Protecting personal data has been an important issue for many years. The EU GDPR extends the data rights of individuals, and requires organizations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organizational measures. UK organizations have had to comply with the Regulation since 25 May 2018, or potentially face fines of up to 4% of annual turnover or €20 million – whichever is greater.
Learning Outcomes:
This 10-webinar series is intended to give a clear understanding of the core elements of the GDPR, with the opportunity to gain a deeper understanding by asking the trainer questions during the training.
It covers how each aspect of the Regulation can be translated into implementation actions in your organization and the auditor’s role.
Webinar 5
• Certification against GDPR
• The powers of supervisory authorities
• Lead supervisory authorities
• The role of the European Data Protection Board (EDPB)
General Data Protection Regulation for Auditors 5 of 10
5/19/2020
Richard Cascarino CISM, CIA, ACFE, CRMA
General Data Protection Regulation (GDPR) Webinar 5
GDPR Certification
About Jim Kaplan, CIA, CFE
President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)
Auditor, Web Site Guru, Internet for Auditors Pioneer
IIA Bradford Cadmus Memorial Award Recipient
Local Government Auditor’s Lifetime Award
Author of “The Auditor’s Guide to Internet Resources” 2nd Edition
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and features:
• Over 3,100 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Introductions
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive CPE, as the confirmation login is linked to a specific individual
• This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join link.
• We are recording the webinar and you will be provided access to that recording after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
• If you meet the criteria for earning CPE, you will receive a link via email to download your certificate. The official email for CPE will be issued via cpe@email.cpe.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated if you did not receive the first mailing.
• Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
• You must answer the survey questions after the Webinar or before downloading your certificate.
IMPORTANT INFORMATION REGARDING CPE!
• ATTENDEES - If you attend the entire Webinar and meet the criteria for CPE you will receive an email with the link to download your CPE certificate. The official email for CPE will be issued via cpe@email.cpe.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated after the initial distribution.
• We cannot manually generate a CPE certificate as these are handled by our 3rd party provider. We highly recommend that you work with your IT department to identify and correct any email delivery issues prior to attending the Webinar. Issues would include blocks or spam filters in your email system or a firewall that will redirect or not allow delivery of this email from Gensend.io
• You must opt-in for our mailing list. If you indicate you do not want to receive our emails, your registration will be cancelled, and you will not be able to attend the Webinar.
• We are not responsible for any connection, audio or other computer related issues. You must have pop-ups enabled on your computer, otherwise you will not be able to answer the polling questions which occur approximately every 20 minutes. We suggest that if you have any pressing issues to see to, you do so immediately after a polling question.
The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® LLC. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet® LLC
ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino & Associates based in Colorado USA
• Over 28 years’ experience in IT audit training and consultancy
• Past President of the Institute of Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified Fraud Examiners
• Author of Data Analytics for Internal Auditors
TODAY’S AGENDA
Certification against GDPR
The powers of supervisory authorities
The role of the European Data Protection Board (EDPB)
Lead supervisory authorities
HOW DOES GDPR APPLY TO US-BASED ENTITIES?
Established in the EU (activity through stable arrangements, i.e., an office or employees)
Offer goods or services to EU residents (does not have to be a financial transaction)
Monitor the behavior of EU residents
Company must show intent to draw EU data subjects as “customers”
Company website or access to Company email address or contact information (by itself) is not enough
GDPR AND THE US PRIVACY SHIELD
GDPR: “biggest shake-up of data privacy regulations since the birth of the web”
European Commission: “We expect all companies to fully comply with the General Data Protection Regulation”
EU data protection authorities will watch over their correct application
Privacy Shield: a US jump-start on fulfilling the requirements of GDPR
Privacy Shield provides for the European Commission to conduct periodic reviews in order to assess the level of protection provided by the Privacy Shield
PRIVACY SHIELD
Privacy Shield was introduced in 2016
• Commerce Department’s International Trade Administration
Voluntary (GDPR is not)
U.S.-based organization is required to self-certify to the Department of Commerce
Publicly commit to comply with the Framework’s requirements
U.S. companies cannot simply rely on the Privacy Shield Framework to satisfy the EU on data privacy
• Alexander Stern
Alternative
• Form a new company that handles all operations within the EU but nowhere else
PRIVACY SHIELD ADVANTAGES
Provides a legal basis for the transfer of EU citizens’ personal data to and from the U.S.
