4/16/2020
General Data Protection Regulation (GDPR) Webinar 4: Data Protection Impact Assessment
Richard Cascarino CISM, CIA, ACFE, CRMA
About Jim Kaplan, CIA, CFE
• President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)
• Auditor, Web Site Guru
• Internet for Auditors Pioneer
• IIA Bradford Cadmus Memorial Award Recipient
• Local Government Auditor’s Lifetime Award
• Author of “The Auditor’s Guide to Internet Resources” 2nd Edition
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and features:
  • Over 3,100 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices
  • Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users.
  • Audit guides, manuals, and books on audit basics and using audit technology
  • LinkedIn Networking Groups
  • Monthly Newsletters with Expert Guest Columnists
  • Surveys on timely topics for internal auditors
Introductions
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive CPE as the confirmation login is linked to a specific individual
• This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join link.
• We are recording the webinar and you will be provided access to that recording after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
• If you meet the criteria for earning CPE you will receive a link via email to download your certificate. The official email for CPE will be issued via NoReply@gensend.io and it is important to whitelist this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated if you did not receive the first mailing.
• Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
• You must answer the survey questions after the Webinar or before downloading your certificate.
IMPORTANT INFORMATION REGARDING CPE!
• ATTENDEES - If you attend the entire Webinar and meet the criteria for CPE you will receive an email with the link to download your CPE certificate. The official email for CPE will be issued via NoReply@gensend.io and it is important to whitelist this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated after the initial distribution.
• We cannot manually generate a CPE certificate as these are handled by our 3rd party provider. We highly recommend that you work with your IT department to identify and correct any email delivery issues prior to attending the Webinar. Issues would include blocks or spam filters in your email system or a firewall that will redirect or not allow delivery of this email from Gensend.io
• You must opt-in for our mailing list. If you indicate you do not want to receive our emails, your registration will be cancelled and you will not be able to attend the Webinar.
• We are not responsible for any connection, audio or other computer related issues. You must have pop-ups enabled on your computer, otherwise you will not be able to answer the polling questions which occur approximately every 20 minutes. We suggest that if you have any pressing issues to see to that you do so immediately after a polling question.
The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® LLC. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet® LLC
ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino & Associates based in Colorado USA
• Over 28 years’ experience in IT audit training and consultancy
• Past President of the Institute of Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified Fraud Examiners
• Author of Data Analytics for Internal Auditors
TODAY’S AGENDA
• How to perform a data protection impact assessment (DPIA)
• The role of the data protection officer (DPO)
• Transferring personal data outside the EU
PRIVACY IMPACT ASSESSMENT
• “An evaluation conducted to assess how the adoption of new information policies, the procurement of new computer systems, or the initiation of new data collection programs will affect individual privacy” [cf. A.M. Green, Yale, 2004]
• Considering privacy issues at the early stages of a project cycle reduces potential adverse impacts on privacy after it has been implemented
• To be effective:
  • The DPIA process should be independent
  • The DPIA should be performed by an independent entity (office and/or commissioner) not linked to the project under review
RISK OF NOT DOING A DPIA
• The need to redesign all or major parts of the system/project
• Collapse of the project due to adverse publicity
• Loss of trust or reputation
• Breach of data protection legislation and significant fines
• Subsequent regulatory action by the Information Commissioner’s Office (ICO) as a result of complaints received from data subjects
• Individuals subjected to fraud, identity theft and distress
• Legal action taken by individuals to sue the organization
DO I NEED TO CARRY OUT A DPIA?
• When you plan to:
  • Embark on a new project involving the collection of personal data
  • Introduce new IT systems for storing, accessing or otherwise using personal information
  • Participate in a new data-sharing initiative with other organizations
  • Create new policies that affect individuals
  • Initiate actions based on a policy of identifying particular demographics
  • Use existing data for a “new and unexpected or more intrusive purpose”
• Prior to outsourcing any type of processing to a service provider
EXISTING SYSTEMS OR ACTIVITIES
• If an existing activity or system that processes personal data might have intrinsic risks and no DPIA was done at the design stage:
  • Processing of special category personal data
  • Processing of financial data
  • Using external software
  • Using a surveillance system
  • Processing data that, if disclosed, could lead to discrimination or other harm
  • Processing data that, if disclosed, could lead to loss of reputation for data subjects or corporation
• Review an existing system or activity if there are any concerns about privacy intrusion or security vulnerabilities
WHERE DO WE START
• Do we need a DPIA?
• Description of Activity
  • How is the information collected, stored, used and deleted?
  • What information is used?
  • What is it used for?
  • Who will have access to it?
• Compliance with Privacy Laws
• Screening
• Risk Identification
THE PROCESS
• Planning and Mobilization
  • Set up the team, finalize the scope
  • Determine what resources are needed
  • Identify process owners and stakeholders, establish consultation plan
• Perform the Assessment
  • Consult stakeholders, analyze risks and legal gaps, create risk map
  • Determine necessary controls and remediation measures to address legal gaps and risks
  • Create risk management plan, get sign off
• Implement the control framework
  • Deploy risk management controls
  • Address legal gaps through remediation measures
  • Monitor and evaluate on a regular basis
AUTOMATED PERFORMANCE TOOLS
• OneTrust
  • Maintain Ongoing, Scalable Records to Demonstrate Global Privacy Compliance
  • Integrate Privacy by Design into Existing Processes
  • Sharing Project Assessments Externally
• CENTRL's Privacy360
  • Automate the full assessment process
  • Use standard assessment templates or upload proprietary ones
  • Track issues and manage process to remediation
  • Reporting and analytics
• Vigilant Software
  • Identify data security risks and determine the likelihood of their occurrence and impact.
  • Easily review and update DPIAs when changes in processing activities occur.
  • Share DPIA findings with stakeholders and data processors.
  • Demonstrate that appropriate measures have been taken to comply with the requirements of the GDPR.
RISK ASSESSMENT
• Absolute risk – the maximum potential exposure data has to a specific risk, i.e. the exposure before controls are applied
  • The personal data being processed should be categorized according to its potential to cause damage
• Mitigation of risk
  • A description of the measures that address the absolute risk and reduce it to a residual risk
  • Should indicate how the technical measures comply with the principles of the GDPR
• Proportionality
  • Is the data over-collected and over-retained with respect to its original purpose?
  • Is it in line with the corporate risk appetite?
RISK CLASSIFICATION
• Inherent Risk
  • The pure risk as part of the nature of the activity
• Control Risk
  • The risk that an established control will fail to function as intended
• Detection Risk
  • The risk of management and/or auditors failing to detect a risk
• Planning Risk
  • The risk of the managers and/or auditors choosing the wrong plan
• Residual Risk
  • The risk remaining after all controls are in place and effective
RISK ANALYSIS
(Figure: risk analysis chart labelled Opportunity, Hazard, Uncertainty; Compliance and Prevention, Operating Performance, Strategic Initiatives; Internal Auditor, Manager, Director, CEO.)
SELECTING CONTROLS FOR MONITORING
Tools to evaluate controls
(Figure: application control cube labelled IT areas, Components, Threats, Adequate, Inadequate.)
DEVELOPED FROM THE FITZGERALD MATRIX APPROACH
• Jerry FitzGerald CDP, CISA
• Used to identify high-impact areas for auditing
• Looks at systems via their components and threats:
  • Threat identification
  • Threat evaluation
  • Control identification
  • Control evaluation
  • Audit work selection
  • Recommendation formulation
• Allows the use of nested matrices
STEPS IN THE MATRIX APPROACH
1. Identify the components and threats in a given audit unit
2. Rank the components and threats
3. Create the control matrix identifying the high-risk quartile and the low-risk quartile
4. Identify controls known / believed to be in place
5. Evaluate the effectiveness and cost/benefits of the systems of internal control
6. Make recommendations where controls are deemed to be inadequate
7. Test key controls to ensure their effectiveness
8. Re-evaluate based on known control effectiveness and make recommendations where appropriate
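Steps 1 to 6 of the matrix approach, together with the absolute-versus-residual risk distinction from the risk assessment slide, worked through as an added Python example. This is not code from the webinar or from FitzGerald's published method: the payroll-system components, threats, rankings and controls are constructed, and the scoring rule (component rank times threat rank), the quartile cut-off rule and the control-effectiveness figures are this example's own assumptions. It goes slightly beyond the slides by carrying the absolute risk through the known control to a residual figure and flagging the high-risk cells that remain inadequately covered.

```python
"""Control-matrix exercise in the FitzGerald style (added example, constructed data)."""
from dataclasses import dataclass
from math import ceil
from typing import Dict, List, Optional, Tuple

# Steps 1 and 2: components and threats of the audit unit (a hypothetical
# payroll system), each ranked 1 (low) to 5 (high). Constructed values.
COMPONENTS: Dict[str, int] = {
    "payroll database": 5,
    "employee self-service portal": 4,
    "backup media": 3,
    "management reporting tool": 2,
}
THREATS: Dict[str, int] = {
    "unauthorised disclosure": 5,
    "unauthorised modification": 4,
    "loss of availability": 3,
    "erroneous input": 2,
}

# Step 4: controls known or believed to be in place, keyed by (component, threat).
# The second value is the assessed share of the absolute risk the control removes
# (constructed, 0.0 to 1.0). Cells with no entry have no known control.
CONTROLS: Dict[Tuple[str, str], Tuple[str, float]] = {
    ("payroll database", "unauthorised disclosure"): ("column encryption and role-based access", 0.8),
    ("payroll database", "unauthorised modification"): ("change approval workflow", 0.3),
    ("employee self-service portal", "unauthorised disclosure"): ("multi-factor authentication", 0.7),
    ("backup media", "unauthorised disclosure"): ("encrypted backups", 0.9),
}


@dataclass
class Cell:
    component: str
    threat: str
    absolute_risk: int           # exposure before controls (component rank x threat rank)
    band: str                    # "high", "middle" or "low" quartile of the matrix
    control: Optional[str]
    residual_risk: float         # exposure remaining after the known control
    recommendation: Optional[str]


def absolute_risk(component: str, threat: str) -> int:
    """Assumed scoring rule: the product of the two rankings."""
    return COMPONENTS[component] * THREATS[threat]


def quartile_cutoffs(scores: List[int]) -> Tuple[int, int]:
    """Return (low_cutoff, high_cutoff) for step 3.

    With k = ceil(cells / 4), the high-risk quartile is every cell scoring at least
    the k-th highest score and the low-risk quartile every cell scoring at most the
    k-th lowest; ties on the boundary are included rather than split arbitrarily.
    """
    k = ceil(len(scores) / 4)
    ordered = sorted(scores)
    return ordered[k - 1], ordered[-k]


def build_control_matrix(controls: Dict[Tuple[str, str], Tuple[str, float]] = CONTROLS) -> List[Cell]:
    """Steps 3 to 6: score every component/threat pair, band it, apply the known
    control and recommend action where a high-risk cell is left inadequately covered."""
    pairs = [(c, t) for c in COMPONENTS for t in THREATS]
    scores = [absolute_risk(c, t) for c, t in pairs]
    low_cut, high_cut = quartile_cutoffs(scores)
    cells: List[Cell] = []
    for (component, threat), score in zip(pairs, scores):
        if score >= high_cut:
            band = "high"
        elif score <= low_cut:
            band = "low"
        else:
            band = "middle"
        name, effectiveness = controls.get((component, threat), (None, 0.0))
        residual = score * (1.0 - effectiveness)
        recommendation = None
        # Assumed adequacy test: a high-risk cell is adequately controlled only if
        # its residual risk falls to the low-risk band.
        if band == "high" and residual > low_cut:
            recommendation = "introduce a control" if name is None else f"strengthen '{name}'"
        cells.append(Cell(component, threat, score, band, name, residual, recommendation))
    # Present the matrix from highest to lowest absolute risk.
    return sorted(cells, key=lambda cell: cell.absolute_risk, reverse=True)


def recommendations(cells: List[Cell]) -> List[Tuple[str, str, str]]:
    """Step 6 output: (component, threat, recommendation) for inadequately controlled cells."""
    return [(c.component, c.threat, c.recommendation) for c in cells if c.recommendation]


if __name__ == "__main__":
    matrix = build_control_matrix()
    for cell in matrix:
        print(f"{cell.band:6} {cell.absolute_risk:3} -> {cell.residual_risk:5.1f}  "
              f"{cell.component} / {cell.threat}  [{cell.control or 'no known control'}]")
    for component, threat, action in recommendations(matrix):
        print(f"RECOMMEND: {action} for {component} / {threat}")
```

Run as a script it prints the sixteen cells ranked by absolute risk with their band and residual figure, then the two recommendations (no control on the portal against unauthorised modification; the change-approval workflow on the payroll database too weak to bring a score of 20 into the low band). Steps 7 and 8 are where an auditor tests the key controls and feeds the measured effectiveness back into the `CONTROLS` table before re-running the matrix.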
DATA PROTECTION PRINCIPLES
• Data processed lawfully, fairly and in a transparent manner ('lawfulness, fairness and transparency')
  • The inclusion of the principle of transparency is a new provision within the GDPR.
• Data obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • GDPR provisions include processing for public interest and/or scientific purposes, widening the scope for further processing. Archiving, scientific / historical research or statistical purposes would not be seen as incompatible with this purpose. However, there would be a need to consider pseudonymising the data.
• Data processed is adequate, relevant and limited to what is necessary
• Data is accurate and, where necessary, kept up to date
  • Rights for individuals in the GDPR, e.g. data erasure, data correction etc., will impact on this principle
• Data should not be kept longer than is necessary for the purpose
  • GDPR expands the list of exceptions permitting the storage of data for longer periods where the data is being processed for archiving purposes in the public interest and/or scientific purposes, and in addition for statistical or historical purposes.
• Appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction
CONTINUOUS MONITORING
• Continuous Risk Management
  • Risk Assessment and Security Planning Policies & Procedures
  • Risk Analysis as part of the development cycle
  • Periodic Risk Assessments
• Risk Mitigation
  • Vulnerability scanning
  • Patching
  • Incident response coordination
  • Feedback loop with installed base
DPO
• DPO requirement applies to both controllers and processors
• No exception for small or medium-sized companies, but risk-based approach
• The GDPR requires the appointment of a DPO in three cases:
  1. Public authorities or bodies (except courts)
  2. Private companies where the “core activities” consist of:
    a) processing operations which require “regular and systematic monitoring” of data subjects “on a large scale”
    b) “large scale” processing of sensitive data or data relating to criminal convictions and offences
ROLE OF THE DPO
• Enabling compliance with the GDPR
• Fostering a data protection culture within the organization
• Not personally responsible for non-compliance.
SOURCING THE DPO
• Single DPO if easily accessible from each establishment
• Full-time or part-time employee
• Consultant / Outsource under contract
• Single role or part of another role
• A supporting team around the DPO
• No conflict of interest
  • No position within the organization that leads them to determine the purposes and the means of the processing of personal data
    • chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of HR, head of IT
INDEPENDENCE
• Data controllers or processors should:
  • Identify positions which would be incompatible with the DPO function;
  • Draw up internal rules to avoid “conflicts of interests;”
  • Formally declare via internal & external comms & in policy documentation that the DPO has no conflict of interests with regard to function as a DPO, as a way of raising awareness of this requirement;
  • Include safeguards within the organization’s internal rules and ensure that the publicly-posted DPO job description or the services contract for an External DPO is sufficiently precise and detailed in order to avoid a conflict of interests.
INDEPENDENT REPORTING LINE
• Chief Compliance Officer;
• Audit team
• Report directly to the CEO, COO, Board, etc.
• External contractor (i.e., outside consultant or counsel) reporting to a C-level officer or the Board
• Other reporting line without conflicts
EXPERTISE REQUIRED
• Integrity and high professional ethics
• Expertise in national and European data protection laws and practices
• In-depth understanding of GDPR
• Knowledge of the business sector and of the organization of the controller
• Knowledge of the administrative rules and procedures of the organization
• Autonomy - Does not receive any instructions regarding the exercise of their tasks
• Not be dismissed or penalized by the controller (or the processor) for performing their tasks
WP29 SPECIFIES
• Level of Expertise: It is essential that the DPO understand how to build, implement, & manage data protection programs.
  • The more complex or high-risk the data processing activities are, the greater the expertise the DPO will need.
• Professional Qualities: DPOs need not be lawyers, but they must have expertise in member state and European data protection law, including an in-depth knowledge of the GDPR
  • DPOs must also have a reasonable understanding of the organization's technical and organizational structure and be familiar with information technologies and data security
  • In the case of a public authority or body, the DPO should have sound knowledge of its administrative rules & procedures
ROLE COMPARISON
CISO
• Responsible for securing global corporate infrastructure, applications, IP, & personal data
• Support CPO (Chief Privacy Officer) by answering security questions
• Responsible for implementation of appropriate technical & organizational measures to ensure a level of security appropriate to risk
• Responsible for ensuring the security of the systems and transactions with respect to the rights of data subjects
DPO
• Responsible for oversight of EU privacy, data protection, & security compliance
• Advise CPO on when a DPIA is necessary & the risk-based methodology to use; review risks identified by DPIA for GDPR compliance
• Advise the CPO & CISO on meeting GDPR documentation requirements, mitigating security controls, whether controls have been accurately carried out
• Advise the organization on whether it is appropriately respecting the rights of data subjects
TASKS OF THE DPO
• Advisory role
  • The controller, the processor and their employees
• Monitoring compliance
  • With GDPR and other data protection legislation, but also internal policies
• Inform and advise on data protection impact assessments and monitor performance (upon request)
• Cooperate with supervisory authorities (“SAs”)
• Contact point for SAs and data subjects
  • Contact details of the DPO shall be published and communicated to the SA
• Serve as a privacy contact
  • Data subjects’ rights, withdrawal of consent, right to be forgotten etc.
THE NEW DPO
• Get familiar with the processing activities and existing rules and processes
• Understand the scope of your tasks and responsibilities
  • Statutory tasks versus optional tasks (for instance, maintaining the record of processing activities)
• Identify key issues and contact persons
• Identify budget and other resource requirements
• Draw up a work plan and prioritize
• Regularly attend relevant meetings and speak to employees and senior management (in some countries Works Councils are important)
• Regularly report to senior management
• Keep up to date (training)
TRANSFERRING PERSONAL DATA OUTSIDE THE EU
• Article 2(g): “recipient” shall mean a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients
• Generally, the GDPR restricts transfers of personal data to countries outside the EEA. These restrictions apply to all transfers, no matter the size of the transfer or how often you carry them out
• Article 44: General principle for transfers
  • Any transfer of personal data by a controller or processor shall take place only if certain conditions are complied with:
    a. Transfers on the basis of adequacy;
    b. Transfers subject to the appropriate safeguards;
    c. Binding corporate rules apply.
ADEQUACY
Transfers on the basis of adequacy
• A transfer may take place where there is an adequate level of protection
• The adequacy criteria:
  – the rule of law;
  – respect for human rights and fundamental freedoms;
  – relevant legislation, both general and sectoral, including that concerning:
    • public security
    • defense
    • national security
    • criminal law
SUBJECT TO APPROPRIATE SAFEGUARDS
• Legally binding agreement between public authorities or bodies
• Standard data protection clauses in the form of template transfer clauses adopted by the Commission
• Standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission
• Compliance with a code of conduct approved by a supervisory authority
• Certification under an approved certification mechanism as provided for in the GDPR
• Contractual clauses authorized by the competent supervisory authority
• Provisions inserted into administrative arrangements between public authorities or bodies, authorized by the competent supervisory authority
DEROGATIONS (EXEMPTIONS)
• Made with the individual’s informed consent
• Necessary for the performance of a contract between the individual and the organization or for pre-contractual steps taken at the individual’s request
• Necessary for the performance of a contract made in the interests of the individual between the controller and another person
• Necessary for important reasons of public interest
• Necessary for the establishment, exercise or defense of legal claims
• Necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent
• Made from a register which under UK or EU law is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register)
BINDING CORPORATE RULES
• Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of the EEA
• Applicants must demonstrate that their BCRs put in place adequate safeguards for protecting personal data throughout the organization
• Existing model BCRs are Data Protection Directive (DPD)-related
PRIVACY SHIELD (USA ONLY)
• The decision on the EU-U.S. Privacy Shield was adopted by the European Commission on 12 July, 2016
• Commercial sector
  • Strong obligations on companies and robust enforcement
• U.S. Government access
  • Clear safeguards and transparency obligations
• Redress
  • Directly with the company
  • With the data protection authority
  • Privacy Shield panel
• Monitoring
  • Annual joint review mechanism between the US Department of Commerce and the EU Commission
SAFE HARBOR
• Safe Harbor was a transfer mechanism negotiated between the Commission and the U.S. Department of Commerce (DOC) that for years was the basis for a Commission adequacy decision finding that the U.S. provided an “adequate level of protection.”
• More than 4,000 American companies relied on it to legitimize their transatlantic data transfers
• Following the Snowden revelations, Safe Harbor fell under criticism as not providing sufficient protection against U.S. surveillance
SAFE HARBOR vs PRIVACY SHIELD
• The Privacy Shield Framework was deemed adequate by the European Commission
• Participating organizations are deemed to provide “adequate” privacy protection
• Compliance requirements of the Privacy Shield Framework are clearly laid out and can be implemented by small and medium-sized enterprises
• Privacy Shield supersedes Safe Harbor (mutually exclusive)
• Withdrawal from Safe Harbor requires recertification from Privacy Shield
• NB: Privacy Shield reflects DPD, not GDPR
PRIVACY SHIELD CHANGES
1. Notice
2. Choice
3. Enhanced Redress for Data Subjects
4. Onward C2C Transfers
5. C2P Transfers and Vendor Management
6. Verification
7. Ongoing Obligations
NOTICE
• Companies must provide “clear and conspicuous” privacy policies that contain at least 13 enumerated items of information about the company, its data processing, and the consumer’s rights under Privacy Shield. (For comparison, Safe Harbor only required four items to be disclosed in privacy notices.)
• In practice, this will require process mapping, gap assessments, and updates to privacy notices.
CHOICE
• Companies must give individuals an opt-out any time they intend to use data for a purpose that is “materially different” than the purposes for which the data was collected
• Also, any time companies intend to transfer or use “sensitive data” for new and different purposes (e.g., data about race, ethnicity, medical conditions, religious beliefs, or sex life), they must first obtain opt-in consent from users
• The Choice principle will require process mapping to determine in-scope data, designate authorized uses, and assess gaps in existing opt-out mechanisms
ENHANCED REDRESS FOR DATA SUBJECTS
• Individuals are entitled to lodge a complaint directly with the company responsible for their data
  • The company must respond within 45 days.
• Companies are obligated to designate and cooperate with an “independent recourse mechanism” (basically a mediation provider)
  • Companies must inform consumers of who the mediation provider is and ensure that consumers can lodge complaints (and participate in mediation) free of charge
• Individual EU citizens can lodge complaints against Privacy Shield companies directly with their local DPAs
  • The DPA will forward complaints to the DOC, which will investigate them at no cost to the individual
• After attempting all three of the above mechanisms, individuals can invoke a special Privacy-Shield-specific arbitration procedure
  • Privacy Shield companies are bound by the results of the arbitration
• Alternatively, U.S. companies can elect to work directly with European DPAs in resolving consumer complaints (binding)
ONWARD C2C TRANSFERS
• In order to transfer data to another company acting as a controller, Privacy Shield requires companies to:
  • Inform individuals about the “type or identity” of the data recipient and the purposes of the transfer
  • Give individuals an opportunity to opt out of the transfer
  • Enter a written agreement with the recipient obligating it to maintain “the same level of protection” required by Privacy Shield
C2P TRANSFERS AND VENDOR MANAGEMENT
• Privacy Shield requires written contracts as the basis for any relationship with a processor
• This will generally require businesses to engage in a contract and/or vendor management program for outsourced processing activities
• As part of managing contractual relationships, Privacy Shield requires both due diligence and auditing of vendors.
• Notably, Privacy Shield contains a new liability rule ensuring that its Principles flow through to vendors
  • Privacy Shield organizations are presumed liable for any violation of the Privacy Shield Principles committed by their vendors
VERIFICATION
• While Safe Harbor gave companies the option of conducting compliance audits, Privacy Shield now mandates that organizations annually verify that they are in compliance with Privacy Shield Principles and that their published privacy policies are accurate
• Privacy Shield permits organizations to do so through self-assessment or third-party audits
• If self-assessing, an officer’s signed certification will be required and can be demanded by the FTC or DOC at any time
ONGOING OBLIGATIONS
• Any organization that receives personal data under Privacy Shield must apply the Privacy Shield Principles to that information for as long as the organization retains it
  • Even if the organization stops participating in (or is removed from) the Privacy Shield program
• There is a possibility the Commission may insert a Data Retention Principle into the Privacy Shield decision that would require organizations to delete EU data after a specified time
• Either way, organizations will need to map their data flows and implement compliance systems for Privacy Shield data
SELF CERTIFICATION
• The information that an organization must provide during the self-certification process includes:
  • Organization information:
    • Company name
    • Address
    • Contact
  • Mechanism to investigate complaints
  • Description of privacy policy
• The following URL must be included in an organization’s privacy policy to meet the Framework requirement: https://www.privacyshield.gov
THE CLOUD
• The Cloud is not automatically territorially limited
• Any transfer of personal data by a controller or processor shall take place only if certain conditions are complied with:
  • Transfers on the basis of adequacy
  • Transfers subject to the appropriate safeguards
  • Binding corporate rules apply
• All provisions shall be applied to ensure the protection of natural persons is not undermined
  • To countries with similar data protection regulations
• Cloud providers are a key risk area
  • Highest penalties apply to breaches of these provisions
• Cloud providers need to ensure they are able to differentiate their EU and non-EU provision and provide clarity to data subjects and controllers
QUESTIONS?
Any Questions? Don’t be Shy!
AUDITNET® AND CRISK ACADEMY
• If you would like forever access to this webinar recording
• If you are watching the recording, and would like to obtain CPE credit for this webinar
• Previous AuditNet® webinars are also available on-demand for CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a discount on this webinar for one week
THANK YOU!
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email: info@auditnet.org
www.auditnet.org
Follow Me on Twitter for Special Offers - @auditnet
Join my LinkedIn Group – https://www.linkedin.com/groups/44252/
Like my Facebook business page https://www.facebook.com/pg/AuditNetLLC
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino

Implementing and Auditing General Data Protection Regulation
 
Focused agile audit planning using analytics
Focused agile audit planning using analyticsFocused agile audit planning using analytics
Focused agile audit planning using analytics
 
General Data Protection Regulation for Auditors 5 of 10
General Data Protection Regulation for Auditors 5 of 10General Data Protection Regulation for Auditors 5 of 10
General Data Protection Regulation for Auditors 5 of 10
 
Tracking down outliers
Tracking down outliersTracking down outliers
Tracking down outliers
 
Implementing and Auditing GDPR Series (9 of 10)
Implementing and Auditing GDPR Series (9 of 10) Implementing and Auditing GDPR Series (9 of 10)
Implementing and Auditing GDPR Series (9 of 10)
 
Auditing Social Media
Auditing Social MediaAuditing Social Media
Auditing Social Media
 
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
 
GDPR: Threat or Opportunity?
GDPR: Threat or Opportunity?GDPR: Threat or Opportunity?
GDPR: Threat or Opportunity?
 
Data breach presentation
Data breach presentationData breach presentation
Data breach presentation
 
Defensible cybersecurity-jan-25th-
Defensible cybersecurity-jan-25th-Defensible cybersecurity-jan-25th-
Defensible cybersecurity-jan-25th-
 
Protecting Your Business From Cyber Risks
Protecting Your Business From Cyber RisksProtecting Your Business From Cyber Risks
Protecting Your Business From Cyber Risks
 
Fraud auditing creative techniques
Fraud auditing creative techniquesFraud auditing creative techniques
Fraud auditing creative techniques
 
GDPR & the Travel Industry: Practical recommendations for holiday rental owners
GDPR & the Travel Industry: Practical recommendations for holiday rental ownersGDPR & the Travel Industry: Practical recommendations for holiday rental owners
GDPR & the Travel Industry: Practical recommendations for holiday rental owners
 
GDPR: how IT works
GDPR: how IT worksGDPR: how IT works
GDPR: how IT works
 
The GDPR Most Wanted: The Marketer and Analyst's Role in Compliance
The GDPR Most Wanted: The Marketer and Analyst's Role in ComplianceThe GDPR Most Wanted: The Marketer and Analyst's Role in Compliance
The GDPR Most Wanted: The Marketer and Analyst's Role in Compliance
 
Teradata's approach to addressing GDPR
Teradata's approach to addressing GDPRTeradata's approach to addressing GDPR
Teradata's approach to addressing GDPR
 

Similar a GDPR Data Protection Impact Assessment Webinar

General Data Protection Regulation Webinar 6
General Data Protection Regulation Webinar 6 General Data Protection Regulation Webinar 6
General Data Protection Regulation Webinar 6 Jim Kaplan CIA CFE
 
Cybersecurity Series - Cyber Defense for Internal Auditors
Cybersecurity Series - Cyber Defense for Internal AuditorsCybersecurity Series - Cyber Defense for Internal Auditors
Cybersecurity Series - Cyber Defense for Internal AuditorsJim Kaplan CIA CFE
 
How to data mine your print reports
How to data mine your print reports How to data mine your print reports
How to data mine your print reports Jim Kaplan CIA CFE
 
Structuring your organization for success with data analytics
Structuring your organization for success with data analytics Structuring your organization for success with data analytics
Structuring your organization for success with data analytics Jim Kaplan CIA CFE
 
Are You a Smart CAAT or a Copy CAAT
Are You a Smart CAAT or a Copy CAATAre You a Smart CAAT or a Copy CAAT
Are You a Smart CAAT or a Copy CAATJim Kaplan CIA CFE
 
Audit analytics and the agile auditor
Audit analytics and the agile auditorAudit analytics and the agile auditor
Audit analytics and the agile auditorJim Kaplan CIA CFE
 
mplementing and Auditing GDPR Series (10 of 10)
mplementing and Auditing GDPR Series (10 of 10) mplementing and Auditing GDPR Series (10 of 10)
mplementing and Auditing GDPR Series (10 of 10) Jim Kaplan CIA CFE
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of samplingHow analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of samplingJim Kaplan CIA CFE
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling Jim Kaplan CIA CFE
 
How to prepare for your first anti fraud review
How to prepare for your first anti fraud reviewHow to prepare for your first anti fraud review
How to prepare for your first anti fraud reviewJim Kaplan CIA CFE
 
Retrospective data analytics slides
Retrospective data analytics slidesRetrospective data analytics slides
Retrospective data analytics slidesJim Kaplan CIA CFE
 
Internal Audit's Role in Ethics, Governance, & Culture
Internal Audit's Role in Ethics, Governance, & CultureInternal Audit's Role in Ethics, Governance, & Culture
Internal Audit's Role in Ethics, Governance, & CultureJim Kaplan CIA CFE
 
How to get auditors performing basic analytics using excel
How to get auditors performing basic analytics using excel How to get auditors performing basic analytics using excel
How to get auditors performing basic analytics using excel Jim Kaplan CIA CFE
 
Right to Audit Clauses: What you need to know!
Right to Audit Clauses: What you need to know!Right to Audit Clauses: What you need to know!
Right to Audit Clauses: What you need to know!Jim Kaplan CIA CFE
 
CyberSecurity Series Malware slides
CyberSecurity Series Malware slidesCyberSecurity Series Malware slides
CyberSecurity Series Malware slidesJim Kaplan CIA CFE
 
Enhanced fraud detection with data analytics
Enhanced fraud detection with data analyticsEnhanced fraud detection with data analytics
Enhanced fraud detection with data analyticsJim Kaplan CIA CFE
 

Similar a GDPR Data Protection Impact Assessment Webinar (20)

General Data Protection Regulation Webinar 6
General Data Protection Regulation Webinar 6 General Data Protection Regulation Webinar 6
General Data Protection Regulation Webinar 6
 
IT Fraud and Countermeasures
IT Fraud and CountermeasuresIT Fraud and Countermeasures
IT Fraud and Countermeasures
 
Cybersecurity Series - Cyber Defense for Internal Auditors
Cybersecurity Series - Cyber Defense for Internal AuditorsCybersecurity Series - Cyber Defense for Internal Auditors
Cybersecurity Series - Cyber Defense for Internal Auditors
 
How to data mine your print reports
How to data mine your print reports How to data mine your print reports
How to data mine your print reports
 
Structuring your organization for success with data analytics
Structuring your organization for success with data analytics Structuring your organization for success with data analytics
Structuring your organization for success with data analytics
 
Future audit analytics
Future audit analyticsFuture audit analytics
Future audit analytics
 
Are You a Smart CAAT or a Copy CAAT
Are You a Smart CAAT or a Copy CAATAre You a Smart CAAT or a Copy CAAT
Are You a Smart CAAT or a Copy CAAT
 
Audit analytics and the agile auditor
Audit analytics and the agile auditorAudit analytics and the agile auditor
Audit analytics and the agile auditor
 
mplementing and Auditing GDPR Series (10 of 10)
mplementing and Auditing GDPR Series (10 of 10) mplementing and Auditing GDPR Series (10 of 10)
mplementing and Auditing GDPR Series (10 of 10)
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of samplingHow analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling
 
How to prepare for your first anti fraud review
How to prepare for your first anti fraud reviewHow to prepare for your first anti fraud review
How to prepare for your first anti fraud review
 
Retrospective data analytics slides
Retrospective data analytics slidesRetrospective data analytics slides
Retrospective data analytics slides
 
Internal Audit's Role in Ethics, Governance, & Culture
Internal Audit's Role in Ethics, Governance, & CultureInternal Audit's Role in Ethics, Governance, & Culture
Internal Audit's Role in Ethics, Governance, & Culture
 
How to get auditors performing basic analytics using excel
How to get auditors performing basic analytics using excel How to get auditors performing basic analytics using excel
How to get auditors performing basic analytics using excel
 
Ethics for Internal Auditors
Ethics for Internal AuditorsEthics for Internal Auditors
Ethics for Internal Auditors
 
Right to Audit Clauses: What you need to know!
Right to Audit Clauses: What you need to know!Right to Audit Clauses: What you need to know!
Right to Audit Clauses: What you need to know!
 
CyberSecurity Series Malware slides
CyberSecurity Series Malware slidesCyberSecurity Series Malware slides
CyberSecurity Series Malware slides
 
Fieldwork Webinar
Fieldwork WebinarFieldwork Webinar
Fieldwork Webinar
 
Enhanced fraud detection with data analytics
Enhanced fraud detection with data analyticsEnhanced fraud detection with data analytics
Enhanced fraud detection with data analytics
 

Más de Jim Kaplan CIA CFE

Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...Jim Kaplan CIA CFE
 
How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides Jim Kaplan CIA CFE
 
Ethics and the Internal Auditor
Ethics and the Internal AuditorEthics and the Internal Auditor
Ethics and the Internal AuditorJim Kaplan CIA CFE
 
Building and Striving for Data Analytics Excellence
Building and Striving for Data Analytics ExcellenceBuilding and Striving for Data Analytics Excellence
Building and Striving for Data Analytics ExcellenceJim Kaplan CIA CFE
 
The Future of Auditing and Fraud Detection
The Future of Auditing and Fraud Detection The Future of Auditing and Fraud Detection
The Future of Auditing and Fraud Detection Jim Kaplan CIA CFE
 

Más de Jim Kaplan CIA CFE (6)

Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
 
How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides
 
Ethics and the Internal Auditor
Ethics and the Internal AuditorEthics and the Internal Auditor
Ethics and the Internal Auditor
 
Ethics for Internal Auditors
Ethics for  Internal AuditorsEthics for  Internal Auditors
Ethics for Internal Auditors
 
Building and Striving for Data Analytics Excellence
Building and Striving for Data Analytics ExcellenceBuilding and Striving for Data Analytics Excellence
Building and Striving for Data Analytics Excellence
 
The Future of Auditing and Fraud Detection
The Future of Auditing and Fraud Detection The Future of Auditing and Fraud Detection
The Future of Auditing and Fraud Detection
 

Último

Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxAndy Lambert
 
Call Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116  - With room ServiceCall Girls in Gomti Nagar - 7388211116  - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room Servicediscovermytutordmt
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Serviceritikaroy0888
 
Boost the utilization of your HCL environment by reevaluating use cases and f...
Boost the utilization of your HCL environment by reevaluating use cases and f...Boost the utilization of your HCL environment by reevaluating use cases and f...
Boost the utilization of your HCL environment by reevaluating use cases and f...Roland Driesen
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageMatteo Carbone
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Dipal Arora
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A  SALESMAN / WOMANA DAY IN THE LIFE OF A  SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMANIlamathiKannappan
 
9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi
9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi
9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 DelhiCall Girls in Delhi
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdfRenandantas16
 
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Delhi Call girls
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Dave Litwiller
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...amitlee9823
 
Unlocking the Secrets of Affiliate Marketing.pdf
Unlocking the Secrets of Affiliate Marketing.pdfUnlocking the Secrets of Affiliate Marketing.pdf
Unlocking the Secrets of Affiliate Marketing.pdfOnline Income Engine
 
The Coffee Bean & Tea Leaf(CBTL), Business strategy case study
The Coffee Bean & Tea Leaf(CBTL), Business strategy case studyThe Coffee Bean & Tea Leaf(CBTL), Business strategy case study
The Coffee Bean & Tea Leaf(CBTL), Business strategy case studyEthan lee
 
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...anilsa9823
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesDipal Arora
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfPaul Menig
 
Best Basmati Rice Manufacturers in India
Best Basmati Rice Manufacturers in IndiaBest Basmati Rice Manufacturers in India
Best Basmati Rice Manufacturers in IndiaShree Krishna Exports
 
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Lviv Startup Club
 

Último (20)

Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptx
 
Call Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116  - With room ServiceCall Girls in Gomti Nagar - 7388211116  - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room Service
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
 
Boost the utilization of your HCL environment by reevaluating use cases and f...
Boost the utilization of your HCL environment by reevaluating use cases and f...Boost the utilization of your HCL environment by reevaluating use cases and f...
Boost the utilization of your HCL environment by reevaluating use cases and f...
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usage
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
 
Forklift Operations: Safety through Cartoons
Forklift Operations: Safety through CartoonsForklift Operations: Safety through Cartoons
Forklift Operations: Safety through Cartoons
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A  SALESMAN / WOMANA DAY IN THE LIFE OF A  SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMAN
 
9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi
9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi
9599632723 Top Call Girls in Delhi at your Door Step Available 24x7 Delhi
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
 
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
Best VIP Call Girls Noida Sector 40 Call Me: 8448380779
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
 
Unlocking the Secrets of Affiliate Marketing.pdf
Unlocking the Secrets of Affiliate Marketing.pdfUnlocking the Secrets of Affiliate Marketing.pdf
Unlocking the Secrets of Affiliate Marketing.pdf
 
The Coffee Bean & Tea Leaf(CBTL), Business strategy case study
The Coffee Bean & Tea Leaf(CBTL), Business strategy case studyThe Coffee Bean & Tea Leaf(CBTL), Business strategy case study
The Coffee Bean & Tea Leaf(CBTL), Business strategy case study
 
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdf
 
Best Basmati Rice Manufacturers in India
Best Basmati Rice Manufacturers in IndiaBest Basmati Rice Manufacturers in India
Best Basmati Rice Manufacturers in India
 
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
 

GDPR Data Protection Impact Assessment Webinar

  • 1. 4/16/2020 1 Richard Cascarino CISM, CIA, ACFE, CRMA General Data Protection Regulation (GDPR) Webinar 4 Data Protection Impact Assessment About Jim Kaplan, CIA, CFE  President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)  Auditor, Web Site Guru,  Internet for Auditors Pioneer  IIA Bradford Cadmus Memorial Award Recipient  Local Government Auditor’s Lifetime Award  Author of “The Auditor’s Guide to Internet Resources” 2nd Edition Page 2 1 2
  • 2. 4/16/2020 2 ABOUT AUDITNET® LLC • AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology. • Available on the Web, iPad, iPhone, Windows and Android devices and features: • Over 3,100 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices • Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users. • Audit guides, manuals, and books on audit basics and using audit technology • LinkedIn Networking Groups • Monthly Newsletters with Expert Guest Columnists • Surveys on timely topics for internal auditors Introductions Page 3 HOUSEKEEPING This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden. • If you logged in with another individual’s confirmation email you will not receive CPE as the confirmation login is linked to a specific individual • This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join link. • We are recording the webinar and you will be provided access to that recording after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited. • If you meet the criteria for earning CPE you will receive a link via email to download your certificate. The official email for CPE will be issued via NoReply@gensend.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated if you did not receive the first mailing. • Submit questions via the chat box on your screen and we will answer them either during or at the conclusion. 
• You must answer the survey questions after the Webinar or before downloading your certificate. 3 4
  • 3. 4/16/2020 3 IMPORTANT INFORMATION REGARDING CPE! • ATTENDEES - If you attend the entire Webinar and meet the criteria for CPE you will receive an email with the link to download your CPE certificate. The official email for CPE will be issued via NoReply@gensend.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated after the initial distribution. • We cannot manually generate a CPE certificate as these are handled by our 3rd party provider. We highly recommend that you work with your IT department to identify and correct any email delivery issues prior to attending the Webinar. Issues would include blocks or spam filters in your email system or a firewall that will redirect or not allow delivery of this email from Gensend.io • You must opt-in for our mailing list. If you indicate, you do not want to receive our emails your registration will be cancelled, and you will not be able to attend the Webinar. • We are not responsible for any connection, audio or other computer related issues. You must have pop-ups enabled on you computer otherwise you will not be able to answer the polling questions which occur approximately every 20 minutes. We suggest that if you have any pressing issues to see to that you do so immediately after a polling question. The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® LLC. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship. While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. 
AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website. Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet® LLC 5 6
  • 4. 4/16/2020 4 ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA • Principal of Richard Cascarino & Associates based in Colorado USA • Over 28 years experience in IT audit training and consultancy • Past President of the Institute of Internal Auditors in South Africa • Member of ISACA • Member of Association of Certified Fraud Examiners • Author of Data Analytics for Internal Auditors 7 TODAY’S AGENDA Page 8 • How to perform a data protection impact assessment (DPIA) • The role of the data protection officer (DPO) • Transferring personal data outside the EU 7 8
  • 5. 4/16/2020 5 PRIVACY IMPACT ASSESSMENT • “An evaluation conducted to assess how the adoption of new information policies, the procurement of new computer systems, or the initiation of new data collection programs will affect individual privacy” • [cf. A.M. Green, Yale, 2004] • Considering privacy issues at the early stages of a project cycle reduces potential adverse impacts on privacy after it has been implemented • To be effective • DPIA process should be independent • DPIA performed by an independent entity (office and/or commissioner) not linked to the project under review RISK OF NOT DOING A DPIA  The need to redesign all or major parts of the system/project  Collapse of the project due to adverse publicity  Loss of trust or reputation  Breach of data protection legislation and significant fines  Subsequent regulatory action by the Information Commissioner’s Office (ICO) as a result of complaints received from data subjects  Individuals subjected to fraud, identity theft and distress  Legal action taken by individuals to sue the organization 9 10
  • 6. 4/16/2020 6  When you plan to:  Embark on a new project involving the collection of personal data  Introduce new IT systems for storing, accessing or otherwise using personal information  Participate in a new data-sharing initiative with other organizations  Create new policies that affect individuals  Initiate actions based on a policy of identifying particular demographics  Use existing data for a “new and unexpected or more intrusive purpose”  Prior to outsourcing any type of processing to a service provider DO I NEED TO CARRY OUT A DPIA? EXISTING SYSTEMS OR ACTIVITIES  If an existing activity or system that processes personal data might have intrinsic risks and no DPIA was done at the design stage  Processing of special category personal data  Processing of financial data  Using external software  Using a surveillance system  Processing data that, if disclosed, could lead to discrimination or other harm  Processing data that, if disclosed, could lead to loss of reputation for data subjects or corporation  Review an existing system or activity if there are any concerns about privacy intrusion or security vulnerabilities 11 12
WHERE DO WE START
 Do we need a DPIA?
 Description of activity
  – How is the information collected, stored, used and deleted?
  – What information is used?
  – What is it used for?
  – Who will have access to it?
 Compliance with privacy laws
 Screening
 Risk identification

THE PROCESS
 Planning and mobilization
  – Set up the team, finalize the scope
  – Determine what resources are needed
  – Identify process owners and stakeholders, establish a consultation plan
 Perform the assessment
  – Consult stakeholders, analyze risks and legal gaps, create a risk map
  – Determine the controls and remediation measures necessary to address legal gaps and risks
  – Create a risk management plan, get sign-off
 Implement the control framework
  – Deploy risk management controls
  – Address legal gaps through remediation measures
 Monitor and evaluate on a regular basis
AUTOMATED PERFORMANCE TOOLS
 OneTrust
  – Maintain ongoing, scalable records to demonstrate global privacy compliance
  – Integrate privacy by design into existing processes
  – Sharing project assessments externally
 CENTRL's Privacy360
  – Automate the full assessment process
  – Use standard assessment templates or upload proprietary ones
  – Track issues and manage the process to remediation
  – Reporting and analytics
 Vigilant Software
  – Identify data security risks and determine the likelihood of their occurrence and impact
  – Easily review and update DPIAs when changes in processing activities occur
  – Share DPIA findings with stakeholders and data processors
  – Demonstrate that appropriate measures have been taken to comply with the requirements of the GDPR

RISK ASSESSMENT
 Absolute risk – the maximum potential exposure the data has to a specific risk, i.e. the exposure before controls are applied
  – The personal data being processed should be categorized according to the risk of damage
 Mitigation of risk
  – A description of the measures to address the absolute risk and reduce it to a residual risk
  – Should indicate how the technical measures comply with the principles of the GDPR
 Proportionality
  – Is the data over-collected and over-retained with respect to its original purpose?
  – Is it in line with the corporate risk appetite?
RISK CLASSIFICATION
 Inherent risk
  – The pure risk inherent in the nature of the activity
 Control risk
  – The risk that an established control will fail to function as intended
 Detection risk
  – The risk of management and/or auditors failing to detect a risk
 Planning risk
  – The risk of the managers and/or auditors choosing the wrong plan
 Residual risk
  – The risk remaining after all controls are in place and effective

RISK ANALYSIS
[Figure: risk analysis matrix; risk types Opportunity, Hazard and Uncertainty plotted against Compliance and Prevention, Operating Performance and Strategic Initiatives, with responsibility levels Internal Auditor, Manager, Director and CEO]
SELECTING CONTROLS FOR MONITORING
 Tools to evaluate controls
[Figure: application control cube; axes IT areas, Components and Threats; each cell rated Adequate or Inadequate]

DEVELOPED FROM THE FITZGERALD MATRIX APPROACH
 Jerry FitzGerald CDP, CISA
 Used to identify high-impact areas for auditing
 Looks at systems via their components and threats:
  – Threat identification
  – Threat evaluation
  – Control identification
  – Control evaluation
  – Audit work selection
  – Recommendation formulation
 Allows the use of nested matrices
STEPS IN THE MATRIX APPROACH
1. Identify the components and threats in a given audit unit
2. Rank the components and threats
3. Create the control matrix identifying the high-risk quartile and the low-risk quartile
4. Identify controls known / believed to be in place
5. Evaluate the effectiveness and cost/benefits of the systems of internal control
6. Make recommendations where controls are deemed to be inadequate
7. Test key controls to ensure their effectiveness
8. Re-evaluate based on known control effectiveness and make recommendations where appropriate

DATA PROTECTION PRINCIPLES
 Data processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’)
  – The inclusion of the principle of transparency is a new provision within the GDPR.
 Data obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  – GDPR provisions include processing for public interest and/or scientific purposes, widening the scope for further processing. Archiving, scientific / historical research or statistical purposes would not be seen as incompatible with the original purpose. However, there would be a need to consider pseudonymising the data.
 Data processed is adequate, relevant and limited to what is necessary
 Data is accurate and, where necessary, kept up to date
  – Rights for individuals in the GDPR, e.g. data erasure, data correction etc., will impact on this principle
 Data should not be kept longer than is necessary for the purpose
  – The GDPR expands the list of exceptions permitting the storage of data for longer periods where the data is being processed for archiving purposes in the public interest and/or scientific purposes, and in addition for statistical or historical purposes.
 Appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction
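The eight steps of the matrix approach, worked through in code as an added example (this is not the slides' or FitzGerald's own tool). The component and threat ranks, the exposure score (component rank × threat rank) and the residual-risk rule are assumptions of this example; the audit unit is a constructed HR system.

```python
"""Added example: a small control matrix walking through the matrix steps.
Scoring scheme and sample data are assumptions, not the method as taught."""
from dataclasses import dataclass, field
from itertools import product

# Constructed sample audit unit (hypothetical HR system). Rank 5 = most critical.
COMPONENTS = {"employee DB": 5, "payroll export": 4, "web portal": 3, "backup tapes": 2}
THREATS = {"unauthorised access": 5, "data loss": 4,
           "excessive retention": 3, "inaccurate data": 2}


@dataclass
class Cell:
    """One component/threat intersection of the control matrix."""
    component: str
    threat: str
    exposure: int                                  # absolute risk, before controls
    controls: list = field(default_factory=list)   # (name, effectiveness in 0..1)

    def residual(self) -> float:
        # Assumption: each control removes its effectiveness share of what is
        # left, so controls of 0.6 and 0.5 together leave 20% of the exposure.
        remaining = float(self.exposure)
        for _, effectiveness in self.controls:
            remaining *= 1.0 - effectiveness
        return round(remaining, 2)


def build_matrix(components, threats):
    """Steps 1-2: combine ranked components and threats into scored cells."""
    return {(c, t): Cell(c, t, rc * rt)
            for (c, rc), (t, rt) in product(components.items(), threats.items())}


def quartiles(matrix, key=lambda cell: cell.exposure):
    """Step 3: high-risk quartile (top 25%) and low-risk quartile (bottom 25%).
    Re-run with key=Cell.residual for step 8, once control effectiveness is known."""
    ranked = sorted(matrix.values(), key=key, reverse=True)
    n = max(1, len(ranked) // 4)
    return ranked[:n], ranked[-n:]


def add_control(matrix, component, threat, name, effectiveness):
    """Step 4: record a control known or believed to be in place for one cell."""
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must be a fraction between 0 and 1")
    matrix[(component, threat)].controls.append((name, effectiveness))


def inadequate(matrix, risk_appetite):
    """Steps 5-6: cells whose residual risk still exceeds the risk appetite."""
    return sorted((c for c in matrix.values() if c.residual() > risk_appetite),
                  key=Cell.residual, reverse=True)


def run_example():
    matrix = build_matrix(COMPONENTS, THREATS)
    high, low = quartiles(matrix)
    # Step 4 with constructed effectiveness figures for controls believed in place.
    add_control(matrix, "employee DB", "unauthorised access", "role-based access control", 0.6)
    add_control(matrix, "employee DB", "unauthorised access", "access logging and review", 0.5)
    add_control(matrix, "employee DB", "data loss", "encrypted nightly backup", 0.5)
    gaps = inadequate(matrix, risk_appetite=12)
    return {
        "high_risk": [(c.component, c.threat, c.exposure) for c in high],
        "low_risk": [(c.component, c.threat, c.exposure) for c in low],
        "residual_top": matrix[("employee DB", "unauthorised access")].residual(),
        "gaps": [(c.component, c.threat, c.residual()) for c in gaps],
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, value)
```

The cells listed under "gaps" are the ones step 6 would turn into recommendations; after step 7 testing, replace the assumed effectiveness figures with measured ones and re-run.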
CONTINUOUS MONITORING
 Continuous risk management
  – Risk assessment and security planning policies & procedures
  – Risk analysis as part of the development cycle
  – Periodic risk assessments
 Risk mitigation
  – Vulnerability scanning
  – Patching
  – Incident response coordination
  – Feedback loop with installed base

DPO
 DPO requirement applies to both controllers and processors
 No exception for small or medium-sized companies, but a risk-based approach
 The GDPR requires the appointment of a DPO in three cases:
  1. Public authorities or bodies (except courts)
  2. Private companies where the “core activities” consist of
   a) processing operations which require “regular and systematic monitoring” of data subjects “on a large scale”
   b) “large scale” processing of sensitive data or data relating to criminal convictions and offences
ROLE OF THE DPO
 Enabling compliance with the GDPR
 Fostering a data protection culture within the organization
 Not personally responsible for non-compliance

SOURCING THE DPO
 Single DPO if easily accessible from each establishment
 Full-time or part-time employee
 Consultant / outsourced under contract
 Single role or part of another role
 A supporting team around the DPO
 No conflict of interest
  – No position within the organization that leads them to determine the purposes and the means of the processing of personal data
  – e.g. chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of HR, head of IT
INDEPENDENCE
 Data controllers or processors should:
  – Identify positions which would be incompatible with the DPO function;
  – Draw up internal rules to avoid “conflicts of interests”;
  – Formally declare via internal & external comms & in policy documentation that the DPO has no conflict of interests with regard to their function as a DPO, as a way of raising awareness of this requirement;
  – Include safeguards within the organization’s internal rules and ensure that the publicly-posted DPO job description or the services contract for an external DPO is sufficiently precise and detailed in order to avoid a conflict of interests.

INDEPENDENT REPORTING LINE
 Chief Compliance Officer
 Audit team
 Report directly to the CEO, COO, Board, etc.
 External contractor (i.e., outside consultant or counsel) reporting to a C-level officer or the Board
 Other reporting line without conflicts
EXPERTISE REQUIRED
 Integrity and high professional ethics
 Expertise in national and European data protection laws and practices
 In-depth understanding of the GDPR
 Knowledge of the business sector and of the organization of the controller
 Knowledge of the administrative rules and procedures of the organization
 Autonomy – does not receive any instructions regarding the exercise of their tasks
 Not dismissed or penalized by the controller (or the processor) for performing their tasks

WP29 SPECIFIES
 Level of expertise: it is essential that the DPO understands how to build, implement & manage data protection programs.
  – The more complex or high-risk the data processing activities are, the greater the expertise the DPO will need.
 Professional qualities: DPOs need not be lawyers, but they must have expertise in member state and European data protection law, including an in-depth knowledge of the GDPR
  – DPOs must also have a reasonable understanding of the organization's technical and organizational structure and be familiar with information technologies and data security
  – In the case of a public authority or body, the DPO should have sound knowledge of its administrative rules & procedures
ROLE COMPARISON
CISO
 Responsible for securing global corporate infrastructure, applications, IP & personal data
 Support the CPO (Chief Privacy Officer) by answering security questions
 Responsible for implementation of appropriate technical & organizational measures to ensure a level of security appropriate to the risk
 Responsible for ensuring the security of the systems and transactions with respect to the rights of data subjects
DPO
 Responsible for oversight of EU privacy, data protection & security compliance
 Advise the CPO on when a DPIA is necessary & the risk-based methodology to use; review risks identified by the DPIA for GDPR compliance
 Advise the CPO & CISO on meeting GDPR documentation requirements, mitigating security controls, and whether controls have been accurately carried out
 Advise the organization on whether it is appropriately respecting the rights of data subjects

TASKS OF THE DPO
 Advisory role
  – The controller, the processor and their employees
 Monitoring compliance
  – With the GDPR and other data protection legislation, but also internal policies
 Inform and advise on data protection impact assessments and monitor performance (upon request)
 Cooperate with supervisory authorities (“SAs”)
  – Contact point for SAs and data subjects
  – Contact details of the DPO shall be published and communicated to the SA
 Serve as a privacy contact
  – Data subjects’ rights, withdrawal of consent, right to be forgotten etc.
THE NEW DPO
 Get familiar with the processing activities and existing rules and processes
 Understand the scope of your tasks and responsibilities
  – Statutory tasks versus optional tasks (for instance, maintaining the record of processing activities)
 Identify key issues and contact persons
 Identify budget and other resource requirements
 Draw up a work plan and prioritize
 Regularly attend relevant meetings and speak to employees and senior management (in some countries Works Councils are important)
 Regularly report to senior management
 Keep up to date (training)

TRANSFERRING PERSONAL DATA OUTSIDE THE EU
 Article 2(g): “recipient” shall mean a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients
 Generally, the GDPR restricts transfers of personal data to countries outside the EEA. These restrictions apply to all transfers, no matter the size of the transfer or how often you carry them out
 Article 44: general principle for transfers
  – Any transfer of personal data by a controller or processor shall take place only if certain conditions are complied with:
   a. Transfers on the basis of adequacy;
   b. Transfers subject to the appropriate safeguards;
   c. Binding corporate rules apply.
ADEQUACY
 Transfers on the basis of adequacy
  – A transfer may take place where there is an adequate level of protection
 The adequacy criteria:
  – the rule of law;
  – respect for human rights and fundamental freedoms;
  – relevant legislation, both general and sectoral, including that concerning:
    public security
    defense
    national security
    criminal law

SUBJECT TO APPROPRIATE SAFEGUARDS
 Legally binding agreement between public authorities or bodies
 Standard data protection clauses in the form of template transfer clauses adopted by the Commission
 Standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission
 Compliance with an approved code of conduct approved by a supervisory authority
 Certification under an approved certification mechanism as provided for in the GDPR
 Contractual clauses authorized by the competent supervisory authority
 Provisions inserted into administrative arrangements between public authorities or bodies, authorized by the competent supervisory authority
DEROGATIONS (EXEMPTIONS)
 Made with the individual’s informed consent
 Necessary for the performance of a contract between the individual and the organization, or for pre-contractual steps taken at the individual’s request
 Necessary for the performance of a contract made in the interests of the individual between the controller and another person
 Necessary for important reasons of public interest
 Necessary for the establishment, exercise or defense of legal claims
 Necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent
 Made from a register which under UK or EU law is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register)

BINDING CORPORATE RULES
 Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of the EEA
 Applicants must demonstrate that their BCRs put in place adequate safeguards for protecting personal data throughout the organization
 Existing model BCRs are Data Protection Directive (DPD)-related
PRIVACY SHIELD (USA ONLY)
 The decision on the EU-U.S. Privacy Shield was adopted by the European Commission on 12 July 2016
 Commercial sector
  – Strong obligations on companies and robust enforcement
 U.S. Government access
  – Clear safeguards and transparency obligations
 Redress
  – Directly with the company
  – With the data protection authority
  – Privacy Shield panel
 Monitoring
  – Annual joint review mechanism between the US Department of Commerce and the EU Commission

SAFE HARBOR
 Safe Harbor was a transfer mechanism negotiated between the Commission and the U.S. Department of Commerce (DOC) that for years was the basis for a Commission adequacy decision finding that the U.S. provided an “adequate level of protection.”
 More than 4,000 American companies relied on it to legitimize their transatlantic data transfers
 Following the Snowden revelations, Safe Harbor fell under criticism as not providing sufficient protection against U.S. surveillance
SAFE HARBOR vs PRIVACY SHIELD
 The Privacy Shield Framework was deemed adequate by the European Commission
 Participating organizations are deemed to provide “adequate” privacy protection
 Compliance requirements of the Privacy Shield Framework are clearly laid out and can be implemented by small and medium-sized enterprises
 Privacy Shield supersedes Safe Harbor (mutually exclusive)
 Withdrawal from Safe Harbor requires recertification under Privacy Shield
 NB: Privacy Shield reflects the DPD, not the GDPR

PRIVACY SHIELD CHANGES
1. Notice
2. Choice
3. Enhanced Redress for Data Subjects
4. Onward C2C Transfers
5. C2P Transfers and Vendor Management
6. Verification
7. Ongoing Obligations
NOTICE
 Companies must provide “clear and conspicuous” privacy policies that contain at least 13 enumerated items of information about the company, its data processing, and the consumer’s rights under Privacy Shield. (For comparison, Safe Harbor only required four items to be disclosed in privacy notices.)
 In practice, this will require process mapping, gap assessments, and updates to privacy notices.

CHOICE
 Companies must give individuals an opt-out any time they intend to use data for a purpose that is “materially different” from the purposes for which the data was collected
 Also, any time companies intend to transfer or use “sensitive data” for new and different purposes (e.g., data about race, ethnicity, medical conditions, religious beliefs, or sex life), they must first obtain opt-in consent from users
 The Choice principle will require process mapping to determine in-scope data, designate authorized uses, and assess gaps in existing opt-out mechanisms
ENHANCED REDRESS FOR DATA SUBJECTS
 Individuals are entitled to lodge a complaint directly with the company responsible for their data
  – The company must respond within 45 days.
 Companies are obligated to designate and cooperate with an “independent recourse mechanism” (basically a mediation provider)
  – Companies must inform consumers of who the mediation provider is and ensure that consumers can lodge complaints (and participate in mediation) free of charge
 Individual EU citizens can lodge complaints against Privacy Shield companies directly with their local DPAs
  – The DPA will forward complaints to the DOC, which will investigate them at no cost to the individual
 After attempting all three of the above mechanisms, individuals can invoke a special Privacy-Shield-specific arbitration procedure
  – Privacy Shield companies are bound by the results of the arbitration
 Alternatively, U.S. companies can elect to work directly with European DPAs in resolving consumer complaints (binding)

ONWARD C2C TRANSFERS
 In order to transfer data to another company acting as a controller, Privacy Shield requires companies to:
  – Inform individuals about the “type or identity” of the data recipient and the purposes of the transfer
  – Give individuals an opportunity to opt out of the transfer
  – Enter a written agreement with the recipient obligating it to maintain “the same level of protection” required by Privacy Shield
C2P TRANSFERS AND VENDOR MANAGEMENT
 Privacy Shield requires written contracts as the basis for any relationship with a processor
  – This will generally require businesses to engage in a contract and/or vendor management program for outsourced processing activities
 As part of managing contractual relationships, Privacy Shield requires both due diligence and auditing of vendors.
 Notably, Privacy Shield contains a new liability rule ensuring that its Principles flow through to vendors
  – Privacy Shield organizations are presumed liable for any violation of the Privacy Shield Principles committed by their vendors

VERIFICATION
 While Safe Harbor gave companies the option of conducting compliance audits, Privacy Shield now mandates that organizations annually verify that they are in compliance with the Privacy Shield Principles and that their published privacy policies are accurate
 Privacy Shield permits organizations to do so through self-assessment or third-party audits
 If self-assessing, an officer’s signed certification will be required and can be demanded by the FTC or DOC at any time
ONGOING OBLIGATIONS
 Any organization that receives personal data under Privacy Shield must apply the Privacy Shield Principles to that information for as long as the organization retains it
  – Even if the organization stops participating in (or is removed from) the Privacy Shield program
 There is a possibility the Commission may insert a Data Retention Principle into the Privacy Shield decision that would require organizations to delete EU data after a specified time
 Either way, organizations will need to map their data flows and implement compliance systems for Privacy Shield data

SELF CERTIFICATION
 The information that an organization must provide during the self-certification process includes:
  – Organization information:
    Company name
    Address
    Contact
  – Mechanism to investigate complaints
  – Description of privacy policy
 The following URL must be included in an organization’s privacy policy to meet the Framework requirement: https://www.privacyshield.gov
THE CLOUD
 The Cloud is not automatically territorially limited
 Any transfer of personal data by a controller or processor shall take place only if certain conditions are complied with:
  – Transfers on the basis of adequacy
  – Transfers subject to the appropriate safeguards
  – Binding corporate rules apply
 All provisions shall be applied to ensure the protection of natural persons is not undermined
  – To countries with similar data protection regulations
 Cloud providers are a key risk area
  – Highest penalties apply to breaches of these provisions
 Cloud providers need to ensure they are able to differentiate their EU and non-EU provision and provide clarity to data subjects and controllers

QUESTIONS?
Any Questions? Don’t be Shy!
AUDITNET® AND CRISK ACADEMY
• If you would like forever access to this webinar recording
• If you are watching the recording, and would like to obtain CPE credit for this webinar
• Previous AuditNet® webinars are also available on-demand for CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a discount on this webinar for one week

THANK YOU!
Jim Kaplan, AuditNet® LLC
1-800-385-1625
Email: info@auditnet.org
www.auditnet.org
Follow Me on Twitter for Special Offers - @auditnet
Join my LinkedIn Group – https://www.linkedin.com/groups/44252/
Like my Facebook business page https://www.facebook.com/pg/AuditNetLLC

Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel: +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino