Data Protection Learnings from Across the Pond

Data Protection Learnings from Across the Pond

Data Protection Learnings from Across the Pond From GDPR to LGPD Okan Kibaroglu, Head of Governance GDPR to LGPD 26/08/2019 Agenda • Your presenter • This is Imperial! • Principles to keep in mind • Our experience, a detailed synopsis; based on “principles” • Lessons Learnt About me About me – Okan Kibaroglu • Born in Turkey in 1966 • BSc and MSc in Computer Science from Bogazici University, Istanbul • Worked at different industries and management levels in IT since 1994 • At Imperial College for 14 years, and Head of Governance for 5 years • Married with three grown up children This is Imperial! 26/08/2019 Imperial College: Our Mission Imperial College London’s mission is to achieve enduring excellence in research and education in science, engineering, medicine and business for the benefit of society. This is Imperial 26/08/2019 Our standing • Times Higher Education World University Rankings 2019: 9th overall, 3rd in UK • Times Higher Education World’s Most International Universities 2019: 9th in the world • QS World University Rankings 2019: 8th in the world • Research Excellence Framework (REF): 1st for high impact research of any UK university • Reuters Europe’s Most innovative universities 2019: 1st in UK, 3rd in Europe • The Guardian University Guide 2019: 1st for Career Prospects This is Imperial! 26/08/2019 History 1851–1890: Building on the Great Exhibition, Prince Albert supported the idea of South Kensington becoming the London Centre for Science and Arts. Constituent Colleges formed. 1907: Imperial College founded by merger of: • City and Guilds College • Royal College of Science • Royal School of Mines 1987: Management School formed (now Imperial College Business School) This is Imperial! North 26/08/2019 West London Imperial Today Hospitals Nine campuses: • South Kensington • White City • Silwood Park • 6x Hospitals Silwood – Charing Cross Park – Chelsea & Westminster – Hammersmith – North West London Hospitals Campus – Royal Brompton – St Mary’s This is Imperial White City – a new era of discovery for Imperial, London and the wider world. White City is home to the College’s major new campus, co-locating world-class researchers, businesses and higher education partners to create value from ideas. White City Michael Uren Biomedical Translation & Engineering Innovation Hub Research Hub Invention Rooms Molecular Science Research Hub Public Health Research This is Imperial! 26/08/2019 Our People Students 17,054 full-time (2017–18) • 9,767 – undergraduate • 3,812 – taught postgraduate • 3,475 – research postgraduate • Students from 132 countries Staff • 3,765 academic and research staff • 3,940 support staff Alumni Over 190,000 alumni This is Imperial Our financial strengths £1,033m £196m Total income Tuition fees and education contracts income £364m £187m Research grants and College capital expenditure contracts income (2017-18 Annual Report and Accounts) This is Imperial! 26/08/2019 Global Imperial • Imperial is one of the world's most international universities (9th in the world) according to Times Higher Education. • Around 60% of students and 40% of staff come from outside the UK. • We defend our international values. Following the EU referendum, we have provided extra support to our staff and students and increased our lobbying efforts. • Find out more: www.imperial.ac.uk/global This is Imperial Imperial College London and Brazil • 1,300 papers in 5 years with Brazilian co-authors • MoU with FAPESP for collaborative research in 2013 + 3 MoUs with unis • Collaborative research and joint PhD in Aeronautics and other areas • Strong industry partnerships: Energy Futures Lab -> Sustainable Gas Institute in 2014 • Recently: 3 Newton funded research + one GCRF project with Brazil Principles General Awareness Don’t forget Think, eat, ‘consent’ and sleep with ‘minors / Data vulnerable Protection individuals’ Show you are working towards LGPD Data Privacy Data Breach Impact (Violation) Assessments Reporting (DPIA) Know your information and processes (IAR) Principles General Awareness Don’t forget Embed Data ‘consent’ and Protection ‘minors / into your vulnerable practices individuals’ Show you are working towards LGPD Data Privacy Data Breach Impact (Violation) Assessments Reporting (DPIA) Know your information and processes (IAR) Show you’re working How did we show we are working? • Identified the top-level accountable role – College Secretary – Also appointed as the SIRO (DP accountability at the highest level) • Preparations handled as a College-wide Project • Appointed an acting DPO during the project • Set up the Information Governance Steering Group • On G-day (25 May 2018) project wrapped up – permanent DPO appointed – day-to-day work commenced Information Governance Structure Principles General Awareness Don’t