PON Congres 13 Oktober 2016
Everything you always wanted to know about privacy impact assessments but were afraid to ask
Albert Holl
Copyright © 2016 Capgemini Consulting. All rights reserved.
Introduction
[Map: countries with Capgemini presence: Canada, United States, Mexico, Brazil, Argentina, all over Europe, Morocco, Australia, People's Republic of China, India, Chile, Guatemala, Singapore, Philippines, Taiwan, Vietnam, United Arab Emirates, Malaysia, New Zealand, Japan, South Africa, Colombia]
2,500+ Capgemini resources worldwide with Cybersecurity skills
Service areas (grouped under Strategy, Governance & People; Transformation; Build & Operations):
• Cybersecurity awareness & training
• Security transformation, operating model implementation, program management
• Implementation of security solutions & managed security services (e.g. SOC)
• Digital security assessment & strategy and risk management
• Application security testing & technical security testing (e.g. SCADA)
Agenda:
• Introduction to Privacy Impact Assessments (PIA)
• Privacy impact assessment of the organization
• PIA tooling during implementation and operation
• PIA & Privacy-by-design as an enabler for new digital initiatives
What is a Privacy Impact Assessment? There is a lot of confusion in the market on when and how to conduct a PIA.
In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation. […]
GDPR recital 84
[…] types of processing […] involve using new technologies […] In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk.
GDPR recitals 89, 90
Strictly, the GDPR (art. 35) requires a data protection impact assessment (the GDPR's term for a PIA) where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons; the recitals place it in the broader context of compliance management.
Privacy Impact Assessments (PIAs) can be performed for various purposes, and therefore different approaches are needed in particular contexts
1. PIA on organization - scope: privacy governance & policies
The organizational privacy impact assessment reviews basically all GDPR articles and gives the insight needed to define the organization's privacy governance and policy framework.
2. PIA on operations – scope: business processes, systems & people
The operational privacy impact assessment is closely related to the responsibility of the controller (art. 24 GDPR). It reviews whether the technical and organizational measures of the existing operations comply with the GDPR.
3. PIA on new business initiatives – scope: new product & service development, marketing programs, campaigns, etc.
A data protection impact assessment (as described in art. 35 GDPR) is required where the processing, in particular when using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. Risk-mitigating measures have to be designed into products by design and by default (art. 25 GDPR).
Three different PIA approaches are presented
1. Organizational PIA
Stepping stone to create a comprehensive GDPR governance & policy framework
The Organizational PIA is based on the new EU data privacy regulation, common industry standards and best practices.
Organizational PIA
The main objective of the Organizational PIA is to determine the measures needed to make the organization privacy compliant at a governance and policy level.
In practice, the NYMITY standard provides a good framework to perform the assessment; it contains 55 compliance controls and 84 optional performance indicators. The Organizational PIA is clustered in the following 13 privacy management categories:
1. Governance Structure
2. Personal Data Inventory
3. Privacy Policy
4. Privacy Into Operations
5. Training & Awareness
6. Information Security Risk
7. Manage Third-Party Risk
8. Maintain Notices
9. Right of Individuals
10. New Operational Practices
11. Data Breach Management
12. Data Handling Monitoring
13. Track External Criteria
Deliverables & Reporting
Reporting is arranged according to the NYMITY privacy management categories and based on the individual compliance and performance indicators.
The Organizational PIA delivers the following output:
Compliance report vs. GDPR baseline
GDPR readiness benchmark vs. industry peers
Roadmap of GDPR measures to reach GDPR compliance
Proposal for a phased program approach towards GDPR compliance
Organizations are required to be GDPR compliant by May 25, 2018. A phased program approach is advisable to ensure in-time implementation completion.
Phase 1: Organizational PIA (1-3 months, within budget cycle 2017). The activities of the later phases are detailed based on the Organizational PIA. Typical activities:
1. Conduct stakeholder analysis.
2. Create data protection & privacy target picture 2018.
3. GDPR gap analysis (as-is / to-be).
4. Formulate transition planning and roadmap 2017/18.
5. Define operating model, program structure and planning for the next phases.
6. Develop business case to justify investments in data protection & privacy.
Phases 2-4 together form the Data Protection & Privacy Program:
Phase 2: Concept (±6 months, early 2017 to mid 2017): development of the GDPR policy framework and operating model.
Phase 3: Implementation (±6 months, mid 2017 to end 2017): design of data protection and privacy assets.
Phase 4: Roll-out (±6 months, end 2017 to 25-05-18): pilot & organisation-wide roll-out.
2. Operations PIA
Embedding GDPR requirements in current processes, systems and the hearts & minds of people
An Operations PIA should be performed to assess and consolidate the privacy impact on existing business processes, IT systems and the people involved
Operations PIA
The main objective of the Operations PIA is to measure the gap between the privacy policy framework and the actual operations (read: processes, systems and the hearts and minds of people).
During the execution of the Operations PIA, an individual policy might be applied to hundreds of processes and systems, engaging with large numbers of individuals in the organization. Therefore, a practical and (semi-)automated approach is needed to manage the Operations PIA processes.
Key characteristics of the Operations PIA are:
Assessment of large numbers of processes & systems
Organizational wide engagement with management, policy makers and employees
Risk-based identification of critical assets
Embedded procedure to select processes and systems to perform the Operations PIA’s on
Reporting facilities on GDPR compliance status
Delivery of mitigation proposals
Monitoring of mitigation execution
Tooling
There are different tools available to support Operations PIAs. Usually these tools are workflow based, offer role-based reporting (e.g. privacy officer, system owner, etc.) and provide a privacy compliance dashboard.
