Using ISACA Privacy Principles for GDPR Compliance

Author: Rebecca Herold, CEO, Privacy & Security Brainiacs
Date Published: 10 August 2017

I started addressing privacy risk within a large multinational financial and health care organization around 1993 when, generally, no legal requirements for addressing privacy existed, but certainly many privacy risk factors and concerns did indeed exist. (Note: Just because there are no laws governing privacy, it does not mean there is no privacy risk or potential privacy harms; there could be many.) How times have changed.

Now the need to address privacy to meet legal obligations has expanded, and so have the privacy risk factors that are emerging in everyday use of new technologies, which continue to expand exponentially, as more personal information is created and shared daily. Additionally, the drivers for protecting privacy to address these risk factors have evolved throughout the countries that have been implementing data protection laws, and the ways in which these views are addressed also continue to develop. For example, in some parts of the world, privacy laws were generally created to address and reflect sectoral issues, such as in the United States. In other parts of the world, privacy laws were created to reflect the issue of protecting each individual citizen’s rights for all the industries within which their associated personal data are used, such as throughout the European Union countries.

Early in the creation of privacy laws, this tactic seemed to work, at least from a nation-based view. However, economic globalization and online sharing of data from all parts of the world have made country borders effectively disappear, particularly online. Now those regional differences in laws have become a significant challenge for all businesses in general (with individuals traveling the world to do business anywhere with the press of a keyboard button), and information assurance professionals in particular are challenged to meet multiple compliance requirements with all those digital international travelers visiting their online storefronts and using their apps.

Business leaders with responsibilities that include information security, privacy and compliance need to identify not only the data protection laws with which they must comply, but also the privacy risk applicable to their organizations, along with the privacy harms possible to the associated data subjects, and then utilize effective frameworks to help them to address and appropriately mitigate, on an ongoing basis, the privacy risk. One current focus for a large number of worldwide organizations is how to get ready and meet the new EU data protection law next year.

GDPR Background

In 2016, the European Union General Data Protection Regulation (GDPR) 1 was adopted, effective 25 May 2018, to replace Directive 95/46/EC with a legally binding regulation that serves as the EU data protection law. The purpose of this article is not to provide in-depth coverage of the GDPR. However, for readers who are not familiar with the massive breadth of topics covered, it is helpful to provide, as a reference, a high-level outline of the wide range of topics covered within the law's 11 chapters, consisting of 99 articles with hundreds of specific requirements in total. They include:

  • Chapter 1—General provisions includes Articles 1 through 4 covering: Subject matter and objectives; Material scope; Territorial scope; Definitions
  • Chapter 2—Principles includes Articles 5 through 11 covering: Principles relating to processing of personal data; Lawfulness of processing; Conditions for consent; Conditions applicable to child's consent in relation to information society services; Processing of special categories of personal data; Processing of personal data relating to criminal convictions and offences; Processing which does not require identification
  • Chapter 3—Rights of the data subject includes Articles 12 through 23 covering: Transparency and modalities; Transparent information; Communication and modalities for the exercise of the rights of the data subject; Information and access to personal data; Information to be provided where personal data are collected from the data subject; Information to be provided where personal data have not been obtained from the data subject; Right of access by the data subject; Rectification and erasure; Right to rectification; Right to erasure (‘right to be forgotten’); Right to restriction of processing; Notification obligation regarding rectification or erasure of personal data or restriction of processing; Right to data portability; Right to object and automated individual decision-making; Right to object; Automated individual decision-making, including profiling; Restrictions
  • Chapter 4—Controller and processor includes Articles 24 through 43 covering: General obligations; Responsibility of the controller; Data protection by design and by default; Joint controllers; Representatives of controllers or processors not established in the Union; Processor; Processing under the authority of the controller or processor; Records of processing activities; Cooperation with the supervisory authority; Security of personal data; Security of processing; Notification of a personal data breach to the supervisory authority; Communication of a personal data breach to the data subject; Data protection impact assessment; Prior consultation; Data protection officer; Designation of the data protection officer; Position of the data protection officer; Tasks of the data protection officer; Codes of conduct and certification; Codes of conduct; Monitoring of approved codes of conduct; Certification; Certification bodies
  • Chapter 5—Transfers of personal data to third countries or international organisations includes Articles 44 through 50 covering: General principle for transfers; Transfers on the basis of an adequacy decision; Transfers subject to appropriate safeguards; Binding corporate rules; Transfers or disclosures not authorised by Union law; Derogations for specific situations; International cooperation for the protection of personal data
  • Chapter 6—Independent supervisory authorities includes Articles 51 through 59 covering: Independent status; Supervisory authority; Independence; General conditions for the members of the supervisory authority; Rules on the establishment of the supervisory authority; Competence, tasks and powers; Competence; Competence of the lead supervisory authority; Tasks; Powers; Activity reports
  • Chapter 7—Cooperation and consistency includes Articles 60 through 76 covering: Cooperation; Cooperation between the lead supervisory authority and the other supervisory authorities concerned; Mutual assistance; Joint operations of supervisory authorities; Consistency; Consistency mechanism; Opinion of the Board; Dispute resolution by the Board; Urgency procedure; Exchange of information; European data protection board; European Data Protection Board; Independence; Tasks of the Board; Reports; Procedure; Chair; Tasks of the Chair; Secretariat; Confidentiality
  • Chapter 8—Remedies, liability and penalties includes Articles 77 through 84 covering: Right to lodge a complaint with a supervisory authority; Right to an effective judicial remedy against a supervisory authority; Right to an effective judicial remedy against a controller or processor; Representation of data subjects; Suspension of proceedings; Right to compensation and liability; General conditions for imposing administrative fines; Penalties
  • Chapter 9—Provisions relating to specific processing situations includes Articles 85 through 91 covering: Processing and freedom of expression and information; Processing and public access to official documents; Processing of the national identification number; Processing in the context of employment; Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; Obligations of secrecy; Existing data protection rules of churches and religious associations
  • Chapter 10—Delegated acts and implementing acts includes Articles 92 through 93 covering: Exercise of the delegation; Committee procedure
  • Chapter 11—Final provisions includes Articles 94 through 99 covering: Repeal of Directive 95/46/EC; Relationship with Directive 2002/58/EC; Relationship with previously concluded Agreements; Commission reports; Review of other Union legal acts on data protection; Entry into force and application 2

