Conducting DPIAs to Reduce Business Risk Lecio de Paula Director - PowerPoint PPT Presentation

Conducting DPIA’s to Reduce Business Risk Lecio de Paula Director of Data Privacy, FIP, CIPP/E, CIPP/US, CIPP/C, CIPM, AWS Certified

Today’s Presentation • Discuss benefits of conducting data privacy impact assessments • Why regulatory compliance isn’t the only benefit • Best practices and examples • Common DPIA mistakes and how to avoid them • Privacy & security risks of engaging in new processing 2

Introduction To DPIA 3

Introduction to Data Privacy Impact Assessments • Are to be conducted before the start of a new process or project • Identify the who, what, how, where, when • Identify the risks of processing • How to mitigate those risks to an acceptable level • Identify the Implications of the new processing activity • Also conducting “Lite” DPIAs • Data Protection = privacy + security 4

Laws requiring DPIA’s • Various laws require DPIA to be conducted in “high risk” processes • Most common one - GDPR • PDPA, LGPD, Canadian Privacy Laws etc. • Not only beneficial from a compliance standpoint 5

What are the benefits? • Complying with the law and reducing the risk of receiving a fine • Provide recommendations on the new project • Makes privacy by design (PbD) easier • How to mitigate those risks to an acceptable level • Establish legal basis for processing • Helps maintain your record of processing activities on a granular level • Providing trust to your employees and customers 6

Headlines 7

It is for ALL processes • Data Protection concerns every • But how can you scale? department • Let’s go over different processes that will • HR, Marketing, Sales, Product Development require a DPIA etc. • Each one will process data differently • Different collection points, vendors etc. 8

Two very different DPIA’s • Product Development • M&A • Creating new feature for end users • Holistic Approach • New products and services • Create a questionnaire • Using data for analytics and benchmarking • Need to thoroughly understand how the organization functions • Living document • KnowBe4 has had 7 acquisitions to date 9

Quick Tips • Create various DPIA templates for different organizational functions • The more tailored your questions are to a specific function, the better information you can gather • Creating data flow diagrams is very helpful • Ensure there are policies in place for conducting DPIA’s. Must be clear, concise, and repeatable • Automate where you can using preferred GRC tool • Many times these will be “living documents” and need to be revisited 10

DPIA Mistakes • Not involving other functions or departments • Not performing the DPIA at the start of the project • “Hopeful” documentation - not an accurate reflection of your practices • Not revisiting the DPIA (setting automated tasks to revisit) • Using it just for compliance 11

Data Protection Principles • Lawfulness, fairness and transparency • Purpose limitation • Data minimisation • Accuracy • Storage limitation • Integrity and confidentiality 12

Nature, Scope, context and purpose of processing 13

What are the key questions? • Think carefully about the “personal data lifecycle” • How you collect, store, use, access, share the data? • What are the technical security measures? Retention period? • Will you be using a new vendor? (could potentially be a subprocessor, require notification) • How will end users manage their privacy rights? • What are our contractual and legal obligations? Does this conflict with our data protection notices? 14

• Your development team is creates a project plan to develop a new feature that collects new categories of data from end users • The feature will prompt the users and ask them to collect demographic information to provide better information of New Feature the potential value of their home in the near future. Data will be stored in separate cloud database • The team plans on storing this data and potentially using it for other purposes such as analytics etc. 15

Nature of data processing • How will the company collect, use, store, and delete data? • Collecting information directly from the end user such as zip code, home address, home value, household income, level of education completed in order to estimate home value based on the neighborhood. Data will be stored at rest and in transit in an Amazon AWS cloud DB. • Will data be shared with any third parties? • No data will be shared with third parties and existing sub processors will be leveraged 16

Scope of the data processing • What is the nature of the data and will sensitive information be collected? • Some sensitive financial information will be collected and will be treated that way. • The team plans on storing this data and potentially using it for other purposes • How many individuals data are you collecting and what laws are in scope? • Data will be collected in US, UK, and France. Putting various laws in scope such as GDPR, CCPA etc. • How long will data be stored for and what security controls are in place? • Currently no data retention period • Industry standard controls will be in place, following secure coding practices, standard encryption 17

Context and purpose of the data processing • Whose data are you collecting? • Current and potential new customers • How will they invoke their data subject access rights under EU/US laws? • Development team has no plans on creating an automated system for users to invoke their data subject access rights. The current process has been manual and requires a lot of work on the backend to fulfill the request • Do individuals expect their data to be used this way? • Product team believes that the current privacy notice covers it 18

Risks • Current privacy notice does not cover the categories of data that will be collected • Privacy team will work with legal to amend the notice and send notification • No plans on automated data subject access rights tool • To comply with the law the DPIA team will recommend the development team create these tools • No retention policy • DPIA team will recommend the development team establish a retention period Document, Document, Document 19

M&A 20

Quick Tips • Audit each individual sector - HR, Marketing, Product Development etc. • Requires gaining knowledge of org chart and organizational hierarchy • Closely align with InfoSec & legal • Create a questionnaire to gather this information and perform further inquiries • Use a controller vs processor approach 21

Key Questions - Controller approach • What privacy notices does the organization have? • What countries does the target company operate in? What are the applicable laws? • What are the companies marketing practices? • Data security practices? • Who are its third parties, vendors, and subcontractors? • What employee policies and agreements are in place? • Has the company been subject to any breaches? • Cyber liability insurance? 22

From a Processor approach • Who are its customers? • What agreements do they have in place with their customers? • What are its products and services? How do they collect data? • What vendors do they leverage that process customer data? • Has production level software used by customers been audited by a third party? • Are they in compliance with their agreements? 23

What to watch out for • No information security and privacy policies • Vulnerabilities in software • Lack of agreements with vendors • Accepting stringent terms from customers • Lack of change control for different processes • Unaware of applicable regulations 24

How to manage DPIA’s • Can use google drive, excel sheet, smartsheets • GRC tools are also very helpful • Internally we use KCM GRC • Can map to existing product controls, create tasks to revisit a DPIA 25

Know more about KnowBe4. Contact: Lecio de Paula, FIP (727) 230-6832 leciod@knowbe4.com