Many of the certification requirements under Privacy Shield match GDPR requirements, although not total compliance
On top of Privacy Shield you may need to complete all the GDPR privacy requirements
In general, you can't GDPR self-certify with the Privacy Shield
Only organizations subject to the enforcement authority of the Federal Trade Commission or the Department of Transportation are eligible to participate
Should only be bad news for those companies that buy and trade in user data, or those companies that consistently fail to protect personal data
PROPOSED CHANGES
“Privacy Shield works well, but there is some room for improving its implementation” (first review)
More proactive and frequent monitoring by the Department of Commerce of self-certified companies
During the first year of implementation, only three enforcement actions were reported
Increased attention to making EU data subjects aware of how to exercise their rights under the Privacy Shield, including how to lodge complaints
PROPOSED CHANGES
Increased cooperation between the Department of Commerce, the Federal Trade Commission, and the EU Data Protection Authorities (DPAs)
Federal legislation to make permanent the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28)
PPD-28 is an Obama-era limitation on the collection of signals intelligence that requires appropriate safeguards for all personal information, regardless of whether the individuals are U.S. or foreign
The appointment of a permanent Privacy Shield Ombudsman at the U.S. State
The filling of 4 vacancies on the Privacy and Civil Liberties Oversight Board (PCLOB) (now completed)
2019 REVIEW
“As regards the commercial aspects, the absence of substantial checks remains a concern of the EDPB”
“As regards the collection of data by public authorities, the EDPB can only encourage the PCLOB to issue and publish further reports”
“The EDPB is still not in a position to conclude that the Ombudsperson is vested with sufficient powers to access information and to remedy non-compliance. Thus, it still cannot state that the Ombudsperson can be considered an “effective remedy before a tribunal” in the meaning of Art.47 of the EU Charter of Fundamental Rights”
EU REGULATORS
Local data protection authorities (supervisory authorities) will continue to exist
Have to co-operate with each other and the European Commission
Roles
Appointment of supervisory authorities
Competence, tasks and powers
Co-operation and consistency between supervisory authorities
European Data Protection Board
CERTIFYING FOR GDPR
Particularly relevant in the context of cloud computing and other forms of multi-tenancy services
GDPR makes provision for the approval of codes of conduct (“Codes”) and the accreditation of certifications, seals and marks
GDPR certification is voluntary, as explicitly provided in Article 42(3) of the GDPR, BUT
If a controller or processor applies to an accredited certification body for certification and successfully goes through the certification process, there is a contractual relationship (certification agreement) established between the certification body and the controller/processor
EDPB
The EDPB (European Data Protection Board) has the status of an EU body
Legal personality
Extensive powers to determine disputes between national supervisory authorities
Give advice and guidance
Approve EU-wide codes and certification
CERTIFYING FOR GDPR
What is certified under the data protection certification mechanisms
• Processing activities
Data Protection Officers are not included in the scope of Article 42
Products and systems cannot be certified as such for being GDPR compliant, but they are part of the evaluation for awarding the certification for data-processing activities
Once a controller/processor has its processing certified under a data protection certification mechanism, there is still no presumption of conformity with the legal obligations
Assessment by the certifying body is not a definite assessment of compliance with the GDPR
THE POWERS OF SUPERVISORY AUTHORITIES
Independent European body whose purpose is to ensure consistent application of the General Data Protection Regulation
Guidelines
Recommendations
Best practices
Opinions
Binding decisions
Enforcement lies with the EEA SAs
EDPB normally decides matters by a simple majority, but rules of procedure and binding decisions (in the first instance) are to be determined by a two-thirds majority
SIZE OF FINES
Graduated approach - up to 4% worldwide turnover maximum.
