Ultan O'Carroll, Assistant Commissioner (Technology), discusses the implications of GDPR regulations at the ISACA Ireland Annual Conference 2018. Topics include data protection principles, obligations, accountability, transparency, and record keeping. Learn about codes of conduct, certification, impact assessment, governance, data protection by design, and more. Gain insights on user rights, data protection officers, and the importance of data security. Stay informed about GDPR opportunities and the skills needed for compliance.
GDPR & Accountability
ISACA Ireland Annual Conference 2018
Ultan O'Carroll, Assistant Commissioner (Technology)
November 2018 @DPCIreland
Regulations
• Universal Declaration on Human Rights (1948)
• European Convention on Human Rights (1950)
• Constitution of Ireland (1937; case-law)
• Convention 108 (Council of Europe, 1981)
• Data Protection Act, 1988
• EU Directive 95/46/EC
• Data Protection (Amendment) Act, 2003
• GDPR - 2018
• ePrivacy Regulation?
Data Protection Principles Obligations
Accountability by…
• Transparency
• Record Keeping
• Codes of Conduct
• Certification
• Impact Assessment
• Governance and Data Protection By Design & Default
• Contract, transfers, agreements, BCRs
• User rights
• Data Protection Officer
Data Protection by Design
• Start to finish – business case to end-of-life
• Design and Non-Functional Requirement
• Whole organisation to engage
• Delete means delete
• Security – encryption and pseudonymisation are not anonymisation
• Know your data, processes, configuration, deployment and risks – Data Protection Impact Assessment (Arts 35, 36)
• Default settings observing the principles must be used
Impact Assessment (Art 35)
• Prior Assessment (audit) for high-risk processing
• Screening & record keeping (Art 30)
• Structured & methodical approach
• Documents processing, inherent and residual risk
• Determines whether processing can take place
• Prior Consultation – Art 36?
Accreditation & Certification
• 765/2008 still applies, but Art 43(1) also applies
• ISO 17065 basis – products and services
• INAB will accredit; DPA to approve criteria – GDPR based
• DPA to specify "additional requirements" – expertise etc.
• Legal, technical, security, evaluation and assessment skills
• Cross-border – "EDPB Seal"
• Other certification still possible
GDPR Opportunities
• Skills needed across organisations to demonstrate and be accountable for processing – compliance
• Documentation & record keeping; DP by Design; governance; internal audit; process, change & risk management; DPO support; certification; contracts
• Technical, legal and communications expertise
• Enjoy the day!
www.dataprotection.ie www.GDPRandyou.ie @DPCIreland