
GDPR & Accountability

Ultan O'Carroll, Assistant Commissioner (Technology) at the Data Protection Commission, discusses the implications of the GDPR at the ISACA Ireland Annual Conference 2018. Topics include data protection principles, obligations, accountability, transparency, and record keeping, followed by codes of conduct, certification, impact assessment, governance, and data protection by design and by default. The deck also covers user rights, data protection officers, the importance of data security, and the skills organisations need to demonstrate compliance.


Presentation Transcript


  1. GDPR & Accountability
     ISACA Ireland Annual Conference 2018
     Ultan O'Carroll, Assistant Commissioner (Technology)
     November 2018, @DPCIreland

  2. Regulations
     • Universal Declaration of Human Rights (1948)
     • European Convention on Human Rights (1950)
     • Constitution of Ireland (1937; case-law)
     • Convention 108 (Council of Europe, 1981)
     • Data Protection Act, 1988
     • EU Directive 95/46/EC
     • Data Protection (Amendment) Act, 2003
     • GDPR (2018)
     • ePrivacy Regulation?

  3. Data Protection Principles
     Obligations

  4. Accountability by…
     • Transparency
     • Record keeping
     • Codes of conduct
     • Certification
     • Impact assessment
     • Governance and Data Protection by Design & Default
     • Contracts, transfers, agreements, BCRs
     • User rights
     • Data Protection Officer

  5. Data Protection by Design
     • Start to finish: from business case to end-of-life
     • Design and non-functional requirement
     • Whole organisation to engage
     • Delete means delete
     • Security: encryption and pseudonymisation are not anonymisation
     • Know your data, processes, configuration, deployment and risks: Data Protection Impact Assessment (Art 35, 36)
     • Default settings observing the principles must be used
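The "encryption and pseudonymisation are not anonymisation" point on the slide is worth seeing in code. The following Python is an added example and is not part of O'Carroll's deck or any DPC material: it pseudonymises a constructed set of records with a keyed HMAC, shows that whoever holds the key and a candidate list can re-link a token to a person (so the data are still personal data), and then contrasts that with an irreversible release where the identifier is dropped outright. It also checks whether that release still singles anyone out, because dropping the e-mail column alone does not make data anonymous. The records, e-mail addresses, the HMAC-SHA256 token scheme, the age-band generalisation and the choice of quasi-identifiers are all assumptions made for the example.

```python
"""Pseudonymisation keeps a re-identification path; anonymisation must remove it.

Added example for the 'Data Protection by Design' slide; not part of the original
deck. Records, e-mail addresses and the quasi-identifier choice are constructed.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (fictional people); an assumption for this example.
RECORDS = [
    {"email": "alice@example.com", "age": 34, "town": "Galway", "diagnosis": "asthma"},
    {"email": "bob@example.com",   "age": 51, "town": "Cork",   "diagnosis": "none"},
    {"email": "carol@example.com", "age": 29, "town": "Galway", "diagnosis": "diabetes"},
    {"email": "dave@example.com",  "age": 53, "town": "Cork",   "diagnosis": "hypertension"},
    {"email": "erin@example.com",  "age": 62, "town": "Cork",   "diagnosis": "none"},
]
DIRECT_IDENTIFIER = "email"


def new_pseudonymisation_key() -> bytes:
    """Secret key; Art 4(5) requires it to be kept separately from the data."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token. A plain (unkeyed) hash would let anyone with a list
    of candidate e-mails re-link every record, so a secret key is the minimum."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Replace the direct identifier with the keyed token; other attributes stay."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["subject_token"] = pseudonym(rec.pop(DIRECT_IDENTIFIER), key)
        out.append(rec)
    return out


def reidentify(token, key, candidates):
    """Whoever holds the key plus a candidate list (a CRM export, a mailing list)
    can re-link a token to a person. That re-identification path is why
    pseudonymised data are still personal data."""
    for cand in candidates:
        if hmac.compare_digest(pseudonym(cand, key), token):
            return cand
    return None


def anonymise(records, age_band_width):
    """Drop the identifier outright (no token to re-link) and generalise age into
    bands. Whether the result is anonymous must still be checked, not assumed."""
    out = []
    for rec in records:
        low = (rec["age"] // age_band_width) * age_band_width
        out.append({
            "age_band": f"{low}-{low + age_band_width - 1}",
            "town": rec["town"],
            "diagnosis": rec["diagnosis"],
        })
    return out


def singling_out_risk(records, quasi_identifiers):
    """Combinations of quasi-identifier values that occur exactly once. Each one
    still singles out an individual, so the release is not anonymous for them."""
    counts = Counter(tuple(rec[q] for q in quasi_identifiers) for rec in records)
    return sorted(combo for combo, n in counts.items() if n == 1)


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    pseudo = pseudonymise(RECORDS, key)
    print("token re-linked to:", reidentify(pseudo[0]["subject_token"], key, ["alice@example.com"]))
    for width in (10, 25):
        risk = singling_out_risk(anonymise(RECORDS, width), ("age_band", "town"))
        print(f"age bands of {width}: {len(risk)} record(s) singled out: {risk}")
```

Two things follow from running it. With the key, every pseudonymised record re-links to a person, so the key is itself a high-value asset that the accountability record (Art 30) and the DPIA should cover; "delete means delete" for such data includes destroying the key, not just the token column. And the release with ten-year age bands still singles out three of the five fictional subjects even though the e-mail column is gone; only the coarser bands leave nobody alone in their group. Real datasets need a proper re-identification risk assessment rather than this one-line uniqueness check.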

  6. Impact Assessment (Art 35)
     • Prior assessment (audit) for high-risk processing
     • Screening & record keeping (Art 30)
     • Structured & methodical approach
     • Documents processing, inherent and residual risk
     • Determines whether processing can take place
     • Prior consultation (Art 36)?

  7. Accreditation & Certification
     • Regulation (EC) No 765/2008 still applies, but Art 43(1) GDPR also applies
     • ISO/IEC 17065 basis: products and services
     • INAB will accredit; DPA to approve criteria (GDPR-based)
     • DPA to specify "additional requirements": expertise etc.
     • Legal, technical, security, evaluation and assessment skills
     • Cross-border: "EDPB Seal"
     • Other certification still possible

  8. GDPR Opportunities
     • Skills needed across organisations to demonstrate and be accountable for processing (compliance)
     • Documentation & record keeping; DP by Design; governance; internal audit; process, change & risk management; DPO support; certification; contracts
     • Technical, legal and communications expertise
     • Enjoy the day!

  9. www.dataprotection.ie
     www.GDPRandyou.ie
     @DPCIreland