Due regard is to be given to:
the nature, gravity and duration of the infringement;
the intentional character of the infringement;
degree of responsibility (e.g. data protection by design or by default) or any relevant previous infringements;
cooperation with the supervisory authority (and the manner in which the supervisory authority learned of the infringement);
categories of personal data affected;
other aggravating or mitigating factors (e.g. financial benefits, etc.)
EDPB CONSISTENCY OPINIONS
Most distinctive new role is to conciliate and determine disputes between national supervisory authorities
Between May 25, 2018, and December 31, 2019, the EDPB adopted consistency opinions, including:
• 31 opinions regarding the national lists of processing subject to a data protection impact assessment (DPIA);
• Two positive opinions on Binding Corporate Rules (“BCRs”), while more than 40 BCRs are in the pipeline for approval, half of which could be expected to be approved by the end of 2020;
• Two opinions on the draft accreditation requirements for a code of conduct monitoring body pursuant to Article 41 of the GDPR; and
• One opinion on draft SCCs between data controllers and data processors according to Article 28(8) of the GDPR.
ENFORCEMENT AT THE NATIONAL LEVEL
In its first year
Approximately 275,557 complaints
785 administrative fines
160,040 personal data breaches notified
Updated its Binding Corporate Rules referentials for controllers and processors in light of the GDPR
3 positive Opinions on national decisions approving BCRs while more than 40 BCRs are in the pipeline
Codes of Conduct and Certification
Currently preparing guidelines
Legally binding instruments and administrative arrangements
Preparing guidelines for public authorities and bodies wishing to transfer personal data to public entities outside the EEA
ONE-STOP SHOP
The ‘one-stop-shop’ concept
where a business is established in more than one Member State, it will have a ‘lead authority’, determined by the place of its ‘main establishment’ in the EU
A supervisory authority which is not a lead authority may also have a regulatory role where processing impacts on data subjects in the country of that supervisory authority
LEAD SUPERVISORY AUTHORITIES
Lead Supervisory Authority is the main data protection regulator and the entity that has primary responsibility for dealing with cross-border data processing
Single point of contact
One-stop shop for all matters related to GDPR
In year one:
1,346 procedures were initiated to identify the lead DPA and the concerned DPAs
807 cross-border cases registered
Lead DPAs issued 141 draft decisions to the concerned DPAs
USA AND SUPERVISORY AUTHORITIES
Supervisory Authority is the entity that must be notified in the event of a breach of personal data of data subjects
Lead Supervisory Authority is the main data protection regulator and the entity that has primary responsibility for dealing with cross-border data processing
For companies that operate in multiple EU member states, the lead supervisory authority would normally be the supervisory authority in the country where the company’s headquarters is or where its main business location is in the EU
THE USA
A U.S. company that does not have a base in an EU member state has a problem. If it does not have a base in an EU member state where data processing decisions are made, it will not benefit from the one-stop-shop mechanism
Even if a company has a representative in an EU member state
Company must deal with the supervisory authority in every member state where the company is active
There would not be any lead supervisory authority
May revert to the Privacy Shield
REMEMBER
GDPR creates direct obligations and liability for processors, including those based in the U.S.
Rebalances obligations between companies requesting services (controllers) and companies offering services (processors)
Information such as log-in information, IP addresses, and vehicle identification numbers, though not enabling direct identification of individuals, allows for identification of individuals indirectly and is therefore considered to be personal data
Effectively, most services and/or projects will be considered to involve processing of personal data
Article 48 of the GDPR could impede a company’s ability to comply with U.S. legal process requiring the production of EU personal data
CONTROLLERS VS PROCESSORS
Controller, acting alone or together with others, “determines the purposes and means of the processing of personal data.”
