Protecting personal data has been an important issue for many years. The EU GDPR extends the data rights of individuals, and requires organizations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organizational measures. UK organizations have had to comply with the Regulation since 25 May 2018, or potentially face fines of up to 4% of annual turnover or €20 million – whichever is greater. Learning Outcomes: This 10 webinar series is intended to elicit a clear understanding of the core elements of the GDPR, with the ability to gain a deeper understanding by asking the trainer questions during the training. It covers how each aspect of the Regulation can be translated into implementation actions in your organization and the auditor’s role. Webinar 8 • The security of personal data. • An organizational risk management framework. • Legal requirements for a DPIA. • How to conduct a DPIA with a DPIA tool.

1. 8/19/2020
1
Richard Cascarino CISM,
CIA, ACFE, CRMA
General Data
Protection Regulation
(GDPR) Webinar 8
Risk, DPIA and Tools
About Jim Kaplan, CIA, CFE
 President and Founder of AuditNet®,
the global resource for auditors
(available on iOS, Android and
Windows devices)
 Auditor, Web Site Guru,
 Internet for Auditors Pioneer
 IIA Bradford Cadmus Memorial Award
Recipient
 Local Government Auditor’s Lifetime
Award
 Author of “The Auditor’s Guide to
Internet Resources” 2nd Edition
Page 2
1
2

2. 8/19/2020
2
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit
community as the primary resource for Web-based auditing content. As the first online
audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the
use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and
features:
• Over 3,200 Reusable Templates, Audit Programs, Questionnaires, and
Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit
with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit
technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Introductions
Page 3
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners.
Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive
CPE as the confirmation login is linked to a specific individual
• This Webinar is not eligible for viewing in a group setting. You must be logged in with
your unique join link.
• We are recording the webinar and you will be provided access to that recording after
the webinar. Downloading or otherwise duplicating the webinar recording is expressly
prohibited.
• If you meet the criteria for earning CPE, you will receive a link via email to download
your certificate. The official email for CPE will be issued via cpe@email.cpe.io and it is
important to white list this address. It is from this email that your CPE credit will be sent.
There may be a processing fee to have your CPE credit regenerated if you did not
receive the first mailing.
• Submit questions via the chat box on your screen and we will answer them either during
or at the conclusion.
• You must answer the survey questions after the Webinar or before downloading your
certificate.
3
4

3. 8/19/2020
3
IMPORTANT INFORMATION
REGARDING CPE!
• ATTENDEES - If you attend the entire Webinar and meet the criteria for CPE you will receive
an email with the link to download your CPE certificate. The official email for CPE will be
issued via cpe@email.cpe.io and it is important to white list this address. It is from this email
that your CPE credit will be sent. There may be a processing fee to have your CPE credit
regenerated after the initial distribution.
• We cannot manually generate a CPE certificate as these are handled by our 3rd party provider.
We highly recommend that you work with your IT department to identify and correct any email
delivery issues prior to attending the Webinar. Issues would include blocks or spam filters in
your email system or a firewall that will redirect or not allow delivery of this email from
Gensend.io
• You must opt-in for our mailing list. If you indicate, you do not want to receive our emails
your registration will be cancelled, and you will not be able to attend the Webinar.
• We are not responsible for any connection, audio or other computer related issues. You must
have pop-ups enabled on you computer otherwise you will not be able to answer the polling
questions which occur approximately every 20 minutes. We suggest that if you have any
pressing issues to see to that you do so immediately after a polling question.
The views expressed by the presenters do not necessarily represent the views,
positions, or opinions of AuditNet® LLC. These materials, and the oral presentation
accompanying them, are for educational purposes only and do not constitute
accounting or legal advice or create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and complete,
AuditNet® makes no representations, guarantees, or warranties as to the accuracy or
completeness of the information provided via this presentation. AuditNet® specifically
disclaims all liability for any claims or damages that may result from the information
contained in this presentation, including any websites maintained by third parties and
linked to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply
recommendation or endorsement by AuditNet® LLC
5
6

4. 8/19/2020
4
ABOUT RICHARD CASCARINO,
MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino &
Associates based in Colorado USA
• Over 28 years experience in IT audit
training and consultancy
• Past President of the Institute of
Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified
Fraud Examiners
• Author of Data Analytics for Internal
Auditors
7
TODAY’S AGENDA
Page 8
• The security of personal data.
• An organizational risk management framework.
• Legal requirements for a DPIA.
• How to conduct a DPIA with a DPIA tool.
7
8

5. 8/19/2020
5
Data subject means an individual who is the subject of personal data. In other
words, the data subject is the individual whom particular personal data is
about.
Data controller means the natural or legal person, public authority, agency or
other body which, alone or jointly with others, determines the purposes and
means of the processing of personal data.
Data processor means a natural or legal person, public authority, agency or
other body which processes personal data on behalf of the controller.
WHO’S DATA
Personal data means any information relating to an identifiable
natural person (data subject).
An identifiable natural person is one who can be identified, directly
or indirectly, by reference to an identifier such as:
• a name
• location data
• an online identifier
• one or more factors specific to the physical, physiological,
genetic, mental, economic, cultural or social identity.
PERSONAL DATA
9
10