Two examples of Operations PIA tools are the NYMITY Attestor and the Capgemini SMART PIA. Using large numbers of spreadsheets has proven not to be practical for performing Operations PIAs.
Tool example: SMART PIA offers a number of standard features and reporting facilities to support Operations PIAs
Features
The SMART PIA tool allows fast and repeatable Operations PIAs on larger numbers of processes and systems. Due to its automated workflow, the assessments are efficient and easy to manage. The individual results can be consolidated in the tool.
Built-in questionnaires are based on the GDPR, and can be enriched with other baselines, e.g. BCRs (Binding Corporate Rules).
Currently the following features are available, or can be provided through configuration:
Privacy Impact Assessments/BCRs
Workflow to support Business/ IT involvement
Management reporting
Data inventory per systems
Vendor risk management assessments
Business impact assessments
Multi-lingual assessments
Multiple jurisdictions supported
Deliverables & Reporting
SMART PIA provides role-based reporting (e.g. privacy officer, system owner, etc.) with dashboards on the following topics:
Triage progress
PIA progress
Gap description
Risk description
Proposed mitigations
Overall PIA Impact
Example of an overall PIA impact report
3. New Business PIA
The GDPR data protection impact assessment and privacy-by-default
Make the approach easy, so you can ALWAYS perform a New Business PIA!
When is a New Business PIA needed?
When do I have to perform a New Business PIA? Art. 35 says ... (advice from the DPA was still awaited at the time of this presentation). The answer proposed here: ALWAYS, and make it EASY.
Business drivers
You want to conduct new business, not be bothered by privacy constraints....
New Business PIA characteristics
• Large numbers (100+) of initiatives, projects and use cases that need to be assessed
• Quick insight provided in the risk profile of all new initiatives
• Short execution lead-times to avoid ROI delay
• The CPO has limited time, so the primary focus is on decision making and high-risk initiatives
• Build privacy compliance into solutions by default
• Align with external customer privacy expectations
Source: Privacy Please: Why Retailers Need to Rethink Personalization, Capgemini Consulting research, 2015, http://bit.ly/1PC5Tia
New business initiatives rely more and more on personal data usage, e.g.
Personalization and customization of product & services
Omni-channel customer experience requires consistent view on customer data (incl. permissions given)
Examples: Digital Airport Program (Schiphol); Marketing Program (BMW)
Set up a workflow to conduct New Business PIAs structurally on digital transformation programs in an effective and efficient way
PIA-Flow Steps
1. Select business use cases / business initiative.
2. Determine privacy impact in Privacy Risk Assessment.
3. Perform legal compliance check against privacy policy.
4. Check initiative against the company’s privacy commitments
5. Determine individual consent requirements (e.g. opt-in).
6. Provide Privacy guidance to business initiative.
7. Derive Privacy requirements for business initiative.
8. Deliver privacy requirements to business initiative.
During the first steps of the workflow the privacy risk will be assessed
Enable the Business to determine Privacy Impact:
Low → Standard set of privacy requirements applies.
Medium → Tailored set of privacy requirements is generated by PIA-Flow.
High → Generate PIA-Flow requirements and involve external stakeholders (e.g. regulators, consumer organizations, NGOs)
An organization should make clear and concise privacy commitments to its customers and other stakeholders, and keep that promise.
The New Business PIA ensures that all initiatives are checked against the privacy commitments
Stakeholder engagement is crucial in the realization of personal-data driven strategies
Research finds that a customer privacy charter has great potential to differentiate companies from their competition
Examples of new big-data and profiling initiatives that made negative headlines even though fully compliant with the law: ING (2014); Equens (2013)
Examples of Customer (Privacy) Charters (printed flyer, Amsterdam Privacy Conference 2012)
Determine the individual consent requirements that are required and advisable to enable the organization's business initiatives
The New Business PIA provides a consistent permission management framework
Individual consent is a great opportunity for the processing of personal data
User consent allows processing of personal data in most of the cases.
Be aware: consents-based relationships require sustainable customer value creation.
Consent is a powerful instrument to reinforce the legitimate business purpose chosen for the processing of personal data (…does customer really agree that this is a legitimate business purpose…).
Example of a permission management matrix, to determine the required means of consent for the various business purposes.
Determine appropriate measures for obtaining individual consent (e.g. from customers).
The matrix plots the nature of the personal data (e.g. customer account data, traffic data, browsing behavior, financial data, health data, etc., ordered by increasing sensitivity of the data) against the business purpose (delivery of service, logistics optimization, product development, advertising, location based services, etc., ordered by how privacy intruding the purpose is). Each cell gives the means of consent required: Transactional, Opt-in, Opt-out, Transparency note, or No use.
The New Business PIA provides privacy guidance and delivers privacy requirements to the business initiatives
Deliver a tailored set of privacy requirements during the project starting phase
Deliver privacy requirements to the business initiatives
Support the privacy-by-design principle by delivering a tailored set of requirements to the business initiatives.
Build privacy compliance into solutions right from the start.
For high-impact projects, consider performing design and test audits during the development phase, to ensure the privacy requirements are actually implemented.
Recap: Three types of Privacy Impact Assessments (PIAs) can be performed
1. Organizational PIA - objective: mature the privacy governance & policy framework.
2. Operations PIA – objective: close the gap between the privacy governance & policy framework and the operations (business processes, systems & people).
3. New Business PIA – objective: enable new business initiatives that increasingly rely on personal data usage.
Different PIA approaches are needed to reach the desired objectives
Contact details
Thank you
Primary contact person
Albert Holl, Principal Manager Privacy
Reykjavikplein 1, P.O. Box 2575, 3500 GN Utrecht, The Netherlands
Phone: +31 645 886784
E-Mail: [email protected]