[PPT] - Conducting DPIAs to Reduce Business Risk Lecio de Paula Director PowerPoint Presentation

SLIDE 1

Conducting DPIA’s to Reduce Business Risk

Lecio de Paula

Director of Data Privacy, FIP, CIPP/E, CIPP/US, CIPP/C, CIPM, AWS Certified

SLIDE 2

Discuss benefits of conducting data privacy impact assessments
Why regulatory compliance isn’t the only benefit
Best practices and examples
Common DPIA mistakes and how to avoid them
Privacy & security risks of engaging in new processing

Today’s Presentation

2

SLIDE 3

Introduction To DPIA

3

SLIDE 4

Are to be conducted before the start of a new process or project
Identify the who, what, how, where, when
Identify the risks of processing
How to mitigate those risks to an acceptable level
Identify the Implications of the new processing activity
Also conducting “Lite” DPIAs
Data Protection = privacy + security

Introduction to Data Privacy Impact Assessments

4

SLIDE 5

Various laws require DPIA to be

conducted in “high risk” processes

Most common one - GDPR
PDPA, LGPD, Canadian Privacy Laws

etc.

Not only beneficial from a compliance

standpoint

Laws requiring DPIA’s

5

SLIDE 6

Complying with the law and reducing the risk of receiving a fine
Provide recommendations on the new project
Makes privacy by design (PbD) easier
How to mitigate those risks to an acceptable level
Establish legal basis for processing
Helps maintain your record of processing activities on a granular level
Providing trust to your employees and customers

What are the benefits?

6

SLIDE 7

Headlines

7

SLIDE 8

Data Protection concerns every

department

HR, Marketing, Sales, Product Development

etc.

Each one will process data differently
Different collection points, vendors etc.
But how can you scale?
Let’s go over different processes that will

require a DPIA

It is for ALL processes

8

SLIDE 9

Product Development
Creating new feature for end users
New products and services
Using data for analytics and benchmarking
Living document
M&A
Holistic Approach
Create a questionnaire
Need to thoroughly understand how the
rganization functions
KnowBe4 has had 7 acquisitions to date

Two very different DPIA’s

9

SLIDE 10

Create various DPIA templates for different organizational functions
The more tailored your questions are to a specific function, the better information you can

gather

Creating data flow diagrams is very helpful
Ensure there are policies in place for conducting DPIA’s. Must be clear, concise, and

repeatable

Automate where you can using preferred GRC tool
Many times these will be “living documents” and need to be revisited

Quick Tips

10

SLIDE 11

Not involving other functions or departments
Not performing the DPIA at the start of the project
“Hopeful” documentation - not an accurate reflection of your practices
Not revisiting the DPIA (setting automated tasks to revisit)
Using it just for compliance

DPIA Mistakes

11

SLIDE 12

Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality

Data Protection Principles

12

SLIDE 13

Nature, Scope, context and purpose of processing

13

SLIDE 14

Think carefully about the “personal data lifecycle”
How you collect, store, use, access, share the data?
What are the technical security measures? Retention period?
Will you be using a new vendor? (could potentially be a subprocessor, require notification)
How will end users manage their privacy rights?
What are our contractual and legal obligations? Does this conflict with our data protection

notices?

What are the key questions?

14

SLIDE 15

New Feature

Your development team is creates a project plan to

develop a new feature that collects new categories

f data from end users
The feature will prompt the users and ask them to collect

demographic information to provide better information of the potential value of their home in the near future. Data will be stored in separate cloud database

The team plans on storing this data and potentially using it

for other purposes such as analytics etc.

15

SLIDE 16

How will the company collect, use, store, and delete data?
Collecting information directly from the end user such as zip code, home address,

home value, household income, level of education completed in order to estimate home value based on the neighborhood. Data will be stored at rest and in transit in an Amazon AWS cloud DB.

Will data be shared with any third parties?
No data will be shared with third parties and existing sub processors will be leveraged

Nature of data processing

16

SLIDE 17

What is the nature of the data and will sensitive information be collected?
Some sensitive financial information will be collected and will be treated that way.
The team plans on storing this data and potentially using it for other purposes
How many individuals data are you collecting and what laws are in scope?
Data will be collected in US, UK, and France. Putting various laws in scope such as

GDPR, CCPA etc.

How long will data be stored for and what security controls are in place?
Currently no data retention period
Industry standard controls will be in place, following secure coding practices, standard

encryption

Scope of the data processing

17

SLIDE 18

Whose data are you collecting?
Current and potential new customers
How will they invoke their data subject access rights under EU/US laws?
Development team has no plans on creating an automated system for users to invoke

their data subject access rights. The current process has been manual and requires a lot of work on the backend to fulfill the request

Do individuals expect their data to be used this way?
Product team believes that the current privacy notice covers it

Context and purpose of the data processing

18

SLIDE 19

Current privacy notice does not cover the categories of data that will be collected
Privacy team will work with legal to amend the notice and send notification
No plans on automated data subject access rights tool
To comply with the law the DPIA team will recommend the development team create

these tools

No retention policy
DPIA team will recommend the development team establish a retention period

Document, Document, Document

Risks

19

SLIDE 20

M&A

20

SLIDE 21

Audit each individual sector - HR, Marketing, Product Development etc.
Requires gaining knowledge of org chart and organizational hierarchy
Closely align with InfoSec & legal
Create a questionnaire to gather this information and perform further inquiries
Use a controller vs processor approach

Quick Tips

21

SLIDE 22

What privacy notices does the organization have?
What countries does the target company operate in? What are the applicable laws?
What are the companies marketing practices?
Data security practices?
Who are its third parties, vendors, and subcontractors?
What employee policies and agreements are in place?
Has the company been subject to any breaches?
Cyber liability insurance?

Key Questions - Controller approach

22

SLIDE 23

Who are its customers?
What agreements do they have in place with their customers?
What are its products and services? How do they collect data?
What vendors do they leverage that process customer data?
Has production level software used by customers been audited by a third party?
Are they in compliance with their agreements?

From a Processor approach

23

SLIDE 24

No information security and privacy policies
Vulnerabilities in software
Lack of agreements with vendors
Accepting stringent terms from customers
Lack of change control for different processes
Unaware of applicable regulations

What to watch out for

24

SLIDE 25

Can use google drive, excel sheet, smartsheets
GRC tools are also very helpful
Internally we use KCM GRC
Can map to existing product controls, create tasks to revisit a DPIA

How to manage DPIA’s

25

SLIDE 26

Know more about KnowBe4. Contact: Lecio de Paula, FIP (727) 230-6832 leciod@knowbe4.com