Processor, on the other hand, “processes personal data on behalf of the controller”
Controller or Processor that maintains an “establishment” in the EU will be subject to the GDPR if it processes personal data “in the context of” that EU establishment, regardless of whether the processing actually takes place in the EU
Controller or Processor not established in the EU will be subject to the GDPR “where the processing activities are related to offering goods or services to data subjects in the Union,” even when the goods and services are offered for free
CONTROLLERS VS PROCESSORS
Controller or Processor not established in the EU will be subject to the GDPR if it processes the personal data of data subjects in the EU and that processing is related to the “monitoring” in the EU of the “behavior” of data subjects as their behavior takes place within the EU
In the event of a data breach, the controller must notify the supervisory authority “without undue delay” and, where feasible, within 72 hours of discovering the breach
• Reasoned justification in case breach is not notified within 72 hours
• Data subjects shall be notified without undue delay if the breach is likely to result in a high risk for the rights and freedoms of individuals, to allow them to take the necessary precautions
• Communication to the data subject is not required in certain cases
LIABILITIES
Direct claims: data subject can lodge a complaint directly against a Processor (administrative as well as judicial).
Qualified liability: A Processor shall be liable for the damage caused by the processing only where it has not complied with obligations of this Regulation specifically directed to Processors or acted outside or contrary to lawful instructions of the Controller.
Burden of proof: A Controller or Processor shall be exempted from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
Liable for sub-processors: Where that other Processor fails to fulfill its data protection obligations, the initial Processor shall remain fully liable to the Controller for the performance of that other processor's obligations.
RIGHTS AGAINST CONTROLLERS AND PROCESSORS
The right to lodge a complaint with supervisory authorities where their data have been processed in a way that does not comply with the GDPR
The right to an effective judicial remedy where a competent supervisory authority fails to deal properly with a complaint;
The right to an effective judicial remedy against a relevant controller or processor;
The right to compensation from a relevant controller or processor for material or immaterial damage resulting from infringement of the GDPR
RIGHTS AGAINST CONTROLLERS AND PROCESSORS
Both natural and legal persons have the right of appeal to national courts against a legally binding decision concerning them made by a supervisory authority
Individuals can bring claims for non-pecuniary loss, not just for compensation
The potential for group actions to be brought is facilitated
Judicial remedies and liability for compensation extend to both data controllers and data processors who infringe the Regulation
ACTIONS FOR CONTROLLERS AND PROCESSORS
Controllers and their processors should ensure that data processing agreements and contract management arrangements clearly specify:
the scope of the processor’s responsibilities
the agreed mechanisms for resolving disputes regarding respective liabilities to settle compensation claims
the agreed process for reporting to other controllers or processors that are involved in the same processing any relevant compliance breaches and any complaints or claims received from relevant data subjects
REPRESENTATIVE BODIES
The GDPR entitles representative bodies, acting on behalf of data subjects, to lodge complaints with supervisory authorities and seek judicial remedies against a decision of a supervisory authority or against data controllers or processors
The provision applies to any representative body that is:
a not-for-profit body, organization or association;
properly constituted according to Member State law;
with statutory objectives that are in the public interest;
active in the field of data protection
QUESTIONS?
Any Questions?
Don’t be Shy!
AUDITNET® AND CRISK ACADEMY
• If you would like forever access to this webinar recording
• If you are watching the recording, and would like to obtain CPE credit for this webinar
• Previous AuditNet® webinars are also available on-demand for CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a discount on this webinar for one week
THANK YOU!
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email: info@auditnet.org
www.auditnet.org
Follow Me on Twitter for Special Offers - @auditnet
Join my LinkedIn Group –
https://www.linkedin.com/groups/44252/
Like my Facebook business page
https://www.facebook.com/pg/AuditNetLLC
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino