Data Mapping & Data Subject Rights


1 Data Mapping & Data Subject Rights
Session 4 Peter Murphy, Director Ioanna Karariga, Chief Digital Information Officer Vienna International School

2 Why data mapping is needed
Protecting data can be difficult. Data breaches are common: ~10% of breaches are due to employee error or negligence, ~7% to accidental exposure, and ~5% to insider theft. Right now, protecting data can be difficult. It is often spread across and copied to a number of different environments, and it is hard to know what to restrict it to and where it is located. This data sprawl inevitably leaves organizations open to data breaches, and not just from hackers. In its 2017 end-of-year review of data breaches, the Identity Theft Resource Center revealed that ~10% of breaches were caused by employee error or negligence, ~7% were the result of accidental exposure, and ~5% were down to insider theft. Image source: adetiq.co.uk

3 Why is data mapping needed?
Article 30 of the regulation places a legal requirement on organizations to maintain a record of processing activities under their responsibility, and to make it available to the relevant supervisory authority on request. Image source: onetrust.com

4 What needs to be included?
- The purposes of processing data (customer management, marketing, etc.)
- The categories of the individuals involved (customers, patients, etc.)
- The categories of personal data being processed (financial information, health data, etc.)
- The categories of any recipients of the data (suppliers, credit reference agencies, etc.)
- Details of any transfers to other countries
- How long the data will be kept for
- The technical and organizational security measures in place (encryption, access controls, etc.)

5 Rights of the individuals
Organizations which employ fewer than 250 people need only document processing activities that are regularly undertaken, are likely to result in a risk to the rights and freedoms of individuals, or involve special category data or data related to criminal convictions and offences. For everyone else, Article 30 is the key to being compliant – and demonstrating compliance – and will also help meet other aspects of the GDPR. It will aid in drafting the privacy notice, for example, that is now required whenever personal data is collected. It will enable organizations to respond to requests from individuals for access to their data, or for its rectification or erasure, faster and more easily. Image source: childbasepartnership.com

6 Why is data mapping important?
It will give organizations an accurate picture of what data they hold, where it is, and whether it is data which needs to be protected. That knowledge, in turn, will immediately flag up any access controls that are required, and where measures like pseudonymization, encryption, anonymization and aggregation should be adopted. If copies of databases are used in development and testing, for example, personal data in those copies should be masked. This is where data mapping comes in – the process of discovering and classifying data so that it can then be protected and managed in a consistent, reliable way. Image source: superiorvan.com

7 Vienna International School approach
At VIS we conducted a Data Mapping Audit Procedure, using a modified version of the 9ine template. The original version was very detailed, and without formal training, filling it out was not a realistic goal. We distributed it to almost 40 areas of responsibility, and after a short training we gathered the data from the people responsible for each area.

8 Vienna International School approach
From there, we started auditing the tools that they use and the data retention periods that should be in place. We produced a list of compliant software, which is constantly updated. We produced the Data Retention Schedule for all data that is processed in our school. Image source: Computerworld.com

9 Vienna International School findings
This procedure revealed that, as an organisation, we gather a lot of data for different purposes. VIS has implemented a laptop distribution model for teachers, and this is an area where a lot of data stays on those machines as local copies. Image source: securedatarecovery.com

10 Vienna International School findings
Teachers tend to use many free online tools for their lessons, and shifting this practice in order to be compliant with the GDPR was, and still is, a big challenge. Student photos used to be taken and distributed freely to parents, and parents were used to taking photos at special events (concerts, field trips, school events). Some people find accepting a new practice very challenging. Image source: Slideshare.net

11 Vienna International School findings
The multiple systems in the school do not permit a per-student log of entries, which makes a subject access request (SAR) a very challenging procedure. Image source: Privacycompliancehub.com
