedoms of
individuals;
• Introduces the impact of a potential personal data breach on the data subjects as a major
aspect of the risk assessment (Article 35);
• Risk is central for the controller to implement different obligations:
– Notification of personal data breaches (Articles 33 and 34);
– Conducting a data protection impact assessment;
– Prior consultation with the competent authorities (Article 36).
9. 9
Security for the processing of personal data
An information management system for personal data
• Establishment of an information management system for the protection of the
confidentiality, integrity, availability and resilience of personal data;
• Establishment of a process for testing, assessing and evaluating the
effectiveness of the adopted measures.
10. 10
Security for the processing of personal data
Security for privacy
• While the GDPR does not refer directly to privacy enhancing
technologies (PETs), it specifically addresses pseudonymisation and
encryption as core protection measures for the security of personal data.
• This point should be linked to the provisions of the GDPR for data protection
by design and by default (Article 25), which put emphasis on the
engineering of privacy requirements into IT systems and services.
• Security of processing is not an isolated obligation in the GDPR under a
particular article; it should be considered within the overall GDPR
accountability framework for data protection.
11. 11
Data Protection Impact Assessment (DPIA) on GDPR
DPIA on GDPR
The GDPR does not formally define the concept of a DPIA as such, but
its minimal content is specified by Article 35(7) as follows:
• “(a) a systematic description of the envisaged processing operations and the
purposes of the processing, including, where applicable, the legitimate interest
pursued by the controller;
• (b) an assessment of the necessity and proportionality of the processing
operations in relation to the purposes;
• (c) an assessment of the risks to the rights and freedoms of data subjects
referred to in paragraph 1; and
• (d) the measures envisaged to address the risks, including safeguards, security
measures and mechanisms to ensure the protection of personal data and to
demonstrate compliance with this Regulation taking into account the rights
and legitimate interests of data subjects and other persons concerned”
12. 12
Data Protection Impact Assessment (DPIA) on GDPR
DPIA Goals & Role
• Its meaning and role are clarified by recital 84 as follows: “In order to
enhance compliance with this Regulation where processing operations are
likely to result in a high risk to the rights and freedoms of natural persons,
the controller should be responsible for the carrying-out of a data
protection impact assessment to evaluate, in particular, the origin, nature,
particularity and severity of that risk”
• Recital 84: “The outcome of the assessment should be taken into account
when determining the appropriate measures to be taken in order to
demonstrate that the processing of personal data complies with this
Regulation”.
13. 13
Data Protection Impact Assessment (DPIA) on GDPR
Non-compliance with DPIA
• Under the GDPR, non-compliance with DPIA requirements can lead
to fines imposed by the competent supervisory authority.
• Failure to carry out a DPIA when the processing is subject to a DPIA
(Article 35(1) and (3)), carrying out a DPIA in an incorrect way
(Article 35(2) and (7) to (9)), or failing to consult the competent
supervisory authority where required (Article 36(3)(e)), can each
result in an administrative fine of up to 10M€, or in the case of an
undertaking, up to 2 % of the total worldwide annual turnover of
the preceding financial year, whichever is higher.
14. 14
Data Protection Impact Assessment (DPIA) on GDPR
Basic principles related to the DPIA in the GDPR
Decision flow (reconstructed from the slide's diagram):
• Likely to result in high risks? (Art 35(1), (3) & (4)) – No: no DPIA needed; Yes: continue
• Exception? (Art 35(5), (10)) – Yes: no DPIA needed; No: carry out the DPIA (Art 35(7))
• Inputs to the DPIA: advice of the DPO (Art 35(2)); monitor performance (Art 35(2));
code(s) of conduct (Art 35(8)); seek the views of data subjects (Art 35(9))
• Residual high risks? (Art 36(1)) – Yes: prior consultation; No: no prior consultation
• Processing reviewed by the controller (Art 35(11))
15. 15
What does a DPIA address?
A single processing operation or a set of similar processing operations
• A DPIA may concern a single data processing operation.
• However, Article 35(1) states that “a single assessment may address
a set of similar processing operations that present similar high risks”.
• Recital 92 adds that “there are circumstances under which it may be
reasonable and economical for the subject of a data protection
impact assessment to be broader than a single project, for example
where public authorities or bodies intend to establish a common
application or processing platform or where several controllers plan
to introduce a common application or processing environment
across an industry sector or segment or for a widely used horizontal
activity”.
16. 16
What does a DPIA address?
A single processing operation or a set of similar processing operations
• When the processing operation involves joint controllers, they need to define their
respective obligations precisely. Their DPIA should set out which party is
responsible for the various measures designed to treat risks and to protect the
rights of the data subjects.
• A DPIA can also be useful for assessing the data protection impact of a technology
product, for example a piece of hardware or software, where this is likely to be
used by different data controllers to carry out different processing operations. An
example could be the relationship between manufacturers of smart meters and
utility companies.
17. 17
Data Protection Impact Assessment (DPIA) on GDPR
Which processing operations are subject to a DPIA?
• Where a processing is “likely to result in a high risk to the rights and freedoms of natural
persons” (Article 35(1), illustrated by Article 35(3) and complemented by Article 35(4)). It is
particularly relevant when a new data processing technology is being introduced.
• Article 35(3) provides some examples of when processing is “likely to result in high risks”:
• “(a) a systematic and extensive evaluation of personal aspects relating to natural
persons which is based on automated processing, including profiling, and on which
decisions are based that produce legal effects concerning the natural person or similarly
significantly affect the natural person;
• (b) processing on a large scale of special categories of data referred to in Article 9(1), or
of personal data relating to criminal convictions and offences referred to in Article 10;
or
• (c) a systematic monitoring of a publicly accessible area on a large scale”.
18. 18
Data Protection Impact Assessment (DPIA) on GDPR
Criteria for processing operations subject to a DPIA
1. Evaluation or scoring, including profiling and predicting, especially from “aspects concerning
the data subject's performance at work, economic situation, health, personal preferences or
interests, reliability or behavior, location or movements” (recitals 71 and 91)
2. Automated decision-making with legal or similar significant effect: processing that aims at
taking decisions on data subjects producing “legal effects concerning the natural person” or
which “similarly significantly affects the natural person” (Article 35(3)(a))
3. Systematic monitoring: processing used to observe, monitor or control data subjects,
including data collected through “a systematic monitoring of a publicly accessible area”
(Article 35(3)(c))
4. Sensitive data: this includes special categories of data as defined in Article 9 (for example
information about individuals’ political opinions), as well as personal data relating to
criminal convictions or offences.
19. 19
Data Protection Impact Assessment (DPIA) on GDPR
Criteria for processing operations subject to a DPIA
5. Data processed on a large scale: the following factors determine whether the processing is carried out on a large scale:
a. the number of data subjects concerned, either as a specific number or as a proportion
of the relevant population;
b. the volume of data and/or the range of different data items being processed;
c. the duration, or permanence, of the data processing activity;
d. the geographical extent of the processing activity.
6. Datasets that have been matched or combined, for example originating from two or more
data processing operations performed for different purposes and/or by different data
controllers in a way that would exceed the reasonable expectations of the data subject;
7. Data concerning vulnerable data subjects (recital 75): the processing of this type of data can
require a DPIA because of the increased power imbalance between the data subject and the
data controller, meaning the individual may be unable to consent to, or oppose, the
processing of his or her data.
20. 20
Data Protection Impact Assessment (DPIA) on GDPR
Criteria for processing operations subject to a DPIA (cont.)
8. Innovative use or applying technological or organisational solutions, like combining use of
finger print and face recognition for improved physical access control, etc.
9. Data transfer across borders outside the EU (recital 116) – taking into consideration,
amongst others, the envisaged country or countries of destination, the possibility of further
transfers or the likelihood of transfers based on derogations for specific situations set forth
by the GDPR;
10. When the processing in itself “prevents data subjects from exercising a right or using a
service or a contract” (Article 22 and recital 91).
21. 21
Data Protection Impact Assessment (DPIA) on GDPR
Criteria for applying DPIA (Example)
Meeting at least two of these criteria will require a DPIA.
• A hospital processing its patients’ genetic and health data (hospital information
system) – relevant criteria: sensitive data; data concerning vulnerable data subjects –
DPIA required: Yes
• The use of a camera system to monitor driving behavior on highways, where the
controller envisages using an intelligent video analysis system to single out cars and
automatically recognize license plates – relevant criteria: systematic monitoring;
innovative use or applying technological or organisational solutions – DPIA required: Yes
• A company monitoring its employees’ activities, including the monitoring of the
employees’ work station, internet activity, etc. – relevant criteria: systematic
monitoring; data concerning vulnerable data subjects – DPIA required: Yes
• The gathering of public social media profile data to be used by private companies
generating profiles for contact directories – relevant criteria: evaluation or scoring;
data processed on a large scale – DPIA required: Yes
22. 22
Data Protection Impact Assessment (DPIA) on GDPR
Criteria for applying DPIA (Example)
Meeting fewer than two criteria may not require a DPIA.
• An online magazine using a mailing list to send a generic daily digest to its
subscribers – relevant criteria: (none) – DPIA required: No
• An e-commerce website displaying adverts for vintage car parts involving limited
profiling based on past purchase behavior on certain parts of its website – relevant
criteria: evaluation or scoring, but not systematic or extensive – DPIA required: No
23. 23
Data Protection Impact Assessment (DPIA) on GDPR
When isn’t a DPIA required?
A DPIA is not required in the following cases:
• where the processing is not "likely to result in a high risk to the rights and freedoms of
natural persons" (Article 35(1));
• when the nature, scope, context and purposes of the processing are very similar to
processing for which a DPIA has already been carried out. In such cases, the results of the
DPIA for the similar processing can be used (Article 35(1));
• where a processing operation has a legal basis in EU or Member State law, that law
regulates the specific processing operation and states that an initial DPIA does not have
to be carried out, and a DPIA according to the standards of the GDPR has already been
carried out as part of the establishment of that legal basis (Article 35(10));
• where the processing is included on the optional list (established by the supervisory
authority) of processing operations for which no DPIA is required (Article 35(5)).
24. 24
Data Protection Impact Assessment (DPIA) on GDPR
Components of a DPIA
• Recital 90 of the GDPR outlines a number of components of the DPIA
which overlap with well-defined components of risk management (e.g. ISO
31000).
• In risk management terms, a DPIA aims at “managing risks” to the rights
and freedoms of natural persons through the following three processes:
• establishing the context: “taking into account the nature, scope,
context and purposes of the processing and the sources of the risk”;
• assessing the risks: “assess the particular likelihood and severity of the
high risk”;
• treating the risks: “mitigating that risk” and “ensuring the protection
of personal data”, and “demonstrating compliance with this
Regulation”.
25. 25
Data Protection Impact Assessment (DPIA) on GDPR
What is the methodology to carry out a DPIA?
Different methodologies but common criteria.
The GDPR sets out the minimum features of a DPIA (Article 35(7), and recitals
84 and 90):
• “a description of the envisaged processing operations and the purposes of
the processing”;
• “an assessment of the necessity and proportionality of the processing”;
• “an assessment of the risks to the rights and freedoms of data subjects”;
• “the measures envisaged to:
• “address the risks”;
• “demonstrate compliance with this Regulation”.
26. 26
Data Protection Impact Assessment (DPIA)
Security risk management for personal data
Process steps (from the slide's diagram):
1. Definition of the processing operation and its context
2. Understanding and evaluation of impact
3. Definition of possible threats and evaluation of their likelihood
4. Evaluation of risk (combining threat occurrence probability and impact)
5. Select appropriate measures
6. Implement & maintain measures
27. 27
Data Protection Impact Assessment (DPIA)
Definition of the processing operation and its context
• What is the personal data processing operation?
• What are the types of personal data processed?
• What is the purpose of the processing?
• What are the means used for the processing of personal data?
• Where does the processing of personal data take place?
• What are the categories of data subjects?
• Who are the recipients of the data?
28. 28
Data Protection Impact Assessment (DPIA)
Understanding and evaluating impact
• Parameters to consider when evaluating impact:
• Type of personal data
• Criticality of the processing operation
• Volume of personal data processed
• Special characteristics of the data controller/processor
• Special characteristics of the data subjects
• Identifiability of the data subjects.
• Possible secondary effects should also be considered.
29. 29
Data Protection Impact Assessment (DPIA)
Understanding and evaluating impact
• The impact is assessed separately for the loss of confidentiality, integrity
and availability, taking into account the specifics of the personal data
processing.
• Consider all possible cases of unauthorised disclosure, alteration or
destruction and evaluate the impact based on the worst-case scenario.
30. 30
Data Protection Impact Assessment (DPIA)
Levels of impact
• Low – Individuals may encounter a few minor inconveniences, which they will
overcome without any problem (time spent re-entering information,
annoyances, irritations, etc.)
• Medium – Individuals may encounter significant inconveniences, which they will overcome
despite a few difficulties (extra costs, denial of access to business services, fear,
lack of understanding, stress, loss of employment, subpoena, worsening of
health, etc.)
• High – Individuals may encounter significant inconveniences, which they will overcome
albeit with serious difficulties (misappropriation of funds, blacklisting by
financial institutions, property damage, loss of employment, subpoena,
worsening of health, etc.)
• Very High – Individuals may encounter significant, or even irreversible, consequences which
they may not overcome (inability to work, long-term psychological or physical
ailments, death, etc.)
31. 31
Data Protection Impact Assessment (DPIA)
Possible threats (to personal data)
• An attacker injects code into the form of a website, aiming to gain access to
the personal data stored in the system
• An attacker performs a man-in-the-middle attack in order to intercept electronic
communication
• An employee steals personal data files from the internal system
• A hospital’s employee (maliciously or accidentally) changes a critical parameter
in the medical file of a patient
• Due to a power cut, the IT system of the customers’ database is down
• A USB flash drive with personal data files is lost in transit by a contractor
32. 32
Data Protection Impact Assessment (DPIA)
Dimensions of threats (to personal data)
• Network and technical resources (hardware and software)
• Is any part of the processing of personal data performed through the
internet?
• Is it possible to provide access to an internal personal data processing
system through the internet (e.g. for certain users or groups of users)?
• Is the personal data processing system interconnected to another
external or internal (to your organization) IT system or service?
• Can unauthorized individuals easily access the data processing
environment?
• Is the personal data processing system designed, implemented or
maintained without following relevant documented best practices?
33. 33
Data Protection Impact Assessment (DPIA)
Dimensions of threats (to personal data)
• Processes/procedures related to the processing of personal data
• Are the roles and responsibilities with regard to personal data
processing vague or not clearly defined?
• Is the acceptable use of the network, system and physical resources
within the organization ambiguous or not clearly defined?
• Are the employees allowed to bring and use their own devices to
connect to the personal data processing system?
• Are the employees allowed to transfer, store or otherwise process
personal data outside the premises of the organization?
• Can personal data processing activities be performed without log files
being created?
34. 34
Data Protection Impact Assessment (DPIA)
Dimensions of threats (to personal data)
• Parties/persons involved in the processing of personal data
• Is the processing of personal data performed by an undefined number
of employees?
• Is any part of the data processing operation performed by a
contractor/third party (data processor)?
• Are obligations of the parties/persons involved in personal data
processing ambiguous or not clearly stated?
• Is the personnel involved in the processing of personal data unfamiliar
with security matters?
• Do the persons/parties involved in the data processing operation
neglect to securely store and/or destroy personal data?
35. 35
Data Protection Impact Assessment (DPIA)
Dimensions of threats (to personal data)
• Business sector and scale of processing
• Do you consider your business sector as being prone to cyberattacks?
• Has your organization suffered any cyberattack or other type of
security breach over the last two years?
• Have you received notifications and/or complaints with regard to
the security of the IT system (used for the processing of personal data)
over the last year?
• Does your processing operation concern a large volume of individuals
and/or personal data?
• Are there any security best practices specific to your business sector
that have been adequately followed?
36. 36
Data Protection Impact Assessment (DPIA)
Evaluation of threat occurrence probability
Levels of probability
• Low – The threat is unlikely to materialize.
• Medium – It is possible that the threat materializes.
• High – The threat is likely to materialize.
37. 37
Data Protection Impact Assessment (DPIA)
Evaluation of risk
Risk matrix (shown as a diagram on the slide): rows – threat occurrence probability
(Low, Medium, High); columns – impact level (Low, Medium, High/Very High); each cell
rates the resulting risk as Low, Medium or High.
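As an added example (not part of the slides or INOSERV material), the following Python script models the two decisions the deck walks through: whether a DPIA is required under the "at least two criteria" rule of slides 21-22, and how a threat's risk level follows from the worst-case impact on confidentiality, integrity and availability combined with its occurrence probability (slides 29-37). The `Criterion` and `Level` names, the `dpia_required`, `threat_impact`, `risk_level` and `evaluate` functions, the hospital sample operation and its threats are constructed for the example; the slide shows the 3x3 risk matrix only as a legend, so the cell values in `RISK_MATRIX` are an assumed monotone mapping, not the deck's own.

```python
# Added example, not the slides' own material: the criteria, impact and
# probability levels and the "assess C/I/A separately, take the worst case" rule
# follow the deck; the risk-matrix cell values and the sample data are assumptions.
from dataclasses import dataclass
from enum import Enum


class Criterion(Enum):
    """The ten criteria for processing operations subject to a DPIA (slides 18-20)."""
    EVALUATION_OR_SCORING = 1
    AUTOMATED_DECISION = 2
    SYSTEMATIC_MONITORING = 3
    SENSITIVE_DATA = 4
    LARGE_SCALE = 5
    MATCHED_DATASETS = 6
    VULNERABLE_SUBJECTS = 7
    INNOVATIVE_USE = 8
    CROSS_BORDER_TRANSFER = 9
    PREVENTS_RIGHT = 10


def dpia_required(criteria, threshold=2):
    """Rule from slides 21-22: meeting at least two criteria requires a DPIA."""
    return len(set(criteria)) >= threshold


class Level(Enum):
    """Ordered impact/probability/risk levels; the value lets max() pick the worst."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4


def impact_column(level):
    """The matrix has a single column for High and Very High impact (slide 37)."""
    return Level.HIGH if level is Level.VERY_HIGH else level


# ASSUMPTION: the slide shows the 3x3 matrix only as a legend; these cell values
# are an illustrative monotone mapping keyed by (probability, impact column).
RISK_MATRIX = {
    (Level.LOW, Level.LOW): Level.LOW,
    (Level.LOW, Level.MEDIUM): Level.LOW,
    (Level.LOW, Level.HIGH): Level.MEDIUM,
    (Level.MEDIUM, Level.LOW): Level.LOW,
    (Level.MEDIUM, Level.MEDIUM): Level.MEDIUM,
    (Level.MEDIUM, Level.HIGH): Level.HIGH,
    (Level.HIGH, Level.LOW): Level.MEDIUM,
    (Level.HIGH, Level.MEDIUM): Level.HIGH,
    (Level.HIGH, Level.HIGH): Level.HIGH,
}


@dataclass(frozen=True)
class ProcessingOperation:
    criteria: frozenset  # subset of Criterion
    # Impact per dimension (confidentiality, integrity, availability), each already
    # the worst case of disclosure, alteration or destruction (slide 29).
    impact: dict


@dataclass(frozen=True)
class Threat:
    description: str
    affects: frozenset   # dimensions the threat can harm
    probability: Level   # LOW / MEDIUM / HIGH (slide 36)


def threat_impact(op, threat):
    """Worst-case impact across the dimensions this threat can harm."""
    return max((op.impact[d] for d in threat.affects), key=lambda lv: lv.value)

def risk_level(op, threat):
    """Combine occurrence probability and impact through the matrix (slide 37)."""
    return RISK_MATRIX[(threat.probability, impact_column(threat_impact(op, threat)))]

def evaluate(op, threats):
    """Risk level per threat, keyed by the threat description."""
    return {t.description: risk_level(op, t) for t in threats}


# Constructed sample: a hospital information system, as in slide 21's first row.
HOSPITAL = ProcessingOperation(
    criteria=frozenset({Criterion.SENSITIVE_DATA, Criterion.VULNERABLE_SUBJECTS}),
    impact={"confidentiality": Level.VERY_HIGH, "integrity": Level.VERY_HIGH,
            "availability": Level.HIGH},
)
# Constructed threats in the spirit of slide 31; the probabilities are assumed.
HOSPITAL_THREATS = [
    Threat("employee changes a critical parameter in a medical file",
           frozenset({"integrity"}), Level.MEDIUM),
    Threat("power cut takes the database down", frozenset({"availability"}), Level.LOW),
    Threat("USB drive with patient files lost in transit by a contractor",
           frozenset({"confidentiality", "availability"}), Level.HIGH),
]

if __name__ == "__main__":
    print("DPIA required:", dpia_required(HOSPITAL.criteria))
    for description, risk in evaluate(HOSPITAL, HOSPITAL_THREATS).items():
        print(f"{risk.name:<7} {description}")
```

Because the matrix is a plain dictionary, an organization can swap in the cell values from its own methodology without touching the evaluation logic; the worst-case rule is what makes a threat that only touches availability still inherit a High/Very High impact column when the operation's availability impact is rated that way.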
38. 38
Data Protection Impact Assessment (DPIA)
Select appropriate measures
• Following the evaluation of the risk level, the organization can proceed
with the selection of appropriate security measures for the protection of
the personal data;
• Two main categories of measures are presented:
• Organizational
• Technical
• Depending on the context of the personal data processing, the
organization can consider adopting additional sector-specific measures, as
well as specific regulatory obligations (example: ePrivacy Directive or NIS
Directive).
39. 39
Organizational Security Measures
Select appropriate measures
Security measure – ISO/IEC 27001 security control
• Security policy and procedures for the protection of personal data – A.5 Security policy
• Roles and responsibilities – A.6.1.1 Information security roles and responsibilities
• Access control policy – A.9.1.1 Access control policy
• Resource/asset management – A.8 Asset management
• Change management – A.12.1 Operational procedures and responsibilities
• Data processors – A.15 Supplier relationships
• Incident response and business continuity – A.16 Information security incident management
• Business continuity – A.17 Information security aspects of business continuity management
• Confidentiality of personnel – A.7 Human resource security
• Training – A.7.2.2 Information security awareness, education and training
40. 40
Technical Security Measures
Select appropriate measures
Security measure – ISO/IEC 27001 security control
• Access control and authentication – A.9 Access control
• Logging and monitoring – A.12.4 Logging and monitoring
• Server/database security – A.12 Operations security
• Workstation security – A.14.1 Security requirements of information systems
• Network/communications security – A.13 Communications security
• Back-ups – A.12.3 Back-up
• Mobile/portable devices – A.6.2 Mobile devices and teleworking
• Application lifecycle security – A.12.6 Technical vulnerability management;
A.14.2 Security in development and support processes
• Data deletion/disposal – A.8.2 Disposal of media; A.12.7 Secure disposal or re-use of equipment
• Physical security – A.11 Physical and environmental security
41. 41
Data Protection Impact Assessment (DPIA)
Implement & maintain measures
• Prioritise and plan the implementation of the selected security
measures, identifying accountability, responsibility, deadlines and
effectiveness criteria;
• Design security performance indicators and implement a Performance
Management System with operational and strategic dashboards;
• Monitor, measure, analyze and evaluate security measures;
• Conduct internal audits and penetration tests;
• Conduct management reviews;
• Establish and plan improvements based on management reviews.
43. 43
Conclusions
• The GDPR provisions go beyond the mere adoption of specific security
measures, supporting the establishment of a complete ISMS for the
protection of confidentiality, integrity, availability and resilience of
personal data.
• To comply with the GDPR and avoid fines, organizations should:
• carry out a Data Protection Impact Assessment (DPIA);
• evaluate the risk and implement the security (organizational and
technical) measures to mitigate the risk;
• monitor, measure, analyse and evaluate the effectiveness of the security
measures implemented.