
EU Data Protection

EU Data Protection. IT Governance view. Ger O’Mahony, 12th October 2011. Data Protection – so what? Damage to reputation (HSE – SONY – T.K.MAXX – NHS); risk to information infrastructure (DOS – SLAs – AUDIT – BCP/DR); financial penalties (communication – recovery – fines).


Presentation Transcript


  1. EU Data Protection IT Governance view Ger O’Mahony 12th October 2011

  2. Data Protection – so what?
  • Damage to reputation: HSE – SONY – T.K.MAXX – NHS
  • Risk to information infrastructure: DOS – SLAs – AUDIT – BCP/DR
  • Financial penalties: communication – recovery – fines

  3. Data Protection: seven principles enshrined in EU Directive 94/46/EC
  • Notice: subjects whose data is being collected should be given notice of such collection.
  • Disclosure: subjects whose personal data is being collected should be informed as to the party or parties collecting such data.
    Does the individual know their data is being held, and what the data controller will use it for?
    Is CCTV in use? If so, is the public notified, and are the cameras in the right locations?
    If monitoring controls are in effect, has the individual been notified, and has the reason for monitoring been communicated?
  • Consent: personal data should not be disclosed or shared with third parties without consent from its subject(s).
    Do data controller staff know if and when they may pass on personal information when asked?
    Is access to personal data limited to those with a need to know?

  4. Data Protection: seven principles enshrined in EU Directive 94/46/EC
  • Purpose: data collected should be used only for the stated purpose(s) and for no other purpose.
    As a data controller, does the organisation need this individual’s information, and does it know what the data will be used for?
  • Security: once collected, personal data should be kept safe and secure from potential abuse, theft or loss.
    Is personal data, in both physical and electronic record formats:
    - securely stored?
    - up to date?
    - deleted/destroyed when no longer required?
    - held only on mobile devices which are encrypted?
  • Access: subjects should be granted access to their personal data and be allowed to correct any inaccuracies.
    In the event of a subject access request, are procedures and processes in place?
  • Accountability: subjects should be able to hold personal data collectors accountable for adhering to all seven of these principles.
    Is there a policy for dealing with data protection issues?
    Are company staff aware of the DPA requirements, and do they understand their roles and responsibilities?
    In the event of a data breach, does the data controller know what to do and whom to contact?

  5. Data Protection – Cookie Monster? Directive 2009/136/EC
  Requires companies running a web site to get informed consent from users in order to store and retain information on their PCs.
  Third-party cookies are the problem – advertisers.
  Impacts on T&Cs:
  • T&Cs need to be changed
  • Existing customers must actively agree to the revised terms
  • Positive consent must be given for new terms
