

Privacy legislation main points
Key terms and privacy principles
Rights of the PII principal
Data protection officer and privacy impact assessments
International data transfers
How we comply
Helping us stay compliant
Summary and questions




Privacy legislation usually applies to all organizations that process PII originating from the relevant jurisdiction

Personally identifiable information (PII):
“… any information that (a) can be used to identify the PII principal to whom such information relates, or (b) is or might be directly or indirectly linked to a PII principal.”
ISO/IEC 29100:2011

Examples of PII:
Name
Address
Phone number
Email address
Date of birth
Marital status
Tax code
Bank details
Passwords
Driving licence
Passport number
Purchase history
IP address
Mobile phone serial number

Special categories of PII (sensitive PII):
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data
Health data
Data concerning sex life
Sexual orientation





PII principal:
“… natural person to whom the personally identifiable information (PII) relates.”
ISO/IEC 29100:2011

Processing of PII:
“… operation or set of operations performed upon personally identifiable information (PII).
Note 1 to entry: Examples of processing operations of PII include, but are not limited to, the collection, storage, alteration, retrieval, consultation, disclosure, anonymization, pseudonymization, dissemination or otherwise making available, deletion or destruction of PII.”
ISO/IEC 29100:2011




Examples of processing PII:
Taking an order from a customer
Arranging delivery of goods
Employee payroll
Recording CCTV
Sending marketing emails
Recording details in a CRM system
Keeping training records
Answering customer enquiries


PII controller:
“… privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing personally identifiable information (PII) other than natural persons who use data for personal purposes.”
ISO/IEC 29100:2011

PII processor:
“… privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII controller.”
ISO/IEC 29100:2011

Privacy principles:
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality

All PII principals have the right to…
Information
Access
Erasure (right to be forgotten)
Rectification
Restriction of processing
Notification of rectification or erasure
Data portability
Object
Object to automated decision making


Data protection officer:
Not required for all organizations
May be a part-time or shared external resource
Requires knowledge and experience of data protection law
Reports to top management
Must remain independent and protected
Monitors compliance and provides advice on data protection issues
Primary contact point with relevant supervisory authorities

Controller-processor contracts:
For controller-processor relationships, there must be a contract
These contracts must include specific information about processing of PII
New terms must also be included
Existing contracts must be amended
Applies to contracts with suppliers, and with customers
These changes are often mandatory




Privacy impact assessment (PIA):
A key process mandated by privacy legislation where PII is to be processed, particularly when using new technologies
Issues a PIA should consider include:
Systematic description of the processing
Legal basis of the processing, such as legitimate interest
Necessity and proportionality
Controls to treat unacceptable risks
Consultation with PII principals, where appropriate

International data transfers:
Only transfer PII to nations deemed “adequate”
Safeguards must be agreed and in place prior to transfer
Binding corporate rules may be used within an international organization
Standard contractual clauses are published by the relevant authority, such as the EU for the GDPR

We have…
Implemented a privacy information management system (PIMS) based on ISO/IEC 27701
Defined our data protection policy
Communicated the changes to all staff
Defined roles and provided training
Identified the PII we process
Established the lawful basis of our processing
Provided the required privacy information to the PII principal
Obtained consent, where required
Put in place procedures for PII principal access requests
Minimised our holding of PII
Begun keeping required records of processing
Updated our contracts to be privacy compliant
Obtained employee commitment to the confidentiality of PII
Ensured our international transfers of PII are legal
Introduced privacy impact assessments and data protection by default
Increased protection and prepared for a breach



How can you help?
Read and follow our data protection policy
Process access requests promptly
Recognise the importance of protecting PII
Only use PII for the defined purposes
Be fair and transparent about our use of PII
Keep PII confidential
Consider data protection in new developments
Handle any breaches in a professional way

Summary:
There are many requirements that must be met worldwide
We must clearly understand our collection and use of PII
Everyone has a part to play in meeting our privacy obligations
Penalties for not protecting PII are increasing
Breach notification is often mandatory



