Compliance Framework: Privacy Commission

The document outlines the 5 pillars of compliance under the NPC Data Privacy Accountability and Compliance Framework. Pillar I discusses governance and choosing a Data Protection Officer. Pillar II covers risk assessment including registering with the NPC and keeping records of processing activities. Pillar III discusses organizational measures like privacy management programs and manuals. The remaining pillars cover day to day obligations, data security, third parties, breaches and privacy incidents, managing human resources, continuity, and emerging technologies and standards.

Uploaded by

Rollie Ang

COMPLIANCE FRAMEWORK

Krishna Aira A. Tana
Compliance and Monitoring Division

Property of the National Privacy Commission

Obligations of a Personal Information Controller or Processor

• UPHOLD THE RIGHTS OF DATA SUBJECTS
• ADHERE TO DATA PRIVACY PRINCIPLES
• IMPLEMENT SECURITY MEASURES

5 PILLARS OF COMPLIANCE
THE NPC DATA PRIVACY ACCOUNTABILITY AND COMPLIANCE FRAMEWORK

I. GOVERNANCE
  A. Choose a DPO

II. RISK ASSESSMENT
  B. Register
  C. Records of processing activities
  D. Conduct PIA

III. ORGANIZATION
  E. Privacy Management Program
  F. Privacy Manual

IV. DAY TO DAY
  G. Privacy Notice
  H-O. Data Subject Rights
  P. Data Life Cycle

V. DATA SECURITY
  Q. Organizational
  R. Physical
  S. Technical
  • Data Center
  • Encryption
  • Access Control Policy

VI. BREACHES
  T. Data Breach Management
  • Security Policy
  • Data Breach Response Team
  • Incident Response Procedure
  • Document
  • Breach Notification

VII. THIRD PARTIES
  U. Third Parties
  • Legal Basis for Disclosure
  • Data Sharing Agreements
  • Cross Border Transfer Agreement

VIII. MANAGE HR
  V. Trainings and Certifications
  W. Security Clearance

IX. CONTINUITY
  X. Continuing Assessment and Development
  • Regular PIA
  • Review Contracts
  • Internal Assessments
  • Review PMP
  • Accreditations

X. PRIVACY ECOSYSTEM
  Y. New technologies and standards
  Z. New legal requirements

I. GOVERNANCE

A. Choose a Data Protection Officer (DPO)

[Image: https://litmosheroes.com/wp-content/uploads/2018/03/GDPR-Quiz-Question-6.jpg]

II. RISK ASSESSMENT

B. Register
C. Records of processing activities
D. Conduct PIA (Privacy Impact Assessment)

II. RISK ASSESSMENT

B. Register (NPC Circular 17-01)

What to register?
Registration of your Data Processing Systems

Who should register?
A. the PIC or PIP employs at least two hundred fifty (250) employees;
B. the processing includes sensitive personal information of at least one thousand (1,000) individuals; and
C. the processing is likely to pose a risk to the rights and freedoms of data subjects.

II. RISK ASSESSMENT

C. Records of processing activities

II. RISK ASSESSMENT

D. Conduct PIA (Privacy Impact Assessment)

III. ORGANIZATION

E. Privacy Management Program
F. Privacy Manual

IV. DAY TO DAY

RIGHTS OF DATA SUBJECTS
• Right to be Informed
• Right to Access
• Right to Object
• Right to Rectification
• Right to Erasure or Blocking
• Right to Damages
• Right to Data Portability
• Right to File a Complaint

[Image: https://www.nks.kent.sch.uk/uploads/asset_image/2_1666.jpg]

IV. DAY TO DAY

G. Privacy Notice
H-O. Data Subject Rights
P. Data Life Cycle

V. DATA SECURITY

Q. Organizational
R. Physical
S. Technical

• Data Center
• Encryption
• Access Control Policy

[Image: http://www.gordiandynamics.com/wp-content/uploads/2015/08/data-security-animation.jpg]

V. DATA SECURITY

Q. Organizational

Involves implementing policies and programs explicitly intended to ingrain the culture of privacy into an organization's psyche, thus making it impervious to hackers who resort to social engineering ploys.

V. DATA SECURITY

R. Physical

Refers to the practical protective schemes such as provision for security guards, padlocks, lockers and secluded archives to physically protect paper records and databases against data thieves who may resort to brute force.

V. DATA SECURITY

S. Technical

Covers all proactive and defensive IT solutions an organization could employ in securing its data assets against all types of breaches. This may include the use of robust firewall and encryption systems, rigorous data access protocols, as well as anti-virus and anti-spyware solutions.

VI. BREACHES

T. Data Breach Management
• Security Policy
• Data Breach Response Team
• Incident Response Procedure
• Document
• Breach Notification

VII. THIRD PARTIES

U. Third Parties
• Legal Basis for Disclosure
• Data Sharing Agreements
• Cross Border Transfer Agreement

[Image: http://infoorel.ru/user_foto/news/01906e8be48ab7b9c6903f1e751df0d7.jpeg]

VII. THIRD PARTIES

Legal Basis for Disclosure: Outsourcing Agreement

The outsourcing agreement shall set out:
• the subject-matter and duration of the processing,
• the nature and purpose of the processing,
• the type of personal data and categories of data subjects,
• the obligations and rights of the personal information controller, and
• the geographic location of the processing under the subcontracting

VII. THIRD PARTIES

Data Sharing Agreements

Requisites:
• consent of data subjects,
• establishment of adequate safeguards for data privacy and security, and upholding of the rights of data subjects,
• provide data subjects with the required information prior to collection or before data is shared, and
• adherence to the data privacy principles.

VII. THIRD PARTIES

Cross Border Transfer Agreement

A personal information controller shall be responsible for any personal data under its control or custody, including information that has been outsourced or transferred to a personal information processor or a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation.

VIII. MANAGE HR

V. Trainings and Certifications
W. Security Clearance

IX. CONTINUITY

X. Continuing Assessment and Development
• Regular PIA (Privacy Impact Assessment)
• Review Contracts
• Internal Assessments
• Review and update PMP and Privacy

X. PRIVACY ECOSYSTEM

Y. New technologies and standards
Z. New legal requirements

The Data Privacy Golden Rule

"If you can't protect it, don't collect it."
