Page 1

Risk Management under GDPR

10 March 2017 – IRMS Public Sector Group Meeting

Scott Sammons CIPP/E, AMIRMS

Information Governance & Transparency

Page 2

Some learning outcomes for you:

• An understanding of what risk is with regards to Information Governance
• Understanding the references to risk under the GDPR
• Understanding a risk based approach to GDPR implementation
• An overview of how a robust risk approach can support your initiatives and grow your maturity.

*Disclaimer: this is an approach. This is not the holy grail. Opinions are my own.*


© Essex County Council

Page 3

A little glimpse of me:

• Information Governance Strategy Lead for Essex County Council within the ECC Information Governance & Transparency Team
• BCS IAPP Certified (DP & FOI), IAPP Certified (DP), IRMS Accredited (RM)
• Experienced practitioner of Information Governance, management, risk, security and legislation
• Volunteer at IRMS
• Independent Exam Board member of a DP Practitioner Certificate
• Certified Practitioner of NLP


Page 4

What makes up a risk framework?

Elements shown in the slide's framework diagram:

• Awareness
• Identification
• Assessment
• Mitigation
• Monitoring – Registers & KRIs
• Audit
• Physical Controls
• ‘Soft’ Controls
• Risk Assessments
• PIAs
• Reviews & project controls
• Staff Training


Page 5

Information Risk right now

Data Protection Act 1998
- Principle 7
- Privacy Impact Assessments

ISO27001
- ISMS

Codes of Connection
- IG Toolkit, GovConnect


Page 6

Risk is everywhere under GDPR

• Security of Processing
• Tasks of the DPO
• Balancing rights against grounds for processing
• Prior Consultation for ‘risky’ processing
• Privacy Impact Assessments
• Breach notification


Page 10

A risk based implementation

• Think long term & be honest
• Focus on supporting framework first:
  - Key roles (DPO)
  - Privacy Impact Assessments
  - Policies & Procedures
  - Risk Management Framework
• Prioritise based on level of work, time needed, risk rating under GDPR compliance.
• Key is to have a plan in place and underway.


Page 11

ECC GDPR Implementation Project

Workstreams:

1. Governance
2. Assurance
3. Third Party Management
4. Collection & Use
5. Retention & Destruction
6. Rights
7. Security
8. Systems & Technology
9. Training & Awareness
10. Staff Data

• Workstream based delivery structure
• Deliverables to hand over to BAU throughout project
• Looking for quick wins and existing initiatives
• Create an ongoing compliance risk register
• Aligns with existing initiatives and projects


Page 12

The ECC journey

Elements shown in the slide's diagram:

• Data Flow Mapping
• Previous ICO Audit
• Information Asset Owners
• Information Governance Team
• Information Assurance Maturity Model
• Senior Information Risk Officer
• Privacy Impact Assessments
• Information Champions
• Risk based GDPR Implementation Programme
• ECC IG Support


Page 13

Grab a pen…

• Be realistic with what you can achieve by May 2018.
• Establish a risk framework sooner rather than later.
• Agree your risk based approach to GDPR implementation.
• Add risk management to your toolkit of skills.


Page 14

How to get in touch

• ECC IG Team Email: [email protected]
• WEISF contact details: https://weisf.gov.uk or [email protected]