6. 8/19/2020
6
Termed special categories of personal data within GDPR.
Sensitive data consists of:
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Data concerning health
• Sexual orientation/ sex life
• Genetic data
• Biometric data
SENSITIVE DATA
• Legitimate interest - processing is necessary for the purposes
of the interests pursued by the RSC except where such
interests are overridden by the fundamental rights and
freedoms of the data subject.
• Contract - processing is necessary for the performance of a
contract to which the data subject is party.
• Consent - when the data subject has given explicit consent to
the processing of their personal data for one or more specific
purposes.
BASIS OF PROCESSING
11
12

7. 8/19/2020
7
 Legitimate interests is the most flexible lawful basis for
processing, but you cannot assume it will always be
appropriate
 Legitimate is not centered around a particular purpose and it
is not processing that the individual has specifically agreed
to (consent). Legitimate interest is more flexible and could in
principle apply to any type of processing for any reasonable
purpose
 This puts the onus on you to balance your legitimate
interests and the necessity of processing the personal data
against the interests, rights and freedoms of the individual
taking into account the particular circumstances
LEGITIMATE INTEREST
 You can rely on legitimate interest for marketing activities if you can show
that how you use people’s data is proportionate, has a minimal privacy
impact, and people would not be surprised or likely to object
Purpose test: are you pursuing a legitimate interest?
Necessity test: is the processing necessary for that purpose?
Balancing test: do the individual’s interests override the
legitimate interest?
 Do not use legitimate interests if:
 you are using personal data in ways people do not understand
 if you think some people would object if you explained it to them
 If processing that could cause harm
 unless you are confident there is nevertheless a compelling reason to go
ahead which justifies the impact.
LEGITIMATE INTEREST
13
14

8. 8/19/2020
8
 Where consent is the basis for processing, GDPR requires it to be freely
given, specific, informed and unambiguous
 Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other
method of default consent
 Explicit consent requires a very clear and specific statement of consent
 Vague or blanket consent is not enough
 Name any third parties who will rely on the consent
 Make it easy for people to withdraw consent and tell them how
 Keep evidence of consent - who, when, how, and what you told people
CONSENT
ERM DEFINED:
“… a process, effected by an entity's board of
directors, management and other personnel,
applied in strategy setting and across the
enterprise, designed to identify potential events
that may affect the entity, and manage risks to
be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity
objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.
15
16

9. 8/19/2020
9
THE ERM FRAMEWORK
Entity objectives can be viewed in the
context of four categories:
 Strategic
 Operations
 Reporting
 Compliance
THE ERM FRAMEWORK
ERM considers activities at all levels
of the organization:
 Enterprise-level
 Division or
subsidiary
 Business unit
processes
17
18

10. 8/19/2020
10
GDPR RELATIONSHIP TO COSO
INTEGRATED FRAMEWORK
 Expands and elaborates on elements
of internal control as set out in COSO’s
“control framework.”
 Includes objective setting as a separate component.
Objectives are a “prerequisite” for internal control.
 Expands the control framework’s “Financial
Reporting” and “Risk Assessment.”
INTERNAL AUDIT WITHIN ERM
20
Facilitating the identification and evaluation of risks
Coaching management in responding to risks
Coordinating ERM activities
Consolidating the reporting on risks
Maintaining and developing the ERM framework
Championing establishment of ERM
Developing risk management strategy for board
approval
19
20

11. 8/19/2020
11
ERM POLICIES AND
PROCEDURES
21
Required
 Clear, concise & easy to
understand
 Risk management policy
 Risk management strategy
 Risk management plan
 Risk management toolkit
 (procedures, approach, forms,
templates)
 Risk management technology -
streamline processes
 Supporting policies
 Supporting plans and strategies
 Supporting procedures (controls)
IA Role
 Review ERM Strategy, ERM
policy, ERM procedures for
appropriateness
 Align Audit Plan to RRM Plan
(where possible)
 Audit of systems and processes
to ensure ERM framework is
working
IA ROLES
22
21
22

