Clinic IA PDPA for Internal auditors, 30.5.2563 (30 May 2020), ISACA Bangkok Chapter. Speakers: คุณสมชัย แพทย์วิบูลย์, คุณกุสล ปิ่นมุข


The Personal Data Protection Act (PDPA)

• Chapter 1: Personal Data Protection Committee

• Chapter 2: Protection of personal data

• Chapter 3: Rights of the data subject

• Chapter 4: Office of the Personal Data Protection Committee

• Chapter 5: Complaints

• Chapter 6: Civil liability

• Chapter 7: Penalties

• Transitional provisions

To whom does the PDPA not apply?

Does it apply to data controllers and data processors located outside the Kingdom?

• https://www.etda.or.th/download-publishing/139/

COBIT 5: the 7 enablers

The Role of Internal Audit and Risk Management

• The internal audit and risk management functions are well placed to provide insight about PDPA through assurance to boards and senior management, as well as to other stakeholders. They can assist in understanding the various risks of non-compliance, which go beyond the potentially significant fines.

• The importance of strong corporate governance remains a key aspect of complying with the regulation.

What role can internal auditors play in PDPA compliance?

• As a function that has a holistic view of the organization

• Internal audit plays a role in evaluating the organization’s PDPA compliance

• By taking up the role of a strategic partner of the data protection officer

• Internal auditors can help to guide the company strategy, raise awareness, assess the potential risks, identify gaps, and test the remediated procedures.

The internal audit and the data protection officer: The perfect allies

• The DPO will have to rely on the input and collaboration of the other functions within the organization. Picking internal audit as an ally makes sense, as both functions have the same objective: to minimize the risk.

• IA performs independent assessments and reports on the effectiveness of implemented measures through the testing of controls as defined in the internal audit plan.

• The identification of potential weaknesses provides information to the DPO in order to orchestrate the next steps to achieve PDPA compliance.

• The alliance is also beneficial for IA: Auditors can leverage the expert knowledge of the DPO to signal the organizational risks related to the PDPA as well as to define the controls of the internal audit.

How can IA enable PDPA compliance?

• IA has the unique position to fulfill an awareness-creating function from start to end of a PDPA compliance exercise.

• IA has the responsibility to highlight that noncompliance can heavily impact the assets of the organization.

• IA’s findings are an effective management tool to advocate the adoption of a proactive and best practice approach toward PDPA compliance.

• After the implementation of a PDPA program, IA can instill confidence by performing an independent review of the effectiveness of measures as a part of the internal audit controls.

• The findings serve as an objective risk and compliance assurance to the board and management.

Demonstrating compliance

• During a "test of design," IA reviews whether all documentation (framework, policies, procedures, etcetera) is available and whether it meets the requirements of the PDPA.

• The DPO can provide assistance to determine which documentation is relevant in the organizational-specific environment.

• Once the relevant documentation is in place, a test of effectiveness can be developed where the IA will test whether the departments, functions and/or processes effectively implemented the controls.

• In cases where the organization considers an area as nonapplicable for testing, the reasoning should also be recorded.

How to set up an audit plan: Determine the scope and priorities

• IA starts off with a full risk assessment of the possibility of a personal data breach.

• This assessment provides the main guidance on which departments, functions and/or processes should be audited, which one gets priority, and how often each should be audited.

• The outcome of the risk assessment will depend on the likelihood of occurrence, the impact, and the mitigating controls.

• In order to test the effectiveness of implemented policies and processes, IA will audit the policies, processes and supporting IT systems for the entire data life cycle used by the team or department.

Approaches to compliance

• “Compliance” based compliance

• “Risk” based compliance

• “Ethics” based compliance

The Compliance based approach

• “Can We?” The answer is either “We can” or “We cannot”.

• If you breach this rule, you are not compliant and may suffer the consequence

• Letter of the law, not the spirit

• These regulatory compliance requirements reflect the risk appetite of society in which we operate.

• “We have no appetite or tolerance to not comply with all applicable external regulatory and contractual compliance requirements”.

The Risk based approach

• The risks and rewards

• This is the “Should We?” question

• What is cost and what is benefit?

• Focused on the risks and rewards to the shareholder

The Ethics based approach

• An ethics based approach is an extension of the risk based approach. It now adds consideration of the risks and rewards of all stakeholders including customers, shareholders, society, environment, regulators, members, suppliers and so on.

• This is the “Would I?” test. Would I travel this fast with my baby in the car? In business, this adds a further layer of risk appetite based on the risks of all stakeholders. For a Financial Institution some “Would I?” questions might be “Would I sell this insurance to my Mother?”, “Would I sell this loan to my Father?”

• It is now focusing on the full spirit and not just the letter of the law.

Privacy Audit Benefits

• Measures and helps improve compliance with the organization’s data protection system.

• Increases the level of data protection awareness among management and staff.

• Provides information for a data protection system review.

• Improves customer satisfaction by reducing the likelihood of errors leading to a complaint.

Internal audit results may lead to:

• Measuring maturity.

• Raising awareness and influencing commitment.

• Assessing policies and procedures.

• Performing or supporting risk assessments.

• Recommending the establishment of a privacy officer.

• Compliance audits.

• Evaluation of functions, processes, controls, products, and services.

• Establishment and/or validation of self-assessments.

• Recommendations, action plans, and implementation monitoring.

An effective privacy program that includes:

• Privacy governance and accountability.

• Written policies and procedures.

• Controls and processes.

• Roles and responsibilities.

• Training and education of employees.

• Monitoring and auditing.

• Information security practices.

• Incident response plans.

• Plans for responding to detected problems and corrective action.

Specific activities internal auditors may perform

• Working with legal counsel to determine what privacy legislation and regulations would be applicable to the organization.

• Working with information technology management and business process owners to assess whether information security and data protection controls are in place and are reviewed regularly.

• Conducting privacy risk assessments, or reviewing the effectiveness of privacy policies, practices, and controls across the organization.

• Identifying the types of personal information collected, the collection methodology used, and whether the organization’s use of the information is in accordance with its intended use.

• Reviewing policies, procedures, and guidelines governing data flows and handling procedures designed to safeguard the privacy of personal information, with a focus on identifying potential opportunities to standardize data protection practices across the organization.

• Conducting an assessment of service providers’ interactions, including a review of procedures and controls over providers who manage personally identifiable information or sensitive data on behalf of the organization.

• Reviewing current training practices and materials, and inventorying the privacy awareness and training materials available and needed.

Typical areas that internal auditing may review include

• Management oversight.

• Privacy policies and controls.

• Applicable privacy notices.

• Types and appropriateness of information collected.

• Systems that process personal information.

• Collection methodologies.

• Uses of personal information according to stated intent, applicable laws, and other regulations.

• Security practices covering personal information.

Key Privacy Risks and Actions

Privacy Impacts

• Threats to Organizations

• Threats to Stakeholders

• Threats to Individuals

• Threats to Society

Good privacy management

• Performing adequate and regular privacy risk assessments.

• Establishing a privacy officer to be available to act as the focal point for the coordination of privacy-related activities and the handling of complaints and issues.

• Developing awareness around key data handling and identity theft risks.

• Masking personal identification numbers, such as Social Security numbers, and other sensitive information when possible.

• Supervising and training call center staff to prevent social engineering and similar risks.

• Managing marketing lists and all third-party vendor relationships effectively.

• Creating awareness of web and e-mail vulnerabilities.

• Developing record retention and destruction policies.

• Implementing a data classification scheme based on the sensitivity and data mapping.

• Conducting risk assessments of access controls, physical security access restrictions, and change controls.

• Implementing intrusion detection and prevention technologies.

• Completing penetration testing and independent testing/review of key controls, systems, and procedures.

Four major areas of risk

• Legal and Organizational Risks

• Infrastructure Risks (CIA)

• Application Risks

• Business Process Risks

Where does Thailand rank?

What data must be recorded under the PDPA?

Are photographs and video recordings permitted?

What are the penalties?

• Criminal penalty: imprisonment of up to 1 year and a fine of up to 1 million baht

• Civil liability: compensation of up to 2 times the actual damages

• Administrative penalty: a fine of up to 5 million baht

• GDPR

• Companies or organizations that do not comply with the GDPR may face penalties and sanctions of up to 4% of global annual turnover or €20 million (whichever is greater)

What is data anonymization?

• Data anonymization can be viewed as a data security measure that serves the objective of preserving the confidentiality of the data.

The difference between anonymization and pseudonymization

• Anonymization irreversibly destroys any way of identifying the data subject.

• Pseudonymization substitutes the identity of the data subject in such a way that additional information is required to re-identify the data subject.

Popular data anonymization techniques

• Scrambling: mixing the data by rearranging the order of the characters in the data according to a given rule

• Masking

• Hashing

• Blurring or Noising
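As an added example (not from the slides), masking, unkeyed hashing and keyed pseudonymization applied to constructed 13-digit identifiers, with a defender's check showing why an unkeyed hash of a guessable value stays linkable and can be re-matched, while the HMAC token needs the separately held key, which is the "additional information" that makes it pseudonymization rather than anonymization.

```python
import hashlib
import hmac
import secrets

# Constructed sample: fake 13-digit values in the shape of a Thai national
# ID number; they belong to no real person.
SAMPLE_IDS = ["1234567890123", "1234567890124", "9876543210987"]

def mask_id(national_id, keep_last=4):
    """Masking: keep only the last digits. Irreversible, but the value can
    no longer be used as a join key either."""
    return "X" * (len(national_id) - keep_last) + national_id[-keep_last:]

def plain_hash(value):
    """Unkeyed SHA-256: deterministic, so records stay linkable, and anyone
    who can enumerate the candidate values can recompute and match it."""
    return hashlib.sha256(value.encode()).hexdigest()

def pseudonymize(value, key):
    """Pseudonymization with HMAC-SHA256: the key is the 'additional
    information' kept apart from the data set; only its holder can re-link."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def rematch(token, candidates):
    """Defender's check: can a token be tied back to one of a list of
    candidate identifiers by recomputing the unkeyed hash?"""
    for candidate in candidates:
        if plain_hash(candidate) == token:
            return candidate
    return None

def demo():
    key = secrets.token_bytes(32)  # stored separately from the data set
    nid = SAMPLE_IDS[0]
    token = pseudonymize(nid, key)
    return {
        "masked": mask_id(nid),
        "plain_hash_rematched": rematch(plain_hash(nid), SAMPLE_IDS),
        "hmac_rematched": rematch(token, SAMPLE_IDS),  # None: key needed
        "hmac_linkable": pseudonymize(nid, key) == token,  # same token
    }
```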

Example: an aggregation setting

• After the data identifying the individual has been removed,

• but if the person accessing the data knows for certain that the data subject is in the sample group whose data was collected, and knows some of the subject's attributes, for example that the subject is male,

• and if that data is disclosed and every male in the group shares one particular attribute, for example they all have blood group AB, then personal data must be considered to have been disclosed, even though the person accessing the data cannot tell which member of the sample group the data subject is.

A is in the sample group of male students

All male students have blood group AB

Therefore, A has blood group AB
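The classroom case above as an added example (not part of the slides): a Python check over a constructed class list with names already removed, which flags equivalence classes where everyone shares the same sensitive value (the l-diversity idea) and shows what an observer who knows only "a male student in class 6/1" can infer.

```python
from collections import defaultdict

# Constructed class list with names and student numbers already removed.
# gender and class are quasi-identifiers; blood_group is the sensitive value.
RECORDS = [
    {"gender": "M", "class": "6/1", "blood_group": "AB"},
    {"gender": "M", "class": "6/1", "blood_group": "AB"},
    {"gender": "M", "class": "6/1", "blood_group": "AB"},
    {"gender": "F", "class": "6/1", "blood_group": "A"},
    {"gender": "F", "class": "6/1", "blood_group": "O"},
    {"gender": "F", "class": "6/1", "blood_group": "B"},
]
QUASI_IDS = ["gender", "class"]

def equivalence_classes(records, quasi_ids):
    """Group rows that share the same quasi-identifier values."""
    groups = defaultdict(list)
    for row in records:
        groups[tuple(row[q] for q in quasi_ids)].append(row)
    return groups

def homogeneous_groups(records, quasi_ids, sensitive, min_distinct=2):
    """Groups whose sensitive attribute has fewer than min_distinct distinct
    values: attribute disclosure even when the group itself is large
    (the l-diversity check). Returns {group: (size, values)}."""
    leaks = {}
    for key, rows in equivalence_classes(records, quasi_ids).items():
        values = sorted({row[sensitive] for row in rows})
        if len(values) < min_distinct:
            leaks[key] = (len(rows), values)
    return leaks

def infer(records, quasi_ids, sensitive, known):
    """What an observer learns who knows only a subject's quasi-identifiers
    (e.g. 'A is a male student in 6/1'): the value if the whole group
    agrees, otherwise None."""
    key = tuple(known[q] for q in quasi_ids)
    rows = equivalence_classes(records, quasi_ids).get(key, [])
    values = {row[sensitive] for row in rows}
    return values.pop() if len(values) == 1 else None
```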

Example

• Every morning, Monday through Friday, Bob goes to the same coffee shop and buys the same coffee and scone for breakfast. He always uses his debit card. On Friday night, he always withdraws $200 from the ATM next to his office, because it’s poker night with his buddies.

• Even if the organization has “anonymized” Bob’s personally identifiable data (destroyed his name, address, etc.), his behavior allows us to indirectly re-identify him (all of these transactions reference the same person, because we can identify his predictable behavior). Therefore, the data set has not been properly anonymized.

• To properly anonymize this data, we might have to use additional methods to ‘hide’ individual behavior. For example, we might only store records based on some kind of grouping.

• “50 people went to this coffee shop every morning.” “100 people got money from this ATM every Friday.” “A total of $100,000 was taken from this ATM on Friday.” “30 people bought scones today”

• Now the data has been anonymized, because we have no way of seeing Bob’s predictable pattern of behavior.
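Bob's case as an added example, not from the original slides: a constructed pseudonymized transaction log in Python, a function showing that the one token whose visits contain Bob's known habits is unique (and so re-identifiable even though every direct identifier was destroyed), and the grouped release the slides suggest, with a minimum-count threshold so that cells describing one or two people are suppressed.

```python
from collections import Counter, defaultdict

# Constructed, pseudonymized log: names and addresses are gone and each card
# is an opaque token. Fields: (token, merchant, weekday, amount); Monday = 0.
TRANSACTIONS = [
    # token T1 behaves like Bob: same coffee shop Mon-Fri, $200 ATM on Friday
    *[("T1", "coffee_shop_7", day, 6.50) for day in range(5)],
    ("T1", "atm_42", 4, 200.00),
    # other customers with less regular habits
    ("T2", "coffee_shop_7", 0, 4.00), ("T2", "coffee_shop_7", 2, 4.00),
    ("T3", "atm_42", 4, 200.00), ("T3", "coffee_shop_7", 1, 6.50),
    ("T4", "coffee_shop_7", 3, 6.50), ("T4", "atm_42", 1, 60.00),
]

def behaviour_fingerprint(transactions):
    """Per token, the set of (merchant, weekday) pairs it was seen at."""
    fingerprints = defaultdict(set)
    for token, merchant, weekday, _amount in transactions:
        fingerprints[token].add((merchant, weekday))
    return fingerprints

def matching_tokens(transactions, known_habits):
    """Tokens whose fingerprint contains every habit an observer already
    knows about one person. Exactly one match means that person has been
    re-identified, so the data set was not properly anonymized."""
    fingerprints = behaviour_fingerprint(transactions)
    return [t for t, seen in fingerprints.items() if known_habits <= seen]

def aggregate(transactions, min_count=1):
    """Release only per-(merchant, weekday) counts and totals, dropping cells
    with fewer than min_count people; no token survives into the output."""
    counts, totals = Counter(), Counter()
    for _token, merchant, weekday, amount in transactions:
        counts[(merchant, weekday)] += 1
        totals[(merchant, weekday)] += amount
    return {cell: (n, round(totals[cell], 2))
            for cell, n in counts.items() if n >= min_count}
```

The tiny counts here only illustrate the mechanism; the slides' own release uses groups of 50 and 100 people, which is the kind of threshold min_count should be set to in practice.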

Are IP addresses generated when users visit websites personal information?

• Under the EU General Data Protection Regulation and EU case law, IP addresses (both static and dynamic) are considered personal data, while definitions of personal information in the U.S. Privacy Act and many state privacy laws include neither IP addresses nor the other HTTP header information that website hosts regularly collect about their visitors.

Must cookie consent follow the GDPR model?

• The GDPR and the CJEU ruling on valid consent in the European Union have cemented the legal fact that websites must obtain specific, explicit and actively given consent from the user before any activation of cookies and any collection or processing of personal data can take place.

Other questions

• Data subject verification: how should it be done?

• How do a Controller and a Processor differ?

• Notification notices under Section 23 and Section 92: how are they the same or different?

• What are the powers and duties of the DPO?

• What controls must a consent system have?

• How should the photographing of crowds and of children be controlled?

• Is it acceptable not to define how long data is retained?

• Is an all-encompassing privacy policy a good idea?

• If a business partner does not accept the notification, or refuses to act on it, can it be enforced unilaterally?