4: Privacy Operational Life Cycle: Assess: Data Assessments Flashcards

1
Q

What is a data assessment?

A

inventory, manage and track information
determine the impact organizational systems and processes will have on privacy
Tools to help organizations identify privacy risks

2
Q

Examples of data assessment tools?

A

PIAs
DPIA (data protection impact assessments)
Data Inventories (aka data-mapping assessments)

3
Q

Three Lines Model wrt enterprise risk management

A

1: Periodic privacy risk assessments
2: compliance or privacy function
3: internal audit function

4
Q

Data Governance Framework

A

framework provides the approach to collect, manage, secure and store data

5
Q

Ten Data management areas

A
  1. Data Architecture
  2. Data Modeling and Design
  3. Data Storage and Operations
  4. Data Security
  5. Data integration and interoperability
  6. Documents and content
  7. Reference and master data
  8. Data warehousing and BI
  9. Metadata
  10. Data quality
6
Q

Data Governance within an organization (at what levels)?

A

Strategic - a data steering committee with C level individuals. Steers and approves corporate data strategy, data governance, and data policies
Managerial - data owners, business leads responsible for data domain or data asset. Accountable for delivering data
Operational - data stewards, SMEs in a data domain or data asset responsible for the day-to-day management

Required for Article 30 of GDPR

7
Q

Purpose of a Data Inventory (Map)

A

Where does the data reside? how is it used? why is it important? how does it move across systems? how is it shared and organized? where is it physically located?

8
Q

What should a Data Inventory include?

A
  • the nature of the repository (context and purpose?)
  • the owner of the repository
  • legal entity of the processing
  • volume of information in the repository
  • format of the information
  • use of the info
  • data retention
  • types of info
  • where is it stored?
  • where is it accessed?
  • international transfers (where does the data flow)?
  • whom is the data shared with?
  • transfer mechanisms
9
Q

Processing Activities (Art 30 GDPR)

A
  • the name of the controller/processor, DPO or data protection rep
  • name and contact of joint controllers
  • purpose for processing
  • categories of personal data and data subjects
  • categories of recipients
  • any international transfers to other countries
  • safeguards for exceptional transfers of PI to third countries or international orgs
  • retention periods
  • general description of the technical and org security measures
10
Q

How to gather info to create a data inventory

A
  • identify and interview data owners, or functional leads if owners unknown
  • records or data team (data custodians - holders of the data)
  • digital marketing team
  • corporate counsel team
  • IT (DBAs, backups and continuity (what is retained, what needs to be restored))
  • software team
  • compliance team
  • Administrator who handles DSARs
11
Q

Gathering info for data inventory - other things to consider

A
  • how is the data processed
  • type of encryption used
  • retention periods
  • who has access
  • who is it disclosed to
  • legal basis for processing the data
12
Q

Three types of assessments and impact assessments…

A
  1. Privacy assessment
  2. Privacy Impact Assessment
  3. Data Protection Impact Assessment
13
Q

Privacy Assessment

A
  • measuring compliance with laws, regulations, adopted standards, internal policies and procedures
  • scope: education and awareness, monitoring and responding to regulatory environment; data, systems and process assessments; risk assessments; incident response; contracts; remediation; program assurance (incl audits)
  • may be internal or external
14
Q

Privacy Impact Assessment

A

analysis of privacy risks associated with processing PI in relation to a project, product or service
should suggest or provide remedial action or mitigations to avoid/reduce risks
PIAs help facilitate PbD

15
Q

Best time for a PIA?

A
  • early
  • during the ideation or scoping stage
  • with new or revised industry standards, org policies or laws and regs
  • when new privacy risks are created with changes in handling of PI
16
Q

Triggers for a PIA?

A
  • re-identification of information
  • conversions of records from paper to electronic
  • significant merging, matching and manipulation of multiple DB containing PI
  • Application of MFA
  • new uses or application for technologies
  • retiring systems that held PI
  • adding PI into existing DB
  • projects with a third-party service provider
17
Q

ISO & PIAs (5 steps)

A
  1. Identifying information flow of PII
  2. Analyzing the implications of the use case
  3. Determining the relevant privacy-safeguarding requirements
  4. Assessing privacy risk using steps of risk identification, risk analysis and risk evaluation
  5. Prep to treat privacy risk using a privacy risk treatment option; determine controls and privacy risk treatment plans
    Follow up phase:
    prep and publish PIA report
    implement the privacy risk treatment plan
    review the PIA and reflect changes to the process
18
Q

DPIA - purpose

A

a process designed to identify risks arising out of the processing of personal data and to minimize the risks as much and as early as possible
tool to negate risks and demonstrate compliance with GDPR

19
Q

When is a DPIA required?

A

when processing is “likely to result in a high risk to the rights and freedoms of natural persons”
- automated processing, incl profiling, that produces legal effects
- large scale of special categories of data or data related to criminal convictions
- systematic monitoring of a publicly accessible area on a large scale

20
Q

What should a DPIA include?

A
  • description of the processing, incl purpose and legitimate interest
  • necessity of the processing, proportionality and risks to data subjects
  • measures to address identified risks
21
Q

AI Privacy Challenges

A

Lawfulness, fairness and transparency
- AI inherits makers’ bias, algo might be unfair, algo may not be able to be disclosed (trade secret, IP), difficult to understand how the info is correlated and used
Data minimization and purpose limitation
- often takes huge amounts of PI
- not possible to predict what the algo will learn
- purpose may change as the algo learns
Integrity and confidentiality (security)
- large sets of training and testing data required, have to be copied and imported, shared and stored
- PI used to train AI system could be inferred (model inversion attacks and membership inference attacks)

22
Q

Privacy Awareness Education Program

A

Ensures employees are familiar with privacy concepts, risks, policies and procedures

23
Q

More advanced employee education includes:

A

role-based training, to equip employees to perform specific functions within the privacy program
i.e. teach managers how to assess privacy program compliance

24
Q

Ongoing Assessments

A
  • check that employees comply with program requirements
  • inspect systems that store and process data
  • verify compliance with external regulations
25
Q

Data minimization

A

ensure that data are only collected, processed, shared and stored as needed
Records management policies

26
Q

DLM

A

Data Lifecycle Management
- framework for managing data as it moves throughout an org

27
Q

DLM goals (3)

A
  1. data security and confidentiality
  2. data integrity
  3. data availability
28
Q

DLM Stages

A
  1. Data Collection, acquisition or creation
  2. Data Storage, organization and backup/recovery
  3. Data Usage, Sharing and Processing
  4. Data Archiving
  5. Data Destruction
29
Q

Risk Assessment Methods

A

PTA - privacy threshold analysis
PIA - Privacy impact analysis
DPIA - data protection impact analysis
LIA - Legitimate interest analysis
TIA - transfer impact analysis

30
Q

Evaluation of Processors and Third-Party Vendors

A

questionnaires for vendors

  • Privacy and information security policies
  • Access controls
  • where PI is being held
31
Q

3rd party assessments - sources of info include:

A
  • internal audit (Program Assurance)
  • information and physical security - should complement the privacy program
  • Data protection authority
32
Q

other considerations for 3rd party assessments:

A
  • risk assessment
  • technologies and processing methods
  • legal compliance
  • contractual requirements (incident response, etc)
  • cross border transfers
33
Q

Things to consider for Mergers, Acquisitions and Divestitures

A
  • due diligence
  • contractual and data sharing obligations
  • risk assessment and alignment
  • post-integration planning and risk mitigation