4: Privacy Operational Life Cycle: Assess: Data Assessments Flashcards
What is a data assessment?
inventory, manage and track information
determine the impact organizational systems and processes will have on privacy
Tools to help organizations identify privacy risks
Examples of data assessment tools?
PIAs (privacy impact assessments)
DPIA (data protection impact assessments)
Data Inventories (aka data-mapping assessments)
Three Lines Model with respect to enterprise risk management
1: Periodic privacy risk assessments
2: compliance or privacy function
3: internal audit function
Data Governance Framework
a framework that provides the approach to collect, manage, secure and store data
Ten Data management areas
- Data Architecture
- Data Modeling and Design
- Data Storage and Operations
- Data Security
- Data integration and interoperability
- Documents and content
- Reference and master data
- Data warehousing and BI
- Metadata
- Data quality
Data Governance within an organization (at what levels)?
Strategic - a data steering committee with C-level individuals. Steers and approves corporate data strategy, data governance, and data policies
Managerial - data owners, business leads responsible for data domain or data asset. Accountable for delivering data
Operational - data stewards, SMEs in a data domain or data asset responsible for the day-to-day management
Required for Article 30 of GDPR
Purpose of a Data Inventory (Map)
Where does the data reside? How is it used? Why is it important? How does it move across systems? How is it shared and organized? Where is it physically located?
What should a Data Inventory include?
- the nature of the repository (context and purpose?)
- the owner of the repository
- legal entity of the processing
- volume of information in the repository
- format of the information
- use of the info
- data retention
- types of info
- where is it stored?
- where is it accessed?
- international transfers (where does the data flow)?
- with whom is the data shared?
- transfer mechanisms
Processing Activities (Art 30 GDPR)
- the name of the controller/processor, DPO or data protection rep
- name and contact of joint controllers
- purpose for processing
- categories of personal data and data subjects
- categories of recipients
- any international transfers to other countries
- safeguards for exceptional transfers of PI to third countries or international orgs
- retention periods
- general description of the technical and org security measures
How to gather info to create a data inventory
- identify and interview data owners, or functional leads if owners unknown
- records or data team (data custodians - holders of the data)
- digital marketing team
- corporate counsel team
- IT (DBAs, backups and continuity (what is retained, what needs to be restored))
- software team
- compliance team
- Administrator who handles DSARs
Gathering info for data inventory - other things to consider
- how is the data processed
- type of encryption used
- retention periods
- who has access
- who is it disclosed to
- legal basis for processing the data
Three types of assessments and impact assessments…
- Privacy assessment
- Privacy Impact Assessment
- Data Protection Impact Assessment
Privacy Assessment
- measuring compliance with laws, regulations, adopted standards, internal policies and procedures
- scope: education and awareness, monitoring and responding to regulatory environment; data, systems and process assessments; risk assessments; incident response; contracts; remediation; program assurance (incl audits)
- may be internal or external
Privacy Impact Assessment
analysis of privacy risks associated with processing PI in relation to a project, product or service
should suggest or provide remedial action or mitigations to avoid/reduce risks
PIAs help facilitate PbD (privacy by design)
Best time for a PIA?
- early
- during the ideation or scoping stage
- with new or revised industry standards, org policies or laws and regs
- when new privacy risks are created with changes in handling of PI
Triggers for a PIA?
- re-identification of information
- conversions of records from paper to electronic
- significant merging, matching and manipulation of multiple databases containing PI
- Application of MFA
- new uses or application for technologies
- retiring systems that held PI
- adding PI into existing DB
- projects with a third-party service provider
ISO & PIAs (5 steps)
- Identifying information flow of PII
- Analyzing the implications of the use case
- Determining the relevant privacy-safeguarding requirements
- Assessing privacy risk using steps of risk identification, risk analysis and risk evaluation
- Preparing to treat privacy risk using a privacy risk treatment option; determining controls and privacy risk treatment plans
Follow up phase:
prepare and publish the PIA report
implement the privacy risk treatment plan
review the PIA and reflect changes to the process
DPIA - purpose
a process designed to identify risks arising out of the processing of personal data and to minimize the risks as much and as early as possible
tool to negate risks and demonstrate compliance with GDPR
When is a DPIA required?
when processing is “likely to result in a high risk to the rights and freedoms of natural persons”
- automated processing, incl profiling, that produces legal effects
- large-scale processing of special categories of data or data related to criminal convictions
- systematic monitoring of a publicly accessible area on a large scale
What should a DPIA include?
- description of the processing, incl purpose and legitimate interest
- necessity of the processing, proportionality and risks to data subjects
- measures to address identified risks
AI Privacy Challenges
Lawfulness, fairness and transparency
- AI inherits makers’ bias, algo might be unfair, algo may not be able to be disclosed (trade secret, IP), difficult to understand how the info is correlated and used
Data minimization and purpose limitation
- often takes huge amounts of PI
- not possible to predict what the algo will learn
- purpose may change as the algo learns
Integrity and confidentiality (security)
- large sets of training and testing data required, have to be copied and imported, shared and stored
- PI used to train AI system could be inferred (model inversion attacks and membership inference attacks)
Privacy Awareness Education Program
Ensures employees are familiar with privacy concepts, risks, policies and procedures
More advanced employee education includes:
role-based training, to equip employees to perform specific functions within the privacy program
e.g. teach managers how to assess privacy program compliance
Ongoing Assessments
- check that employees comply with program requirements
- inspect systems that store and process data
- verify compliance with external regulations
Data minimization
ensure that data are only collected, processed, shared and stored as needed
Records management policies
DLM
Data Lifecycle Management
- framework for managing data as it moves throughout an org
DLM goals (3)
- data security and confidentiality
- data integrity
- data availability
DLM Stages
- Data Collection, acquisition or creation
- Data Storage, organization and backup/recovery
- Data Usage, Sharing and Processing
- Data Archiving
- Data Destruction
Risk Assessment Methods
PTA - privacy threshold analysis
PIA - Privacy impact analysis
DPIA - data protection impact analysis
LIA - Legitimate interest analysis
TIA - transfer impact analysis
Evaluation of Processors and Third-Party Vendors
questionnaires for vendors
- Privacy and information security policies
- Access controls
- where PI is being held
3rd party assessments - sources of info include:
- internal audit (Program Assurance)
- information and physical security - should complement the privacy program
- Data protection authority
other considerations for 3rd party assessments:
- risk assessment
- technologies and processing methods
- legal compliance
- contractual requirements (incident response, etc)
- cross border transfers
Things to consider for Mergers, Acquisitions and Divestitures
- due diligence
- contractual and data sharing obligations
- risk assessment and alignment
- post-integration planning and risk mitigation