Webinar: Deep Dive into Risk, High Risk and Risk Assessments in the GDPR


Webinar: Deep Dive into Risk, High Risk and Risk Assessments in the GDPR
Tuesday, 24 May 2016, 11:00 AM US EDT
#CIPLGDPR

Webinar Agenda
1. Introduction
2. Risk, High Risk and Risk Assessments in the General Data Protection Regulation (GDPR)
3. Guest Presentations: how you deal with risk in your organisation (e.g. risk methodology, factors taken into account during your risk assessment, how you determine whether a processing operation falls within the "risk" or "high risk" category); and concrete examples of how you approach (1) data breaches, (2) legitimate interest and (3) data protection impact assessments
4. Q&A Discussion (*7 unmute / *6 mute)

Speakers
- Moderator: Bojana Bellamy, President, Centre for Information Policy Leadership
- Hilary Wandall, AVP, Compliance & CPO, Merck & Co., Inc.
- Emma Butler, Senior Director, Privacy and Data Protection, RELX Group
- Maria Chiara Atzori, Head Data Privacy Switzerland, Novartis

Risk-Based Approach in GDPR
- Horizontal accountability obligation
  - More flexibility for controllers to build, implement and demonstrate their privacy programme and compliance measures
  - Based on likelihood and severity of risks for individuals
  - Based on nature, scope, context and purposes of processing
- Specific obligations based on risk
  - Privacy by design
  - Data security
  - Security breach notification to DPAs
  - Appointment of a representative for a controller or processor established outside the EU
- Specific requirements only for high risk processing
  - Security breach notification to individuals
  - Data Protection Impact Assessment (DPIA)
  - Prior consultation with DPAs for high risk processing that cannot be mitigated
- Implied consideration of risk
  - Legitimate interest balancing test
  - Purpose limitation: determining compatibility of subsequent purposes
  - Fair processing
- Further guidance provided by DPAs, the EDPB, codes of conduct and certifications, and the DPO

Definition of Risk in GDPR
1. Personal data processing that may result in physical, material or non-material damage, in particular:
   - Discrimination
   - Identity theft / fraud, financial loss
   - Reputation damage
   - Loss of confidentiality of personal data protected by professional secrecy
   - Unauthorised reversal of pseudonymisation
   - Any other significant economic or social disadvantage
   - Individuals deprived of rights and freedoms, or prevented from exercising control over their data
   - Processing sensitive data, including genetic data
   - Profiling (personal aspects are evaluated, e.g. to analyse or predict work performance, economic situation, health, personal preferences, behaviour or location, in order to create or use personal profiles)
   - Processing children's and vulnerable persons' data
   - Processing large amounts of data affecting large numbers of individuals
2. High risk
   - High likelihood or severity of the risks above; or processing that involves use of new technology, where no DPIA has been carried out before, or where time has elapsed since the initial processing
   - Pre-defined types of high-risk processing: automated decision-taking; large-scale processing of sensitive data or data on criminal convictions; systematic monitoring of public areas

Detailed View of Risk Assessments in the Context of Organisational Privacy Compliance Programs
- At programmatic level: the risk assessment determines the Program and its elements; periodic Program assessment against internal and external risks
- At legal requirement level: the risk assessment adjusts the Program elements
  - DPIA and Privacy by Design for new products, services and technology
  - Legitimate interest processing
  - Purpose limitation
  - Security
  - Data breach
  - Consider the benefits of processing and the mitigations

The Risk Assessment Process: Incorporating Risks, Benefits, Mitigations
- Risk determines the privacy program, its elements, the levels of requirements and the applied controls
- Risk to individuals; risks to organisations
- Likelihood and severity
- Other factors impact the risk: geographic scope, type of activity, type of data, regulated country and prominent enforcement, volume of data, third party involvement
- Benefits and mitigations are part of the equation

Guest Speaker: Hilary Wandall, AVP, Compliance & CPO, Merck & Co., Inc.