12. 8/19/2020
12
GDPR GAP ANALYSIS
Phase I
Information Gathering
• Conduct interviews /
gather information
• Identify risk universe
• Define and develop
cost of risk data
• Conduct gap analysis
Phase II
Setting the Stage
• Develop overall
risk management
vision
• Create risk
management
scorecard / Gap
analysis
• Identify key risk
projects /
activities needed
to achieve risk
management
excellence
• Understand cost /
benefit of
potential risk
management
strategies
Phase III
Executive Support
• Obtain support of
risk management
leaders
• Present overall
objectives and
plan to senior
management
• Develop teams
and tools
• Get moving
• Deliver defined
projects
• Update progress
toward overall
vision
• Measure
performance
• Create linkage to
next steps
• Build feedback loop
to ensure
continued progress
toward goals
Phase IV
Implementation
LEGAL REQUIREMENTS FOR
A DPIA
 A DPIA is a process designed to help you systematically analyze,
identify and minimize the data protection risks of a project or plan
 A Data Protection Impact Assessment (DPIA) within GDPR is a
process to help you identify and minimize the data protection risks of
a project
 Conducting a DPIA is a legal requirement for any type of
processing, including certain specified types of processing that are
likely to result in a high risk to the rights and freedoms of individuals
 Should be carried out “prior to the processing” (GDPR Articles 35(1)
and 35(10)
23
24

13. 8/19/2020
13
GDPR SAYS YOU MUST DO A
DPIA
 If you plan to:
 use systematic and extensive profiling with significant
effects;
 process special category or criminal offence data on a
large scale; or
 systematically monitor publicly accessible places on a
large scale
 use innovative technology (in combination with any of the
criteria from the European guidelines)
 use profiling or special category data to decide on access to
services
 profile individuals on a large scale
 process biometric data (in combination with any of the criteria
from the European guidelines)
GDPR SAYS YOU MUST DO A
DPIA
 If you plan to:
 process genetic data (in combination with any of the criteria
from the European guidelines)
 match data or combine datasets from different sources
 collect personal data from a source other than the individual
without providing them with a privacy notice (‘invisible
processing’) (in combination with any of the criteria from the
European guidelines)
 track individuals’ location or behavior (in combination with any
of the criteria from the European guidelines)
 profile children or target marketing or online services at them
 process data that might endanger the individual’s physical
health or safety in the event of a security breach
25
26

14. 8/19/2020
14
WHAT’S IN A DPIA
 Your DPIA must:
 describe the nature, scope, context and purposes of the
processing
 assess necessity, proportionality and compliance measures
 identify and assess risks to individuals
 identify any additional measures to mitigate those risks
WHEN TO CONDUCT A DPIA
If we plan to carry out any:
 evaluation or scoring;
 automated decision-making with significant effects;
 systematic monitoring;
 processing of sensitive data or data of a highly personal nature;
 processing on a large scale;
 processing of data concerning vulnerable data subjects;
 innovative technological or organizational solutions;
 processing that involves preventing data subjects from exercising a right
or using a service or contract.
27
28

15. 8/19/2020
15
CONDUCTING THE DPIA
 Data Protection Impact Assessment (DPIA) Fact Sheet
https://www.snowflake.com/wp-content/uploads/2020/08/DPIA-Fact-
Sheet.pdf
 Gydeline Simple DPIA Template
https://gydeline.com/grc/compliance/regulations/simple-dpia-template/
 DPIA Tools
 OneTrust
 Vigilant Software
 Others
https://www.g2.com/categories/privacy-impact-assessment-pia
ONETRUST
 OneTrust is the #1 most widely used privacy, security and trust
technology. More than 6,000 customers, including half of the Fortune
500, use OneTrust to build integrated programs that comply with the
CCPA, GDPR, LGPD, PDPA, ISO27001 and hundreds of the world’s
privacy and security laws. The OneTrust platform is powered by the
OneTrust Athena™ AI and robotic automation engine
https://www.onetrust.com/products/assessment-automation
29
30

16. 8/19/2020
16
VIGILANT SOFTWARE
 Vigilant Software
 DPIA Tool – Conduct a data protection impact assessment in six
simple steps
 Assess and treat data security risks for every process in your
organization.
 Easily demonstrate measures taken for GDPR (General Data
Protection Regulation) compliance, essential to help you meet Article
35 requirements.
 Avoid unnecessary work with screening questions to determine if a
DPIA (data protection impact assessment) is necessary.
 Export reports, and share findings with stakeholders and third parties.
 Avoid errors and ensure completeness with a proven tool, aligned with
the GDPR and ICO’s (Information Commissioner’s Office)
requirements.
 Review, update and maintain DPIAs year after year.
https://www.vigilantsoftware.co.uk/topic/dpia
QUESTIONS?
Any Questions?
Don’t be Shy!
31
32

17. 8/19/2020
17
AUDITNET® AND CRISK
ACADEMY
• If you would like forever
access to this webinar
recording
• If you are watching the
recording, and would like
to obtain CPE credit for
this webinar
• Previous AuditNet®
webinars are also
available on-demand for
CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a
discount on this webinar for one week
THANK YOU!
Page 34
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email:info@auditnet.org
www.auditnet.org
Follow Me on Twitter for Special Offers - @auditnet
Join my LinkedIn Group –
https://www.linkedin.com/groups/44252/
Like my Facebook business page
https://www.facebook.com/pg/AuditNetLLC
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino
33
34