Module 3 - Data Privacy Governance
Uploaded by christinekc66

MODULE 3
Governance, Management and the Data Protection Officer
John Walu
Summary
Lesson 1: Governance & Management
Lesson 2: Privacy Management - the Privacy Risk Approach
Lesson 3: Accountability & Documentation
Lesson 4: The Data Protection Officer (DPO) & the Organisation
Lesson 5: Instituting a Privacy Management Framework
Lesson 6: How to Be Compliant
Lesson 7: Practical Session
Lesson 1
Governance & Management

Governance & Accountability
Introduction to governance and accountability.
• Privacy governance relates to organisational structures, processes and practices that aim to reduce privacy risks for the organisation.
• Explain the main aspects of governance for data protection: governance structures, documentation and the DPO.
• How to demonstrate good governance of data: structures, documentation and the DPO.
Governance & Management
Introduction to governance and management
• Privacy governance relates to organisational structures, processes, procedures, guidelines and practices that aim to reduce privacy risks for the organisation.
• Privacy governance provides oversight activities over the following:
– Privacy Management &
– Privacy Risk Management
Governance & Management
• Governance ensures that stakeholder needs,
conditions and options are evaluated to
determine balanced, agreed-on enterprise
objectives to be achieved; setting direction
through prioritization and decision making; and
monitoring performance and compliance against
agreed-on direction and objectives.
• Management plans, builds, runs, and monitors
activities in alignment with the direction set by
the governance body to achieve the enterprise
objectives.
Enabling Organisation-wide Privacy Governance
(Diagram: organisational enablers; separate governance and management)
• The “Privacy by Design” principle requires
organisations to build data protection
considerations into their processing operations
and systems from the ground up, rather than as
a last-minute compliance issue. Hence,
organisations need to take early account of data
protection rights whenever they are developing
and designing products, services, and
applications.
Privacy by Design Concept
• Privacy by design (PbD) also means that
whenever data controllers are determining the
means for processing, they should adopt
appropriate technical and organisational
measures (such as pseudonymisation or data
minimisation) to integrate the necessary
safeguards. A PbD approach also means that
developers and designers will minimise the
amount of collected data to that required to
provide the service.
Privacy by Default Concept
• The “Privacy by Default” principle requires organisations to ensure that personal data is processed with the highest privacy settings and protection from the start.
• The data collected is the minimum needed for the service to be offered to the data subject. Similarly, the data should be stored for the shortest possible retention period and with minimum accessibility so that by default, personal data is not made accessible to an indefinite number of other people.
Privacy by Default Concept
• The principle of “privacy by default” is important in protecting the data subject in situations in which there might be a lack of understanding or control on the processing of their data, especially in a technological context.
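As an added illustration (not part of the module or its author's material), the following Python sketch shows what the privacy by design and privacy by default principles above look like in code: a sign-up record is reduced to the fields each declared purpose needs (data minimisation), the e-mail address is replaced by a keyed hash (pseudonymisation) before anything leaves the account system, every sharing setting starts at its most protective value regardless of what the form submitted, and a retention limit removes inactive records. The field names, the purposes, the one-year retention period, the sample key and the sample sign-up are all constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample input: what a sign-up form might submit (assumed field names).
RAW_SIGNUP = {
    "name": "Amina Wanjiru",
    "email": "Amina@Example.com",
    "national_id": "12345678",
    "phone": "+254700000000",
    "date_of_birth": "1990-05-01",
    "profile_visible": True,      # a pre-ticked box: must not become the stored default
    "marketing_opt_in": True,
}

# Data minimisation: each stated purpose declares the only fields it may keep (assumed purposes).
PURPOSE_FIELDS = {
    "account": {"name", "email"},
    "age_verification": {"date_of_birth"},
    "sms_alerts": {"phone"},
}

# Privacy by default: the most protective settings apply until the data subject
# changes them through an explicit action of their own.
DEFAULT_SETTINGS = {
    "profile_visible": False,
    "marketing_opt_in": False,
    "share_with_partners": False,
}

RETENTION = timedelta(days=365)  # assumed retention limit for inactive accounts


@dataclass
class StoredRecord:
    pseudonym: str        # keyed-hash identifier used outside the account system
    data: dict            # only the fields the declared purposes require
    settings: dict        # starts as a copy of DEFAULT_SETTINGS
    created: datetime

    def expired(self, now: datetime) -> bool:
        return now - self.created > RETENTION


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a normalised identifier. Unlike a plain hash of an
    e-mail address, it cannot be re-linked by hashing a list of known addresses unless
    the key is also obtained; the key is stored apart from the data set."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def minimise(raw: dict, purposes) -> dict:
    """Keep only the fields some declared purpose needs; an unknown purpose raises KeyError."""
    allowed = set()
    for p in purposes:
        allowed |= PURPOSE_FIELDS[p]
    return {k: v for k, v in raw.items() if k in allowed}


def ingest(raw: dict, purposes, key: bytes, now: datetime) -> StoredRecord:
    """Build the stored record: minimised data, pseudonymised key, protective defaults."""
    data = minimise(raw, purposes)
    # Preferences submitted with the form are discarded: privacy by default means
    # an opt-in is a separate, deliberate step taken by the data subject.
    return StoredRecord(pseudonymise(raw["email"], key), data, dict(DEFAULT_SETTINGS), now)


def opt_in(record: StoredRecord, setting: str) -> None:
    """The only path by which a protective default is relaxed: an explicit, named action."""
    if setting not in DEFAULT_SETTINGS:
        raise KeyError(setting)
    record.settings[setting] = True


def analytics_export(records) -> list:
    """What a downstream team receives: pseudonyms and non-identifying data only."""
    return [{"subject": r.pseudonym, "signed_up": r.created.date().isoformat()} for r in records]


def purge_expired(records, now: datetime) -> list:
    """Retention limit: keep only records younger than RETENTION."""
    return [r for r in records if not r.expired(now)]


if __name__ == "__main__":
    key = b"constructed-sample-key"  # a real key lives in a secrets manager, not in code
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    rec = ingest(RAW_SIGNUP, ["account"], key, now)
    print(rec.data)       # only name and email survive minimisation
    print(rec.settings)   # all False despite the pre-ticked boxes
    print(analytics_export([rec]))
```

The design point is that each principle is enforced structurally rather than by policy text: a field that no purpose claims cannot be stored, a preference cannot be pre-set by the collecting form, and data that leaves the system carries only a pseudonym whose re-identification requires the separately held key.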
Lesson 2
Privacy Management – the Privacy Risk Approach

Privacy Management
Privacy management practice areas include:
– establishing privacy roles and responsibilities related to data protection,
– fostering privacy training, and awareness communications and activities,
– monitoring vendor and third-party management practices,
– developing a privacy audit process; and
– implementing a privacy incident management capability.
Privacy Risk Management
Privacy risk management practices include:
– establishing a privacy risk management process,
– performing data privacy impact assessments (DPIAs), and
– identifying privacy threats, attacks and vulnerabilities.
Privacy risk activities include:
• Consider privacy risk during the design phase of
the enterprise’s business processes, applications
and systems.
Privacy Risk Management
• Identify and implement mitigating controls for
risks to the privacy and security of personal and
sensitive information.
• Keep an inventory of the circumstances in which
data is processed.
• Understand the privacy interests of individuals
directly or indirectly served or affected by an
enterprise.
• Conduct risk assessments for an enterprise to
understand its business environment, and to
identify and prioritize privacy risks.
Privacy Risk Assessment Steps
Privacy Risk Dimensions
• The inability to agree on a standard definition of privacy creates challenges when discussing approaches to address potential threats.
• To overcome the lack of a common definition, privacy professionals have agreed on acknowledging that privacy has multiple dimensions, and those dimensions can be used to define taxonomies of privacy problems, intrusions or categories.
Privacy Risk Dimensions
The seven privacy risk categories are as follows:
• Privacy of the person
• Privacy of behavior and action
• Privacy of communication
• Privacy of data and image (information)
• Privacy of thoughts and feelings
• Privacy of location and space (territorial)
• Privacy of association
Privacy Risk Examples
• Privacy of Person
This privacy category is focused on a person’s body
and the right of being free from any unauthorized
invasion, for example, forcing a person to provide
blood for testing.
Other examples of privacy issues include:
- Passenger scanning devices at airports.
- The use of implanted radio frequency
identification (RFID) chips for authorization
through security doors, authentication to
systems or gaining access to computing
hardware, and biometrics.
Privacy Risk Examples
- Genetic testing, drug testing or information about surgeries.
• Privacy of Behaviour and Action
This privacy category is an extension of the privacy of person and is focused on thoughts and emotions and actions expressed to somebody, activities in public and private spaces, and targeted monitoring. This category includes issues related to personal activities, orientations, and preferences that are sensitive in nature and could result in impacts on the associated individuals.
Privacy Risk Examples

Examples include:
• sexual preferences, political views, religious
beliefs and activities that occur in both public
and private spaces that are monitored.
• The use of red-light cameras to catch drivers
who commit traffic violations.
• The use of police body cameras.
Privacy Risk Examples
• Privacy of Communication
This privacy category involves protection of the ways in which individuals communicate with others using any type of communication media (printed, voice, visual and digital), for example, postal mail, telephone conversations, email and videoconferencing. Examples of privacy issues include:
• The use of communications interception tools, such as hidden microphones, and tools that copy communications, such as email and text messages.
Privacy Risk Examples
- A government collecting information about the
activities of citizens without letting them know
such surveillance occurs.
• Privacy of Data and Image
This privacy category covers the protection of
personal information in all forms, including data,
printed information, and images. Activities within
this category are concerned with establishing rules
that govern the collection, use, sharing and
handling of personal information.
Enterprises commonly consider this category to
have privacy implications involving protecting
specific information items.
Privacy Risk Examples
Examples of privacy issues include:
• Breach of financial information (e.g., bank account numbers), medical information (e.g., health insurance account numbers), government records (e.g., social security numbers), or records of a person’s activities on the Internet (e.g., through access logs)
• Photos and videos taken and shared without consent
Privacy Risk Examples
• Privacy of Thoughts and Feelings
This privacy category is focused on the protection of
individuals to ensure their thoughts and feelings are
not inappropriately shared with others, or they are
not forced to share and have negative impacts
against them in some way.
Examples of privacy issues include:
• Being forced to provide social media passwords
when applying for a job
• Being forced to reveal religious beliefs or political
views when applying for a job
Privacy Risk Examples
• Privacy of Location and Space
This privacy category is concerned with placing
limits on the ability to intrude into an individual’s
location, space and general environment.
The environment includes the home, workplace,
and public spaces. Interference with an individual's
territorial privacy usually takes the form of
monitoring, such as video surveillance or the use of
drones.
Examples of privacy issues include:
• Flying a drone over an individual’s property to
take photos
Privacy Risk Examples
- Recording individuals behind their property fence
• Privacy of Association
This privacy category addresses the right people
have to associate with anybody they wish to,
without unauthorized monitoring or marginalization.
This category also addresses the types of groups
that individuals belong to, for which they have no
control, for example, ethnicity or ancestry.
Examples of privacy issues include:
• DNA testing that demonstrates ethnicity or
ancestry
Privacy Risk Examples
• Denying membership of any kind after DNA
testing revealed predisposition to an
“undesirable” condition
• Employers using DNA testing to make
termination decisions
• Any type of segregation based on religion,
behavior, assembly or membership
Emerging Technologies & their
Privacy Risks
• Social media
• Evolving cloud and container computing services
• Mobile applications (apps)
• Big data analytics
• Internet of Things (IoT)
• Bring your own device practices (BYOD)
• Tracking/surveillance technologies
Data Subject Rights & Associated Risks
https://www.odpc.go.ke/data-subjects/#rights
Data Breach Risks
• Any personal data breach can fall into one or
more of the following categories:
Impact of Data Breaches
Communicating Data Breaches
• Breaches can cause significant damage to those
individuals whose personal data has been
compromised. For this reason, data controllers
are required by law to take action when a
personal data breach has occurred.
• The data controller should report personal data
breaches to the supervisory authority as soon as
possible and, where possible, within 72 hours.
• Notification to the Data Commissioner is
triggered where a breach is likely to result in a
risk to the rights and freedoms of individuals.
Communicating Data Breaches
• The level of risk associated with any personal
data breach will therefore need to be assessed
on a case-by-case basis and a decision reached
about (i) notifying the supervisory authority and
(ii) communicating with the data subjects.
Lesson 3
Accountability & Documentation

Accountability
• Accountability is one of the principles that govern data processing activities. It obliges organisations to be ready to demonstrate their compliance with the law.
• Accountability means that data controllers need to be ready to demonstrate the measures they have taken to ensure compliance with the various data processing principles.
Accountability Measures
Staff Training & Awareness
• An understanding of appropriate data protection
responsibilities should apply at all organisational
levels, relevant to members of boards or senior
management as well as to operational staff.
• This means ensuring that adequate data
protection, training and education has been
offered to, and availed of by, staff members.
Policies, Guidelines & Procedures
• A key way for organisations to show accountability is through the development of appropriate data protection policies.
• One way the Data Commissioner’s auditors would evaluate your privacy readiness is by reviewing your data protection documentation.
• Organisational policies, guidelines and procedures will reflect the underlying data processing functions specific to each organisation but may address areas such as:
– Policies governing data processing operations (e.g. data quality, security, etc.)
– Procedures to manage access, correction and deletion requests.
– Procedures for the management and reporting of security breaches.
– Procedures prior to creation of new personal data processing operations (internal review, assessment, etc.)
– Procedures to verify that measures are implemented in practice (internal or external audits, etc.)
– Mechanisms to handle complaints.
– Contracts to enforce data protection.
Record Keeping
• Organisations can demonstrate accountability by maintaining records of their processing activities.
• The nature of the records that need to be maintained may be derived from internal organisational policies or stem from legal requirements defined in the Data Protection Act.
• The typical records that must be maintained by organisations include:
– Record of any sharing or disclosure of the personal data.
– Record of any transfer of data outside Kenya and the associated safeguards.
– Retention periods/time limits for erasure of the different categories of data.
– A description of the technical and organisational security measures in place.
– The categories of data subjects and the purposes of the processing.
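The record-keeping list above can be turned into a completeness check that a DPO runs over the register before an audit. The following Python is an added example, not material from the module: it models one entry of a record of processing activities with the items the slide names, and a check that flags a missing purpose, a data category with no retention period, a transfer outside Kenya with no recorded safeguard, and similar gaps. The dataclass structure, the two sample activities and all their values are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ProcessingActivity:
    """One entry in the record of processing activities (assumed structure)."""
    name: str
    purposes: list                  # why the data is processed
    data_subject_categories: list   # e.g. employees, customers
    data_categories: list           # e.g. identity, bank details
    retention_days: dict            # data category -> days until erasure
    security_measures: list         # technical and organisational measures in place
    disclosures: list = field(default_factory=list)  # each: {"recipient": ..., "purpose": ...}
    transfers: list = field(default_factory=list)    # each: {"country": ..., "safeguard": ...}


def check_activity(a: ProcessingActivity) -> list:
    """Findings for one entry; an empty list means every required record is present."""
    findings = []
    if not a.purposes:
        findings.append("no purpose of processing recorded")
    if not a.data_subject_categories:
        findings.append("no categories of data subjects recorded")
    if not a.security_measures:
        findings.append("no technical or organisational security measures described")
    # Every category of data processed needs a retention period / time limit for erasure.
    for cat in a.data_categories:
        if cat not in a.retention_days:
            findings.append(f"no retention period for data category '{cat}'")
    for extra in sorted(set(a.retention_days) - set(a.data_categories)):
        findings.append(f"retention period for '{extra}', which is not listed as processed")
    # Sharing or disclosure must be recorded with a recipient and a reason.
    for d in a.disclosures:
        if not d.get("recipient") or not d.get("purpose"):
            findings.append("disclosure recorded without recipient or purpose")
    # A transfer outside Kenya must carry its associated safeguard.
    for t in a.transfers:
        country = t.get("country", "")
        if country and country != "Kenya" and not t.get("safeguard"):
            findings.append(f"transfer to {country} without a recorded safeguard")
    return [f"{a.name}: {f}" for f in findings]


def check_register(register) -> dict:
    """Map each activity name to its findings, so gaps are visible per activity."""
    return {a.name: check_activity(a) for a in register}


# Constructed sample register: one complete entry and one with gaps.
SAMPLE_REGISTER = [
    ProcessingActivity(
        name="payroll",
        purposes=["salary payment", "statutory deductions"],
        data_subject_categories=["employees"],
        data_categories=["identity", "bank details"],
        retention_days={"identity": 2555, "bank details": 2555},
        security_measures=["role-based access control", "encryption at rest"],
        disclosures=[{"recipient": "tax authority", "purpose": "statutory deductions"}],
    ),
    ProcessingActivity(
        name="marketing analytics",
        purposes=["campaign analytics"],
        data_subject_categories=["customers"],
        data_categories=["contact details", "browsing history"],
        retention_days={"contact details": 730},            # browsing history has none
        security_measures=[],                                # nothing documented yet
        transfers=[{"country": "Ireland", "safeguard": ""}],  # hosted abroad, safeguard blank
    ),
]


if __name__ == "__main__":
    for name, findings in check_register(SAMPLE_REGISTER).items():
        print(name, "->", findings or "complete")
```

Running it reports the payroll entry as complete and lists three gaps for the marketing entry (no security measures, no retention period for browsing history, and a transfer abroad with no safeguard), which is exactly the kind of documentation gap the slide says an auditor would look for.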
Lesson 4
The DPO & the Organisation

Governance
• Explain governance functions for data protection
• Describe the role of strategic management in data protection
• Design a basic organisation data protection plan
• Governance functions: impact assessments, data protection by design, data protection codes.
• Human factor in data governance: employees and contractors; employee involvement in data protection incidents (insider jobs, carelessness, WFH, disgruntled employees); ethical hacking.
Governance
Example: appointment of a data processor: legal agreement, country of the DP, compliance and security measures, DP and third parties, DP and DC obligations with data subjects and the DPC
• Role of strategic management in data protection.
• Organisation data protection plan; data insurance.
Who is a DPO?
• Explain the basis, functions and skills required of
a data protection officer
• Explain the various ways in which a DPO can be
appointed:
– Legal basis
– Appointment
– Functions
– Skills
Who is a DPO?
• A DPO is a Data Protection Officer, the contact person for all data protection matters in an organisation.
• The Data Commissioner (regulator) expects the DPO to be the liaison officer in terms of filing accountability reports.
Roles of a DPO
• The primary role of a data protection officer
(DPO) is to ensure that his or her organisation
processes the personal data of its staff,
customers, 3rd party providers or any other
individuals in compliance with the applicable
data protection regulations.
• A DPO should have knowledge of both the data
protection law and the associated technical
practices so that they can help organisations to
monitor and implement internal compliance with
the applicable regulations.
Roles of a DPO
• The key role of the DPO is to inform and advise
the organisation on its obligations under the data
protection legislation. In addition, DPOs act as
intermediaries between relevant stakeholders
(e.g. data commissioner, data subjects, and
business units within an organisation).
• Data subjects also contact the data protection
officer with regard to all issues related to
processing of their personal data and to the
exercise of their rights. It is within their right to
request contact details of any DPO.
Roles of a DPO
Section 24(7) states: A data protection officer shall:
(a) advise the data controller or data processor and their employees on data processing requirements provided under this Act or any other written law;
(b) ensure on behalf of the data controller or data processor that this Act is complied with;
(c) facilitate capacity building of staff involved in data processing operations;
(d) provide advice on data protection impact assessment; and
(e) cooperate with the Data Commissioner and any other authority on matters relating to data protection.

When is a DPO needed?
Section 24(1) states that: A data controller or data processor may designate or appoint a data protection officer on such terms and conditions as the data controller or data processor may determine, where:
(a) the processing is carried out by a public body or private body, except for courts acting in their judicial capacity;
(b) the core activities of the data controller or data processor consist of processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects; or
(c) the core activities of the data controller or the data processor consist of processing of sensitive categories of personal data.
Who can be a DPO?
Section 24(2) of the DPA states:
(2) A data protection officer may be a staff member of the data controller or data processor and may fulfil other tasks and duties provided that any such tasks and duties do not result in a conflict of interest.
Section 24(5) of the DPA states:
(5) A person may be designated or appointed as a data protection officer, if that person has relevant academic or professional qualifications which may include knowledge and technical skills in matters relating to data protection.
DPO & the Organisation
• Describe the various relationships between the DPO and the board, departments, data subjects and contractors
• Describe activities that a DPO would typically undertake: organisational change management; relationship with various departments; compliance and advisory functions; training; audits; relationship with data subjects; service charters; communications and notifications; independence and conflict of interests
DPO & the Organisation
• The DPO should set up and institute a Data Privacy Management Program/Framework with measurable parameters or principles to help guide the data protection activities across the organisation.
• There are several privacy frameworks the DPO can choose to implement, including but not limited to the OECD, ISO and ISACA privacy frameworks, amongst others.
Lesson 5
Instituting a Privacy Program/Framework
OECD Privacy Framework
• Organisation for Economic Co-operation and
Development (OECD) Privacy Principles
Framework, 2013.
• The OECD Privacy Principles closely tie to the
European Union (EU) member nation data
protection legislation and cultural expectations,
which implement the European Commission (EC)
Data Protection Directive (Directive 95/46/EC) and
other EU-style national privacy legislation.
OECD Privacy Framework
The eight privacy principles or parameters that are
monitored and measured include :
1. Collection Limitation
2. Data Quality
3. Purpose Specification
4. Use Limitation
5. Security Safeguards
6. Openness
7. Individual Participation
8. Accountability
ISO Privacy Framework
• The 11 privacy principles that are measured and monitored are:
1. Consent and choice
2. Purpose legitimacy and specification
3. Collection limitation
4. Data minimization
5. Use, retention and disclosure limitation
6. Accuracy and quality
7. Openness, transparency and notice
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance
ISACA Privacy Framework
The 14 ISACA privacy principles are:
• Principle 1: Choice and consent
• Principle 2: Legitimate purpose specification and use limitation
• Principle 3: Personal information and sensitive information life cycle
• Principle 4: Accuracy and quality
• Principle 5: Openness, transparency and notice
• Principle 6: Individual participation
• Principle 7: Accountability
• Principle 8: Security safeguards
• Principle 9: Monitoring, measuring and reporting
• Principle 10: Preventing harm
• Principle 11: Third party/vendor management
• Principle 12: Breach management
• Principle 13: Security and privacy by design
• Principle 14: Free flow of information and legitimate restriction
Principle 1: Choice and Consent
When collecting personal information from data
subjects, the data controller should:
• Describe, within some type of privacy notice, the
choices (e.g., for accessing, updating, restricting
access to their associated personal information)
that are available to the data subject.
• Obtain implicit or explicit consent. This should be
as appropriate and according to what the
corresponding regulation mandates (if there is a
regulation in place) for the associated situation,
with respect to the collection, use, and disclosure
of personal information.
Principle 1: Choice and Consent
• Ensure that appropriate and necessary consents
have been obtained:
– Prior to commencing collection activities.
– Prior to using the personal information for other
purposes beyond those for which the personal
information was originally collected.
– Prior to the transfer of personal information to
third parties and other jurisdictions.
Principle 2: Legitimate purpose specification and use limitation
When collecting and using personal information, the
data controller should:
• Describe and specify the purpose(s) for which
personal information, and any associated
sensitive information, is collected in the privacy
notice or other means of communication, when
the request for personal information is made.
They must ensure that the purpose(s) complies
with applicable law and relies on a permissible
legal basis.
Principle 2: Legitimate purpose specification and use limitation
• Align the subsequent uses of the personal
information and sensitive information with the
purpose(s) provided, as well as with the consents
obtained; and be compliant with associated legal
requirements for use limitation.
• Communicate when necessary with applicable
data protection authorities about legitimate
purposes and use limitations.
Principle 3: Personal information
and sensitive information lifecycle
When determining how personal information will be
collected and used throughout the entire
information life cycle, the data controller should:
• Limit the collection, derivation, use, disclosure,
transfer, retention, and disposal of personal and
sensitive information throughout the entire
information life cycle to that which is within the
bounds of applicable law and strictly necessary
for the specified purpose(s).
• Collect, derive or obtain personal information
and sensitive information by fair means.
Principle 3: Personal information
and sensitive information lifecycle
• Minimize the personal information and sensitive
information that is processed and those with
access to it, to only that which is necessary for
the purposes that it was collected or derived for.
• Retain personal information and sensitive
information for only as long as necessary to fulfill
the stated purposes or as required by law or
regulations.
Principle 3: Personal information
and sensitive information lifecycle
• Irreversibly dispose personal information when
no longer needed to fulfill the stated purposes as
required by legal requirements (e.g., laws,
regulations and standards), using the most
appropriate disposal and destruction method
based upon the storage media.
• Support appropriate controls for personal
information and sensitive information throughout
the entire information life cycle.
Principle 4: Accuracy and quality
The data controller should:
• Implement practices and processes to ensure that
personal information and sensitive information is
accurate, complete, and up to date to the extent
necessary for the purposes of use. This minimizes
the possibility that inappropriate or inaccurate
information may be used to make a decision
about the data subject.
Principle 4: Accuracy and quality
The data controller should:
• Not update personal information unless such a process is necessary to fulfill the purposes for which the information was collected. Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up to date.
Principle 5: Openness,
transparency and notice
The data controller should provide the following
information to data subjects:
• Clear and easily accessible information about its
privacy management program, policies and
practices.
• Accurate details in the privacy notice about the
personal information and sensitive information
that is being collected, derived and processed;
• The purpose(s) for these actions; to whom and to
which jurisdiction the personal information might
be disclosed or transferred; and the identity of
the data controller including information on how
to contact the data controller.
Principle 6: Individual
Participation
The data controller should provide data subjects
with the following rights and capabilities:
• A process to request confirmation from the data
controller about whether the data controller has
personal information relating to the data
subjects; and when, why, and where the
information was obtained.
• A reasonable process to provide data subjects
with access, within a reasonable time and at a
reasonable cost, (if applicable) to their
associated personal information and sensitive
information, in an easy to understand format.
Principle 6: Individual
participation
• A method to validate the identity of the
individual prior to the data controller providing
the appropriate information to fulfill the data
subject’s request.
• A reasonable process to provide the data subject
with the opportunity to challenge the accuracy or
use of personal information/ sensitive
information relating to him/her; and if the
challenge is successful, to have the personal
information erased, rectified, completed or
amended.
Principle 6: Individual
participation
• A reasonable process to provide the data subject
with portability of his or her associated personal
information and sensitive information that can
allow for the data subject to move the
information to a different service provider.
• A reasonable process to give the data subject the
opportunity to provide consent/ authorization, or
deny the same, prior to the data controller
continuing with the collection and use of
personal information or sensitive information.
Principle 6: Individual
participation
• A reasonable process to enable the data subject
to request an accounting of disclosures that
details with whom, when, why, and how personal
information and sensitive information has been
shared.
• A reasonable process to give the data subject the
opportunity to request restriction of uses of
personal information and sensitive information.
Principle 7: Accountability
The data controller and all associated data
processors should be accountable for appropriate
governance and risk management of personal
information and sensitive information for which they
have responsibility. The data controller should:
• Identify appropriate privacy stakeholders and
applicable legal requirements; and implement
privacy frameworks to support risk mitigation
and legal compliance.
• Analyze, assess, and manage privacy risk
throughout the enterprise.
Principle 7: Accountability
• Assign roles, responsibility, accountability, and
authority for performing privacy risk
management processes.
• Define, document, communicate, and assign
accountability for privacy policies and supporting
procedures and standards.
• Identify and inventory personal information/
sensitive information and business processes
that involve such information.
• Provide periodic privacy training and ongoing
awareness communications.
Principle 8: Security safeguards
The data controller should:
• Identify appropriate security safeguards, based
upon identification of privacy risk, that align with
all existing information security policies,
applicable laws, and regulations that the data
controller has ready to implement throughout the
enterprise.
• Establish security safeguards that include
administrative, technical, and physical security
controls that address confidentiality, integrity
and availability (CIA) of information in all forms,
to mitigate risk to appropriate levels.
Principle 9: Monitoring, measuring
and reporting
The data controller should establish appropriate and
consistent monitoring, measuring, and reporting of
the effectiveness of the privacy management
program and tools. The data controller should
establish a framework for measuring and
monitoring the following:
• Effectiveness of the privacy management
program.
• Level of compliance with applicable policies,
standards, and legal requirements.
• Use and implementation of privacy tools.
• Types and numbers of privacy breaches that
Principle 9: Monitoring, measuring
and reporting
• Privacy risk areas within the data controller.
• Third parties that have access to personal
information, sensitive information and the
associated risk levels.
• Report compliance with privacy policies,
applicable standards and laws to key
stakeholders.
Principle 10: Preventing harm
The data controller should:
• Establish documented practices that
demonstrate that the interests of the data
subjects are recognized, respected, and support
legitimate expectations of privacy.
• Design the implementation of controls for
personal information and sensitive information to
prevent misuse of that information, which can
result in harm to the associated individuals.
Principle 10: Preventing harm
• Ensure that data processors understand the
privacy harms that can occur to data subjects if
the personal information and sensitive
information that data processors can access
during their job responsibilities is misused or
breached, and understand that they must take
appropriate actions to prevent such harms.
• Establish processes to mitigate any personal
harms that occur to data subjects as a result of
privacy breaches.
Principle 11: Third party/ vendor
management
The data controller should provide ongoing
oversight of third parties to which the data
controller entrusts any type of access to the
personal information and sensitive information for
which the data controller is responsible. The data
controller should:
• Implement governance and risk management
processes; apply contractual, administrative, and
audit measures to ensure the appropriate
protections and use of personal information and
sensitive information that are transferred to,
maintained, processed, controlled, and/or
Principle 11: Third party/ vendor
management
• Require all third parties with any type of access
to personal information and sensitive information
to report personal information breaches in a
timely manner to the data controller without
delay (as defined by the data controller to the
third party and as required by any applicable
data protection authorities).
Principle 12: Breach management
The data controller should establish methods to prevent, identify quickly, respond to, and effectively mitigate privacy breaches. The data controller should:
• Establish a documented policy and supporting
procedure for identifying, escalating, and
reporting incidents of personal information and
sensitive information breaches to data subjects
and relevant data protection authorities (as
necessary), in a timely manner to mitigate
potential legal and reputational risk.
Principle 12: Breach management

• Maintain records of all personal information


and sensitive information breaches including
incident details, actions, and progress with
investigation, remediation, and monitoring the
progress until the incident is closed.
• Implement remediation actions to prevent
reoccurrence of personal information and
sensitive information breaches of a similar
nature.
Principle 13: Security and privacy by design

The data controller should document the enterprise privacy philosophy by which it performs business activities. The data controller should:
• Ensure executive support for the identification of personal and sensitive information security and privacy risk within enterprise events. Communicate executive support for enterprise-wide privacy roles and responsibilities during the implementation of IT systems, new/ updated manual or computerized business processes, and the launch of enterprise programs and operations involving personal information.
• Establish a documented enterprise privacy policy describing the privacy philosophy for the data controller, including clear executive support, to ensure that the impact to the security and privacy of personal information and sensitive information is evaluated when new initiatives and changes to enterprise structure occur.
Principle 14: Free flow of information and legitimate restriction

The data controller should:
• Establish a framework to govern the transfer of personal information and sensitive information outside of the jurisdiction of the data controller to ensure regulatory adequacy.
• Ensure that the transfer of personal information and sensitive information does not violate relevant legal requirements and contractual responsibilities.
• Document the security and privacy protection requirements for the data processor receiving the personal information to implement within other jurisdictions.
• Ensure the data processor receiving the personal information has implemented the security and privacy measures that are necessary to meet the requirements of the data controller and the applicable legal and data protection authority requirements.
• Maintain records of all personal information transferred into and out of the data controller’s jurisdiction.
Lesson 6

How To Be Compliant

How to be Compliant & Documentation
• Explain some of the documentation for data protection.
• Design documentation required for their organisation’s data protection.
• Examples of documentation: data records, security documentation, DP plan, DPIA report, etc.
• Data Privacy & Protection By Design
  – Create inventory of Data Processes & their Life Cycle.
  – Evaluate existing data processing systems to establish the extent (or not) to which they meet the Key Principles (Consent, Purpose, Data Minimization, etc.).
  – Undertake Data Protection Impact

How to Be Compliant
• Appoint Data Protection Officers/ Function.
• Take note of Clause on Automated Processing & Data Transfers.
• Take note of Breach Notifications (within 72hrs).
How to be Compliant: Key Steps
• Management. The Enterprise shall define, document, communicate, and assign accountability for its privacy policies and procedures.
• Privacy Notice. The Enterprise shall provide notice about its privacy policies and procedures and identify the purposes for which personal information is collected, used, retained, and disclosed.
• Choice and consent. The Enterprise shall describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of
• Collection. The Enterprise shall collect personal information only for the purposes identified in the notice.
• Data Min/Use and disposal. The Enterprise shall limit the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent.
• Retention Policies. The Enterprise shall retain personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations, and thereafter appropriately dispose of such information.
• Access. The Enterprise shall provide individuals with access to their personal information for review and update.
• Disclosure to third parties. The Enterprise shall disclose personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
• Security for privacy. The Enterprise shall protect personal information against unauthorized access (both physical and logical).
• Quality. The Enterprise shall maintain accurate, complete, and relevant personal information for the purposes identified in the notice.
• Monitoring and enforcement. The Enterprise shall monitor compliance with its privacy policies and procedures and institute procedures to address privacy-related complaints and disputes.
How to be Compliant: Minimum Baseline 5-Point Action Plan
(Five-point diagram; the five points:)
• Privacy Policy & Consent Management
• Data Mapping & Data Protection Impact Assessments
• Data Subjects Access Requests (DSAR)
• 3rd Party Vendor Management (Data Processors)
• Breach Notification
Sample Privacy Program Metrics

Maturity Model/ Rating Scale (ISO 15504)
Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment (DPIA), also known as a Privacy Impact Assessment, aims to identify the potential privacy risks of new or redesigned programs, systems or products.
The Law provides some circumstances where a DPIA would be mandatory. For example:
• (a) processing that involves automated decision making that produces a significant effect on data subjects;
• (b) systematic monitoring of data subjects in a publicly accessible area; or
• (c) large scale processing of sensitive data (special categories of data and data regarding criminal offences).
Sample Data Protection Impact Assessments

Sample Privacy Policy: Typical Content
• Identity and contact information of the controller;
• Where personal data is not collected from the individual, the source and nature of that data;
• The purposes of the processing;
• The legal bases for the processing, including details of applicable legitimate interests;
• The recipients or categories of recipients of the personal data;
• Details of international transfers of personal data that require legal protections, and details of those protections;
• The periods for which the personal data will be stored, or at least the criteria used to determine those periods;
• Individuals’ legal rights with respect to their personal data;
• Whether the provision of personal data is a legal requirement;
• The existence of automated decision-making, including profiling (if any).
Practical Session
• Describe the steps we would take in case of a data breach.
• Hypothetical activity to be shared at the beginning of the course.

Lesson 7

Practical Session
Typical Privacy Activities/ Challenges
• How to do Data Mapping/Privacy Impact Assessments:
  – Data Transfer/Location, Privacy Risk Profiles.
  – Personal data is stored and processed on on-site and in-cloud IT infrastructure.
• How to realign the internal workflows to comply:
  – Consent Management, Data Subject Request, Incident/ Breach Management.
• How to realign existing policies to comply:
  – Data Protection/ Privacy Policy, Data Processor Agreements, Cookie Policies, Incident-Breach Policies, Data Retention Policies, etc.
• Compliance costs in terms of readiness and re-engineering data processes may be high for most organisations.
• Poor understanding of the data protection regime
  – Capacity Building Required For Stakeholders: Data Controllers/ Data Processors/ Data Subjects.
FB Compliance - Example
Google Compliance - Example
Twitter Compliance - Example
FB Privacy Policy - Example
Sample Incident Reporting Form
Sample Incident Register
Sample Incident Management Dashboard
Sample Cookie Settings
Sample Consent Management Dashboard
Sample Data Subject Request
Sample Data Mapping Dashboard
Exercise (Introduction to Data Mapping)
Under each of your functional domains, identify processes that capture the following personal data:
• Sales & Marketing,
• Finance
• HR
• ICT
• Legal,
• Customer Care, etc.

Then show how each of the processes addresses the following data subject rights:
○ Purpose of process
○ How consent is captured
○ Which data is collected
○ Where it is kept (location)
○ Who can access it
○ How it is updated
○ Its retention period.
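One way to turn the exercise above into a repeatable check, as an added example that is not part of the original slides: each mapped process is recorded per functional domain and tested against the seven attributes listed, with unbounded retention flagged as well. The record structure, field names and sample register are constructed for illustration.

```python
# Added example, not from the original slides: a minimal check over a
# data-mapping register; the records and field names below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List

# Attributes every mapped process must answer (the exercise list).
REQUIRED = ("purpose", "consent_method", "data_collected",
            "location", "access", "update_method", "retention_period")
UNBOUNDED = ("indefinite", "forever", "until further notice")

@dataclass
class ProcessRecord:
    domain: str                     # functional domain, e.g. "HR"
    name: str                       # the business process being mapped
    attributes: Dict[str, str] = field(default_factory=dict)

def check_record(rec: ProcessRecord) -> List[str]:
    """Findings for one process: missing attributes and unbounded retention."""
    findings = []
    for key in REQUIRED:
        if not rec.attributes.get(key, "").strip():
            findings.append(f"{rec.domain}/{rec.name}: '{key}' not documented")
    # Retention must be a bounded period (retention principle, Key Steps slide).
    if rec.attributes.get("retention_period", "").strip().lower() in UNBOUNDED:
        findings.append(f"{rec.domain}/{rec.name}: retention period is unbounded")
    return findings

def check_register(records: List[ProcessRecord]) -> Dict[str, List[str]]:
    """Group findings by domain so each process owner sees their own gaps."""
    report: Dict[str, List[str]] = {}
    for rec in records:
        for finding in check_record(rec):
            report.setdefault(rec.domain, []).append(finding)
    return report

SAMPLE_REGISTER = [
    ProcessRecord("HR", "Payroll", {
        "purpose": "Pay salaries", "consent_method": "Employment contract",
        "data_collected": "Name, bank account, ID number",
        "location": "On-site HR server", "access": "Payroll team",
        "update_method": "Employee self-service portal",
        "retention_period": "7 years after exit"}),
    ProcessRecord("Sales & Marketing", "Newsletter", {
        "purpose": "Marketing emails", "consent_method": "Web opt-in checkbox",
        "data_collected": "Email address", "location": "Cloud mailing service",
        "retention_period": "indefinite"}),  # access and update not answered
]

if __name__ == "__main__":
    for domain, items in check_register(SAMPLE_REGISTER).items():
        print(domain, *("\n  - " + i for i in items))
```

Running it reports only the Sales & Marketing newsletter: two attributes left blank and an unbounded retention period, while the fully documented payroll process produces no findings.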
References
• Kenya Data Protection Act 2019
• WP 248, Article 29 Data Protection Working Party
• ISACA Privacy Standards/Principles
• ISO Standards
• OECD Standards