Our Approach
Our global Privacy Program supports our company mission of saving and improving lives by promoting and assuring a culture of privacy accountability in which four privacy values are embedded into the way we work and how we engage people everywhere we operate: Respect, Trust, Prevent Harm, Comply.
- Respect: We recognize that privacy concerns often relate to the essence of who we are, how we view the world, and how we define ourselves, so we strive to respect the perspectives and interests of individuals and communities and to be fair and transparent in how we use and share information about them.
- Trust: We know that trust is vital to our success, so we strive to build and preserve the trust of our customers, employees, patients and other stakeholders in how we respect privacy and protect information about people.
- Prevent Harm: We understand that misuse of information can create both tangible and intangible harms for individuals, so we seek to prevent physical, financial, reputational, and other types of privacy harms to individuals.
- Comply: We have learned that laws and regulations cannot always keep pace with rapid changes in technologies, data flows, and associated shifts in privacy risk and expectations, so we strive to comply with both the spirit and the letter of privacy laws in a manner that drives consistency and efficiency for our global business operations.

Our Risk Practices
Merck & Co., Inc. (MSD) risk management practice, with alignment to GDPR:
- Process-level risk evaluation (Respect, Prevent Harm): privacy impact assessment; inherent risk and benefit determination during scope/threshold analysis (Fairness principle); control effectiveness analysis; residual risk analysis. Aligns to Articles 25, 35 and 36.
- Scientific research: ethics committee/IRB waiver of consent for minimal risk. Aligns to Articles 9 and 89.
- Breach notification: where not expressly required by law, where the risk of harm warrants notification, or, as applicable (e.g., HIPAA), where the risk assessment shows a greater than low probability of data compromise. Aligns to Article 33.
- Program-wide risk evaluation (Comply): external factors (e.g., laws, policy trends) analyzed by mapping to the applicable control effectiveness categories. Aligns to Article 24.

Privacy Risk in Practice
- Inherent Privacy Risk (potential threats, proxies)
  - Impact on the individual: data sensitivity, activity sensitivity, volume
  - Likelihood of occurring: third party involvement, geographic scope, incident and audit history
  - Anticipated benefits based on purpose
  - Determines the form of assessment required
- Privacy Control Effectiveness
  - 8 control effectiveness (CE) categories encompassing more than 50 controls
  - Higher inherent risk requires demonstration of a more comprehensive set of controls
  - Effectiveness ratings based on demonstration of the control
  - A consistent quantitative scale enables program-wide comparisons
- Residual Privacy Risk
  - Residual privacy risk impact = reduction in inherent privacy risk impact after application of controls
  - Residual privacy risk likelihood = reduction in inherent privacy risk likelihood after application of controls
  - Residual privacy risk: low likelihood of affecting the fundamental rights and freedoms of individuals

Application: 2 Projects

Consumer Health App: risk factor analysis
  Risk factor         Analysis                        Risk level
  Impact factors
  Data                Sensitive                       High
  Activity/Context    Sensitive                       High
  Data Volume         > 10,000 users                  Medium
  Data Subjects       Consumers                       Medium
  Likelihood factors
  Third Parties       Yes, multiple, in country       Medium
  Third Countries     Other region                    High
  Applicable Law      Yes, recent enforcement         High
  Incident History    1 instance                      Medium
  Overall Assessment                                  Medium-High

Employee Expense App: risk factor analysis
  Risk factor         Analysis                        Risk level
  Impact factors
  Data                Confidential                    Medium
  Activity/Context    Confidential                    Medium
  Data Volume         Pilot (< 1,000)                 Low
  Data Subjects       Employees                       Medium
  Likelihood factors
  Third Parties       No                              Low
  Third Countries     No                              Low
  Applicable Law      Yes, past enforcement           (not shown in source)
  Incident History    No                              Low
  Overall Assessment                                  Medium

Threshold/scope analysis: the overall assessment gives the Inherent Privacy Risk (Medium-High for the Consumer Health App, Medium for the Employee Expense App).

Application: 2 Projects. Applying Inherent Privacy Risk Analysis to the Controls Assessment (6 of 8 Control Effectiveness Categories)
  Assessment criteria                            Consumer Health App              Employee Expense App
  Personnel Expertise                            Expert (Privacy Office)          Advanced (Steward w/ Privacy Office)
  Assessment Documentation                       Global Privacy System            Local Inventory and Records
  In Scope of Annual Management Certification    Yes (Functional Leader)          Yes (Country Leader)
  Evidence                                       Yes, in Global Privacy System    Yes, in Local Records
  Transparency Analysis                          Yes                              Yes
  Governance Analysis                            Yes                              Yes
  Individual Rights Analysis                     Yes                              Yes
  Security Analysis                              Yes                              Yes
  Incident Management Analysis                   Enhanced                         Yes
  Third Party Analysis                           Yes                              No
  More Stringent Local Law Analysis              (see note)                       (see note)
  Online Privacy Certification/Seal              (see note)                       (see note)
Note: for the last two rows the source records the values "Yes", "Yes", "No", "No" without a recoverable column order.

