4. Data Assessments, Inventory, & Mapping Flashcards
Data Inventory/Map - Record of all personal information your organization stores, uses, and processes.
Data Inventory Uses:
- Regulatory Risk & Compliance Analysis
- Assessing data, systems and processes
- Inform data assessments, priorities, data life cycle management and data classification.
How to create an Inventory of PII being processed, what questions to ask?
Who creates the data inventory?
Which departments may hold/use PII?
What questions should be asked?
Data Life Cycle (CUSAD)
- Collection
- Usage
- Storage
- Archiving
- Destruction
What is a Gap Analysis?
Involves identifying gaps between the standards & laws an organization is subject to and the organization's current compliance efforts. Best to involve the legal team.
Privacy Assessment vs Privacy Impact Assessment
Privacy Assessment - measures an organization’s compliance with laws, regulations, and standards. Involves use of subjective standards and objective standards.
Privacy Impact Assessment - Assesses privacy risks associated with processing PII in relation to a new project, product, or service. Requirements around PIAs may be mandated by industry, organization policy, and laws & regulations.
Triggers for a PIA
- Preparing for the deployment of a project, product, or service that includes the collection of PII.
- New or revised industry standards, organizational policies, or laws & regulations.
- Organizational changes to methods in which PII is handled.
What is a DPIA and what should be included in it?
Not simply a PIA, but rather a mandatory compliance requirement under the General Data Protection Regulation (GDPR).
DPIAs should include:
1. Description of Processing
2. Purpose of Processing
3. Legitimate Interest being pursued
4. Necessity of Processing
5. Risks to Data Subjects
6. Address Risks Identified
Triggers for DPIA
Processing that is "likely to entail a high risk to the rights and freedoms of natural persons," and the use of new technology.
Mergers, Acquisitions, and Divestitures
Should include a privacy checkpoint, a chance to evaluate:
- New Compliance Requirements
- Existing Client Agreements
- New Resources, Technologies, & Processes
- Applicable Laws & Standards
Vendor Management
Vendor Assessment - the evaluation of a vendor's privacy and information security policies, access controls, where PII is being held, and who has access to it.
Assess Vendor Risk: Privacy/Security Questionnaires and PIAs
New Technology ALWAYS requires an assessment.
What to focus on when Assessing Cloud Computing Vendors
Areas of Focus:
- Review Certifications and Standards
- Service Roadmap
- Information Security
- Subcontractors
- Service Dependencies
- Data Policies and Protection
Data governance levels (SMO)
- Strategic: data steering committee, c-level
- Managerial: data owners, functional leads
- Operational: data stewards, SMEs
Article 30 (GDPR) - Privacy Records Detail Must Include
Records must include:
- Name and contact details of the controller or processor, DPO, and/or data protection rep
- Name and contact details of any joint controllers
- Purpose for the processing (for controllers)
- Description of categories of personal data and subjects (controllers) or processing (processors)
- Categories of recipients (for controllers)
- International transfers to third countries or multinational orgs
- Where applicable, safeguards in place for exceptional transfers
- Where possible, retention periods for various categories of personal data (for controllers)
- General description of technical and org security measures.
Must be disclosed to a data protection authority upon request.
Required for companies of 250 employees or more; smaller organizations are exempt only if the processing is occasional and not sensitive.
Data inventory should include:
What is the context and purpose of the repository?
Who is the owner?
Which legal entity?
How much data (personal and sensitive)?
Format (physical or electronic, structured or unstructured)
How is it used?
Data retention
Type of elements and data subjects
Where is it stored?
Where is it accessed?
International transfers
Third party disclosure or sharing?
Transfer mechanisms