forget Embed Data ‘consent’ and Protection ‘minors / into your vulnerable practices individuals’ Show you are working towards LGPD Data Privacy Data Breach Impact (Violation) Assessments Reporting (DPIA) Know your information and processes (IAR) Awareness Awareness Courses • General Awareness is most important – Data Protection Awareness – Information Security Awareness • If ICO (ANPD) ever comes to audit or to follow up an incident, they will ask: – “How do you train your staff? Show us you records of training.” • These courses are now mandatory for new starters • If they are handling personal data (Researchers) – More specific and detailed training: Handling Sensitive Data • Consider a general awareness campaign Policies and training – evidential weight • We keep records of: – Online awareness training for Data Protection and Information Security – Also require an annual declaration of compliance with information governance policy framework • Don’t forget the people supporting you: IAOs, IAAs and DP co-ordinators – We provide classroom training and also keep records of those Principles General Awareness Don’t forget Embed Data ‘consent’ and Protection ‘minors / into your vulnerable practices individuals’ Show you are working towards LGPD Data Privacy Data Breach Impact (Violation) Assessments Reporting (DPIA) Know your information and processes (IAR) Information Security Data Protection This Photo by Unknown Author is licensed under CC BY Policies and Procedures Information Governance Policy Framework • Information Governance Policy Framework – overarching document – Information Security Policy – Data Protection Policy • Policy training and acceptance is essential – We have online awareness training for both – But not proving very effective – There are inevitable overlaps – Should we consider bringing them together? Policies and Procedures Policy Detail -> Codes of Practice • Information Security Policy • Data Protection Policy – Electronic Messaging – Handling Personal Data – Inspection of Electronic – Handling Patient Data Communications and Data – Access to Personal Data by – Passwords Data Subjects – CCTV – Information Asset Register – DPIA Principles General Awareness Don’t forget Embed Data ‘consent’ and Protection ‘minors / into your vulnerable practices individuals’ Show you are working towards LGPD Data Privacy Data Breach Impact (Violation) Assessments Reporting (DPIA) Know your information and processes (IAR) DPIA – Privacy by Design Data Privacy Impact Assessment DPIA – Privacy by Design Privacy by Design • Questions should be asked when designing a new process / product – Embed into your project process – Apply to existing information assets • Especially when: – Using new technologies to process data: near-field, RFID, etc. – Biometric / genetic data – Processing large amounts of data (big data); match / combine data – Profiling children or targeting with online marketing – Risk to individuals’ physical health and safety DPIA – Privacy by Design Our DPIA Process Evaluate • Personal data? Process • Actions to reduce • Predict behaviour? risks • Large scale? • Describe data • Sign-off by IAO, processing • Vulnerable indiv’s? DPO and IT • Legal basis? Governance • Data flow Qualifying • Risks? Identify Questions Measures Principles General Awareness Don’t forget Embed Data ‘consent’ and Protection ‘minors / into your vulnerable practices individuals’ Show you are working towards LGPD Data Privacy Data Breach Impact (Violation) Assessments Reporting (DPIA) Know your information and processes (IAR) IAR Information Assets • A body of information, defined and managed as a single unit so it can be understood, shared, protected and used effectively • Information Asset Register: a list / database of Information Assets showing: – Description, owner, accessibility – Whether its personal / sensitive or not – How it is kept secure – Retention IAR Information Asset Owners • One clear owner for every asset • Managing the asset in line with policies and standards (Protect it) • Responsible to identify, understand and manage risks (Protect proactively) – Who accesses the asset? – What functions do they access? (Roles) – What is the approval process for accessing? – How do we remove access? IAR What information is kept in the IAR? • Information Asset Owner • Does it contain personal data? • Information Asset Administrator • DPIA • Business criticality • Categories of data • Who has access? • Purposes for processing I • How is it stored? (Media type) • Legal justification for processing • Where is it stored? • Disposal arrangements A • How is it secured? • Data subjects aware? • How often is it backed up? • Staff trained in DP? • Is it taken off site? R • Policy awareness • Earliest date of recorded data

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    53 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us