Comparing 2 Projects: Evaluating the Effectiveness of Privacy Controls and Program Risk
[Chart: risk impact and risk likelihood for the two projects; standard quantitative measures enable program-wide averages and trending]

Guest Speaker: Emma Butler, Senior Director, Privacy and Data Protection, RELX Group

Determination and Practical Articulation of Risk Appetite
[Slide content not captured]

Risk Management and Internal Control Framework
[Slide content not captured]

Practical Examples

Practical example: legitimate interests (Article 29 Working Party Opinion WP 217)
- Are the interests legitimate? Company (sometimes customer) interests; individuals.
- Is the processing necessary to achieve the interests pursued?
- Do the rights of the individual override the company's interests?
- Are there safeguards we can put in place? Data minimisation, technical and organisational measures, privacy by design, transparency.
- The assessment also covers: broader societal impacts; benefits to individuals / society; risks of not doing the processing.

Practical example: data protection impact assessments
- Data types: some flagged as needing more attention.
- Assessment against the 8 UK Data Protection Act principles.
- Considers: fairness (transparency); fairness (proportionality and reasonable expectations of consumers).
- Risks identified that could lead to questions about compliance with a particular principle.
- Risks and mitigation factors / solutions are granular and specific to the project.

Guest Speaker: Maria Chiara Atzori, Head Data Privacy Switzerland, Novartis

Privacy Risk Assessment at Novartis
Maria Chiara Atzori, Head Data Privacy Switzerland
Basel, 24 May 2016

Robust approach to increase control while reducing bureaucracy and combining different assessments
From: different privacy assessments
- Swiss Privacy Inventory: 30 questions (online questionnaire)
- Privacy Impact Assessment (PIA): 80+ questions (Word document)
- Business Impact Assessment (BIA): 28 privacy questions (Excel spreadsheet)
To: one user-friendly tool
- 12 questions for the Business Owner
- 6 questions for the Information Manager

Novartis' current privacy risk assessment and its further evolution
- Classification of risk: need to review the distinction between risk and high risk processing of data; increase focus on the likelihood and severity of the risk to individuals
- Balancing risks: need to improve understanding of data privacy risks and their implications in the context of business initiatives; absence of an assessment of the processing benefits
- Mitigation options: not context-related and not sector-specific; unilateral mitigation of risks; establish a new set of safeguards to achieve strong protection
- Gaps opened by the GDPR: consultation of DPAs for high risk processing; legitimate interest balancing; purpose limitation (e.g. secondary use of data)

Develop a sound privacy risk assessment to build trust and confidence
- Be able to resolve the tension between data availability and harm to the individual
- Identify gaps between industry and patients' interests, and activities that are potentially seen as threatening in public perception
- Sound assessment of privacy risk and fit-for-purpose mitigation of gaps
- Build trust and confidence: future use cases (e.g., RWE) depend on patients entrusting industry with personal data and content for far-reaching analysis
- A sound privacy risk assessment is a cornerstone of accountability

Q&A Discussion
If you would like to ask a question, please hit *7 (star 7) to unmute your phone. Please hit *6 (star 6) to mute your phone again.
- Bojana Bellamy, President, Centre for Information Policy Leadership
- Hilary Wandall, AVP, Compliance and CPO, Merck & Co., Inc.
- Emma Butler, Senior Director, Privacy and Data Protection, RELX Group
- Maria Chiara Atzori, Head Data Privacy Switzerland, Novartis

Contacts
- Bojana Bellamy, President, Centre for Information Policy Leadership: bbellamy@hunton.com
- Emma Butler, Senior Director, Privacy and Data Protection, RELX Group: emma.butler@relx.com
- Hilary Wandall, AVP, Compliance and CPO, Merck & Co., Inc.: hilary.wandall@merck.com
- Maria Chiara Atzori, Head Data Privacy Switzerland, Novartis International: maria_chiara.atzori@novartis.com
Centre for Information Policy Leadership, Hunton & Williams
Privacy and Information Security Law Blog: www.huntonprivacyblog.com
Follow us on LinkedIn: linkedin.com/company/centre-for-information-policy-leadership
Follow us on Twitter: @THE_CIPL