IAPP CIPM – From Small & Medium Enterprise (SME) to Multinational examples Part 2

  1. US Multinational – Business details, DPO, insourcing vs outsourcing

Hi guys. For the following five lessons, we’ll do the same exercise, but for a different company, a US multinational, and again, all the names you will find here, company names and individual names, are fictive. For the sake of this example, the company is called European Elements, Inc. and we’ll call it EEI from now on. Let’s start again with Part One and some business details. European Elements, Inc. is a US multinational with European Union subsidiaries and 50 million subscribers, as well as an Indian processor for application development called Hyperbad and a Philippine processor called Quickback for mirroring and disaster recovery.

Its headquarters are in California, and it has global locations, including in Germany and Italy. The company is in the social media business, hosting its websites in Germany and California. The Italian location provides the design of future website software, apps, and marketing for the European Union. The company offers consumers who use its website special discounts for referring friends who become subscribers. It also gives a free monthly subscription to the user who clicks the Mac button the most times for each of its new crazy drama videos put out by fellow subscribers. It also provides other websites with a social app plugin with a trumpet icon in the shape of an elephant trunk to show that the user intends to remember the trumpeted webpage forever. Regarding personal data details, personal data is collected from subscribers to EEI when the user registers, providing the name, address, phone number, email, user ID, number of siblings, gender, age, race, and education level.

Children under the age of 13 are not allowed to register unless mom or dad says it is fine by clicking the AOK button. Personal data is also collected from the activities of subscribers on the website, such as when they post a crazy drama video, or on another site when they click the trumpet button. Personal data of non-subscribers, such as referred friends and those hitting the “trumpet button,” is also gathered. Unhappy with all this data collection, several of its customers have asked to exercise their data subject rights under Articles 15 and 22. A data breach has recently occurred, requiring notice under Article 34, for which EEI provided notifications to subscribers but not to any other data subjects. So is a DPO required, and is outsourcing allowed? What should they choose? EEI must first determine if a DPO is mandatory or voluntary, similar to the example discussed before, as it is not a public authority. According to the first example, a DPO would be mandatory only if there was regular and systematic monitoring on a large scale or the processing of special categories of data. EEI seems to meet both criteria. First, it monitors the use of its social media site by its 50 million subscribers in several ways. It also monitors the trumpet clicks of non-subscribers. Second, it collects information from subscribers when registering that falls into the special categories of personal data under Article 9 of the Regulation, and these are core activities of its business and, by any measure, large-scale.

It is clear that EEI is mandated to designate a DPO. It concurs with that conclusion and documents this DPO requirement analysis. The question is then “insourcing” or “outsourcing.” EEI then reviews the job skills for a DPO and realizes that it has the perfect internal candidate. Upon being approached, she quickly makes it clear that she will be on maternity leave for at least the next year. EEI then determines that there is no other available person on its European Union staff with the required skill set, and that anyone else taking on the role would have to relocate to the European Union. EEI calculates that the cost of using a part-time DPO mentor plus an internal, younger DPO trainee would be about the same as using the existing but unavailable internal candidate.

As a result, they seek to outsource the DPO mentor role. They evaluate, qualify, and select Dieter, a well-reputed and experienced compliance auditor, to act part-time as a mentor and prepare Helen to take over this DPO function within two years, while insourcing the role. Dieter is less likely to have conflicts of interest, and Helen has no other duties that could raise a conflict of interest. He will be the designated DPO for the first year, and Helen will be designated for the second year if she is ready, with Dieter mentoring her. The company notifies the German and Italian DPAs of Dieter’s designation and announces it internally to all staff members in the European Union and the US. His contact details are added to the external data protection statement and internally to the data protection policy. Dieter is to report to the board of directors and provide a quarterly report of his activities and findings. Helen is to report only to Dieter. As Dieter is not a lawyer, EEI provides him with a budget for outside European Union legal counsel. Helen’s legal experience in the US will also greatly assist the DPO team in dealing with global privacy laws.

  2. US Multinational – Assessing GDPR Compliance step by step

Hi guys. Let’s continue with Part 2 of our US multinational example. Let’s talk about assessing GDPR compliance. Dieter initiates his role in tandem with Helen by interviewing top management, data owners, and process owners and reviewing available documentation, including the data and processing inventory and the data protection policy. Dieter is of the opinion, given the vast number and global dispersion of its subscribers, that the data protection policy publicly available on the website is of vital importance, not only in laying out the data protection obligations of EEI and the data protection rights of its subscribers, but also in communicating how the personal data of all these affected individuals is processed and eventually deleted. The Data Protection Policy has the following sections: purpose, security, cookies, data collected, and changes to the policy. There is also a FIPPs section that articulates the FTC’s Fair Information Practice Principles.

The Security section states that EEI uses state-of-the-art security to protect subscribers’ data. Dieter recommends that the Data Protection Policy be revised to be a global best practice, using the GDPR’s obligations and rights as the basis for all of EEI’s data protection practices globally. His proposed policy revision would include a scope section on data protection principles as well as data subject rights, a section on the DPO and contact information, sections on disclosure, retention, and deletion of personal data, sections on how the processing of sensitive data and children’s data is handled, and an expanded infosec section to further elaborate on safeguards implemented across the company and standards certifications earned. Dieter then evaluates how EEI meets its obligations under the seven data privacy principles. The data and processing inventory should show the personal data collected directly from subscribers: name, address, phone number, email, number of siblings, gender, age, race, and education level.

Their social media website activity, such as posting crazy drama videos, clicking the Mac button on a video, trumpeting another web page, and possibly their IP address or device identifier, are examples of personal data that is not directly collected. Personal data is also collected from non-subscribers, such as the name and contact details of referred friends, the IP address or device identifier of those using the Trumpet or Mac buttons, and the names and contact details of children’s parents when using the AOK button. The processing activities should show that all the directly collected data was collected and stored during the registration process. The other personal data was taken from examining their website activity, whether it was watching a crazy drama video or clicking the Trumpet, Mac, or AOK buttons, perhaps using a cookie or device identifier. Referred friends’ contact details would be processed when they are invited to join; parents’ contact details, and those of their under-13 child, would be processed when a verification email is sent to the parent.

Other processing activities, such as system backups, are assumed to take place regularly and should be checked against the data and processing inventory, supported by documentation and interviews with owners and specialists. The seven data privacy principles can be applied against each of the processing operations to understand how compliant EEI is. Just considering the first processing operation, collection, would generate these inquiries. Was the processing lawful, fair, and transparent? Dieter must ascertain the legal basis for the collection and processing of the data, and there are quite a few different places where data is collected. When the data was collected online during subscriber registration, how was the consent unambiguous, specific, informed, and freely given? Did the subscriber click on the “accept” button? How was the user who clicked on the Mac, Trumpet, and AOK buttons made aware that their personal data was being processed, and informed of the purposes of the processing? How did they consent?

Were records kept of this consent? Were there any coercive or hidden aspects to the registration process that would negate its being freely given? If EEI believes that the collection and processing are based upon the performance of a contract with subscribers, are all the personal data collected necessary for the performance of the contract? For example, the gender, age, race, or education level? What about non-subscribers? Under Article 8, does the collection of personal data of children under the age of 16, unless modified by member state statute, require the reasonable verification of parental consent by the controller? How does EEI enforce the varying ages of digital consent in each European Union country? How does it reasonably verify parental consent for fairness and transparency? Were data subjects provided with all the information required by Articles 13 and 14 for the data that was collected directly and indirectly from them? Second, was the collection for a specified, explicit, and legitimate purpose? Some of the collected data looks like what might be needed to add the user as a subscriber.

Other collected data items appear to have been added in order to advertise to the subscriber. Still others were collected from their website activity. Did EEI document the internal assessment that it undertook for the specified purpose of the collection? Did EEI perform a compatibility assessment for any further processing contemplated after the collection? Remember that further processing and processing for a different purpose are not the same thing. Is it clear and unambiguous what the purpose of the processing is? Is the processing compliant with all the relevant laws? And what are the laws that the collection processes must be compliant with? Principle three is that data be minimised by processing only what is adequate, relevant, and necessary for the purposes for which it was collected. Again, is each type of personal data relevant and necessary? What about gender, age, race, education level, or number of siblings, for example? If it is not necessary for being part of social media, why was that type of personal data collected? Is there another purpose, like advertising? And was that purpose disclosed to the customer?

If the data is found not to be necessary, is it immediately deleted? The fourth principle requires that personal data be accurate and up to date. What procedures does EEI have to keep data accurate, such as input controls, application controls, and database record checks? What controls does it have to keep data up to date? And how do data subject requests for rectification get handled? The fifth principle is that personal data be kept for no longer than necessary. Is there a data retention policy and period for each type of personal data collected? What triggers the erasure of personal data from a system? What procedures are there for sweeping the system to determine if any personal data is retained beyond its retention periods?

What legal obligations are there for retaining data for a specified period? What is the impact on potential or actual litigation of the retention or deletion of personal data? Is security appropriate to prevent unauthorized loss or disclosure of personal data? This is principle number six. Are there information security assessments or certifications performed? And principle number seven concerns the controller’s ability to demonstrate compliance with principles one through six. Is there documented evidence, for every type of personal data processed and every type of processing activity undertaken, that EEI has complied with its obligations under the GDPR for these principles? These are all questions that the Data Protection Officer will need to ask the business leaders and other people he is interviewing, and a report will need to be created based on the findings from this questioning.
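As an added illustration of the retention sweep asked about above (not code from the lecture or from EEI), here is one way the DPO team could implement a periodic sweep: each data category gets a retention period that starts at a trigger event, records past their period are flagged for erasure, and a legal-hold flag blocks erasure where litigation requires retention. The schedule, periods and records are constructed samples, not a statement of what any law requires.

```python
"""Retention sweep over a personal-data inventory (constructed example)."""
from datetime import date, timedelta
from typing import Optional

# Constructed retention schedule: category -> (trigger event, retention in days).
# The clock for a category only starts once its trigger event has a date.
RETENTION_SCHEDULE = {
    "subscriber_profile": ("account_closed", 30),          # name, address, e-mail ...
    "referred_friend_contact": ("invitation_sent", 30),    # non-subscriber invitees
    "parental_consent_record": ("account_closed", 365 * 3),
    "access_log": ("recorded", 180),
}


def erasure_due(record: dict) -> Optional[date]:
    """Date on which a record must be erased, or None if its clock has not started."""
    trigger_event, days = RETENTION_SCHEDULE[record["category"]]
    trigger_date = record.get(trigger_event)
    if trigger_date is None:
        return None            # e.g. account still open: retention clock not running
    return trigger_date + timedelta(days=days)


def sweep(records: list, today: date) -> dict:
    """Classify each record as 'erase', 'hold', 'retained' or 'unknown_category'."""
    result = {"erase": [], "hold": [], "retained": [], "unknown_category": []}
    for rec in records:
        if rec["category"] not in RETENTION_SCHEDULE:
            # Data collected but never put on the schedule: escalate rather than guess.
            result["unknown_category"].append(rec["id"])
            continue
        due = erasure_due(rec)
        if due is None or today < due:
            result["retained"].append(rec["id"])
        elif rec.get("legal_hold"):
            result["hold"].append(rec["id"])     # overdue but blocked by a litigation hold
        else:
            result["erase"].append(rec["id"])
    return result


# Constructed inventory sample (fictitious ids and dates).
RECORDS = [
    {"id": "sub-1", "category": "subscriber_profile", "account_closed": date(2024, 1, 2)},
    {"id": "sub-2", "category": "subscriber_profile"},   # still an active subscriber
    {"id": "inv-7", "category": "referred_friend_contact",
     "invitation_sent": date(2024, 2, 1), "legal_hold": True},
    {"id": "log-9", "category": "access_log", "recorded": date(2024, 3, 1)},
    {"id": "x-3", "category": "number_of_siblings"},     # no retention period defined
]

if __name__ == "__main__":
    print(sweep(RECORDS, date(2024, 4, 1)))
```

The "unknown_category" bucket is the interesting output for an assessment: it surfaces data types that are being collected without any documented retention period.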

  3. US Multinational – Compliance with other Obligations

Hi, guys. In part three of our example, we’ll discuss compliance with other obligations. EEI is required to be able to respond within a limited timeframe to data subjects’ exercise of their data privacy rights. Article 12 establishes a time frame of one month, unless the controller requires more time and notifies the requester of this within one month. Does EEI have a process set up, and fully explained publicly in its data privacy policy, to allow data subjects to initiate requests under their data subject rights: access (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), portability of their personal data (Article 20), objection to processing (Article 21), and not being subject to decisions based solely on automated processing (Article 22)? Existing data subject requests provide evidence of how the response mechanism currently operates, and these should be inspected. How does EEI keep track of these requests and ensure their timely completion?

How does EEI verify the identity of the requester to know what personal data is applicable? How does EEI keep track of all personal data that applies to each data subject? What types of restrictions are provided for in local law in Germany, Italy, and other European Union countries regarding these data subject rights? Are there laws in member countries or the European Union that limit what data can be collected and what personal data is covered? In what electronic formats is personal data made available? Has EEI set up the ability to port data directly to other controllers? Does EEI make any automated decisions that affect the rights of its data subjects? Dieter must look closely at the processes set up for data subject rights and the relevant restrictions on those rights and time frames, along with any evidence of the exercising of data subject rights.
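To show how the Article 12 time frame above can be tracked in practice, here is an added example (not code from the lecture or from EEI) of a request register that computes each request's due date. It assumes the Article 12(3) rule that the one-month period may be extended by two further months, but only where the requester was informed of the extension within the first month; the register entries are constructed samples.

```python
"""Article 12 response-deadline tracker for data subject requests (constructed example)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day when the target month is
    shorter (e.g. 31 January + 1 month -> 28 or 29 February)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class Request:
    request_id: str
    article: int                                 # 15 access, 16 rectification, 17 erasure, ...
    received: date
    extension_notified: Optional[date] = None    # day the requester was told of an extension
    completed: Optional[date] = None


def deadline(req: Request) -> date:
    """Statutory due date: one month, or three months if a valid extension was given."""
    base = add_months(req.received, 1)
    # An extension only counts if the requester was informed within the first month.
    if req.extension_notified is not None and req.extension_notified <= base:
        return add_months(req.received, 3)
    return base


def status(req: Request, today: date) -> str:
    """Classify a request as completed, completed late, open, or overdue as of `today`."""
    due = deadline(req)
    if req.completed is not None:
        return "completed" if req.completed <= due else "completed late"
    return "overdue" if today > due else "open"


def overdue_ids(register: list[Request], today: date) -> list[str]:
    """Request ids that have passed their due date without completion."""
    return [r.request_id for r in register if status(r, today) == "overdue"]


# Constructed sample register for the DPO team (fictitious ids and dates).
REGISTER = [
    Request("DSR-001", 15, date(2024, 1, 31)),                                       # due 29 Feb
    Request("DSR-002", 17, date(2024, 3, 10), extension_notified=date(2024, 4, 5)),  # valid extension
    Request("DSR-003", 22, date(2024, 3, 10), extension_notified=date(2024, 4, 20)), # told too late
    Request("DSR-004", 20, date(2024, 2, 1), completed=date(2024, 2, 20)),
]

if __name__ == "__main__":
    today = date(2024, 4, 25)
    for r in REGISTER:
        print(r.request_id, "Art.", r.article, "due", deadline(r), status(r, today))
```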

Dieter must check whether the records of processing activities meet the requirements of Article 30, and must also establish what other data protection provisions EEI must comply with in the European Union, the United States, and elsewhere, how compliance with these laws is verified, and whether there are any relevant regulatory investigations. Dieter should also check the type of data protection training provided to specialists, the data privacy awareness efforts within the company and with relevant contractors and vendors, and the mechanism the company uses to stay abreast of changes to the law and technology related to data protection in each relevant jurisdiction.

  4. US Multinational – Technical Assessments and Data Breach

Hi guys. We are in Part 4 of our US multinational example, and we’ll continue with the technical assessment. The infosec capabilities of EEI are an extremely important aspect of the protection of data subject rights, given the vast amount of personal data held by the controller.

So Dieter decides that, while there are other approaches, the best infosec assessment for EEI would be a combination of the ISO certification process and the ISO and NIST control catalogues, set on top of a risk assessment methodology based on the ISO standard for infosec risk. In assessing infosec risk, Dieter will assess both the controller, EEI, and its two processors, Hyperbad and Quickback. Dieter must review documents from all three companies and interview specialists in the US, India, and the Philippines, remotely or in person. Dieter first reviews the risk management programmes against ISO 27005. This requires that there be an ongoing programme to assess and treat infosec risk. In the context establishment phase, the organizational, geographic, and business process scope of the risk programme must be defined.

Along with that, each organisation must have established criteria for determining how critical an information asset is, the impact of its loss or disclosure, and the amount of residual risk that can be accepted. The risk assessment phase must show an established programme that accomplishes all of the following: It must identify and value the business assets that infosec is protecting. It must be able to identify threats, existing controls to deal with those threats, vulnerabilities, and the consequences if a threat exploits a vulnerability. Threat identification is an ongoing and multifaceted process that involves looking for threats externally and internally: from hackers, criminals, disgruntled employees, competitors, and perhaps most frequently, negligence from poor training. Technical tools, published lists, knowledge-sharing networks, and outside experts can all be sources of information on the types of threats an organisation might face.

Vulnerability identification can occur using scanning tools, published lists, code or process reviews, or contracted work. Through these avenues, Dieter needs to discover how an organisation identifies the infosec threats and vulnerabilities that it faces, how it analyses the consequences and likelihood of a threat exploiting a vulnerability, and again, how often it runs risk assessments and what their scope is. From there, risk must be treated by either avoiding, transferring, retaining, or reducing it with controls, which is discussed below. A comprehensive risk register with regular risk assessments based on the above or similar methodologies across the whole scope of the enterprise, plus periodic meetings to discuss the status of risk treatments and reviews of the effectiveness of implemented controls, would be the minimum that Dieter should expect at each organization. He then reviews each company as if he were performing an ISO 27001 certification. Has each of the organisations established an information security management system (ISMS), and how is it supported by top management through objectives, roles, and commitments? Is an information security policy in place, and how are it and the security culture integrated into the organization’s processes?

Has the risk management programme been established organisation-wide? How aware are employees and contractors of the ISMS, and how do they contribute to its effectiveness? How does the organisation monitor changes to risk and to the information security systems? How is the effectiveness of the ISMS evaluated? How often are internal audits and management reviews undertaken? How are nonconformities addressed, and what is the process for continual improvement? Finally, he considers the actual infosec controls selected to treat the risks identified in the risk assessment exercise. The ISO 27002 catalogue of controls provides the general areas that should exist in any ISMS, and so the existence of each control in the 14 control categories should be noted and any missing controls justified. The categories are information security policy, organization, HR, asset management, access control, cryptography, physical and environmental security, operations, communications, systems development, suppliers, incident management, business continuity, and finally, compliance. The ISO controls should be supplemented by the list of NIST controls for a designated depth. For this initial assessment, Dieter does not need to assess the effectiveness of the controls or find evidence; that will occur later during a formal audit, although any obvious issues with control effectiveness should be addressed now.

Data Breach

The data breach response processes for all three organisations need to be evaluated by Dieter. He is looking holistically at the incident response process, of which data breach response is one type, and within data breach response, one of the action items is compliance with statutory breach notifications.

The first item is for Dieter to understand how the organisation has defined a personal data breach, meaning what types of incidents will lead to something that the organisation classifies as a breach impacting the confidentiality, integrity, or availability of personal data. You may find this by reading the incident response policies and procedures, or it may be detailed separately in the data breach process documents. The actual data breach that has occurred should be examined, including how the risk to the data subjects was evaluated. Different questions should be asked, including the identification of the types and classifications of personal data an organisation has, their present storage locations, and whether the data is encrypted. If encryption is used, what type is it?

How are the encryption keys managed and safeguarded? What technologies are deployed to notify the organisation of a potential data breach? How will a security incident be classified as a data breach, and what processes are used to determine what has happened to the personal data? What severity levels have been predefined? Who is assigned the responsibility to call a security incident a data breach, and what if they are not available? Who are the members of the incident response team, and what are their respective skill sets? Have the exact steps in the breach response process been clearly defined? And how has the response process been tested?

For the processor organisations, and any third-party service providers such as cloud providers with which EEI has stored part of its data, Dieter would need to make the following additional inquiries. For encrypted data: who at the service provider has access to the keys? What is the key management process? Is the data of multiple customers stored on the same physical devices? How can they determine the affected data in the event of a breach? What are their intrusion detection and prevention tools and techniques? How do they define a breach? Is EEI notified of all security incidents? How is access provided to data and facilities in the event of needing to perform forensic analysis? What are the defined RTOs and RPOs (recovery time objectives and recovery point objectives)? How do they test their breach response procedures? What is their breach notification time to EEI? Is there ever a case where they would not report a personal data breach to EEI? What are the data protection laws in their countries for breach notification? To respond within the required time frames for the legal and breach notification processes, Dieter would need to ascertain which breach notification regimes apply beyond the GDPR.

What procedures do the processors have to ensure that they notify EEI without undue delay? What information do they provide to EEI? How does EEI determine if there is a sufficient risk to the rights and freedoms of data subjects to report the breach to a DPA? Which DPA is EEI required to report this to? What role does law enforcement play in the data breach response? Given the vast number of data subjects across the world that EEI holds personal data on, there should be a list of all relevant DPAs and law enforcement agencies to be notified, which Dieter can verify. How does EEI determine if there is a high enough risk to the rights and freedoms of data subjects to report the breach to the data subjects themselves? What medium will EEI use to notify data subjects, and how did EEI obtain the necessary contact information to send notices to them? Dieter will note from the recent breach that only subscribers were notified and not other potentially impacted individuals, such as referred friends who did not become subscribers. The process for determining who was notified, and why, should also be examined. This is a quite complex process that Dieter will need to perform for all three companies, and it will take a lot of time, but it is also a really important process that will define the level of compliance.