The EU GDPR does not impose data transfer restrictions on data flows within the European Union (registration and notification requirements still apply). However, the EU GDPR does regulate transfers of personal data to and from non-EU countries. Personal information can be transferred only to jurisdictions outside of the European Union that can demonstrate an “adequate level of protection” 3 for the personal information or have another basis for the transfer.

EU data protection law provides data subjects with a wide range of rights that can be enforced against organizations that process personal data. These rights will limit the ability of organizations to lawfully process the personal data of data subjects in many of the ways that they had regularly done in the past. These new rights could significantly impact an organization's business model. This change to an individual-focused protection model represents a major transformation for how organizations must now protect the personal data of individuals throughout Europe.

GDPR Has Global Impact

Given the significant financial penalties for non-compliance 4 and what appear to be more proactive compliance efforts planned from the EU data protection supervisor, 5 the GDPR truly compels action from all organizations not only doing business across Europe (including the United Kingdom post-Brexit, along with the European Union and European Economic Area countries), but also all organizations with offices in Europe, workers in Europe (even if they are not there permanently), clients, customers, patients and any type of consumer in Europe. Does an organization have a website? Do individuals from Europe interact with that organization through its website? Do they use its applications (apps)? If so, then GDPR most likely impacts that organization. All organizations that act as controllers 6 are directly affected by the rights the GDPR establishes for data subjects. Organizations that act as processors (e.g., contracted vendors, third parties) must also be aware of GDPR requirements, and most will need to comply with all requirements, generally. This can be facilitated by establishing a privacy management framework that considers all the organization’s applicable legal requirements for personal data protection.

Using ISACA Privacy Principles for GDPR Compliance

The recently released ISACA Privacy Principles and Program Management Guide can be used by information assurance professionals, in conjunction with COBIT 5, to implement a privacy program within the COBIT 5 governance and management framework construct to establish such a privacy risk management framework. The recently released ISACA publication, Implementing a Privacy Protection Program: Using COBIT 5 Enablers With the ISACA Privacy Principles describes in detail how to accomplish this.

This article provides one example using a current, common, worldwide initiative for compliance with one of the 99 Articles within the GDPR, Article 34, “Communication of a personal data breach to the data subject,” 7 a challenge faced not only by any organization located in the European Union, but also by any organization with offices, workers, patients, clients, customers, or any personal data of anyone in or from the European Union.

For reference when going through this example, here are the 14 ISACA Privacy Principles defined within the ISACA Privacy Principles and Program Management Guide:

  1. Choice and Consent
  2. Legitimate Purpose Specification and Use Limitation
  3. Personal Information and Sensitive Information Life Cycle
  4. Accuracy and Quality
  5. Openness, Transparency and Notice
  6. Individual Participation
  7. Accountability
  8. Security Safeguards
  9. Monitoring, Measuring and Reporting
  10. Preventing Harm
  11. Third-party/Vendor Management
  12. Breach Management
  13. Security and Privacy by Design
  14. Free Flow of Information and Legitimate Restriction 8

The ISACA Privacy Principles and Program Management Guide provides a high-level look at how the ISACA Privacy Principles apply to COBIT 5 and provides full explanation of each privacy principle.

Figure 1 demonstrates the relationship among GDPR Article 34, COBIT 5, the ISACA Privacy Principles (the wording is slightly modified for better ease of reading in this context) and an organization’s related activities. This demonstrates how practical utilization of the ISACA Privacy Principles, in conjunction with the COBIT 5 principles, can be used to support the creation and implementation of management processes to support Article 34 compliance requirements for breach response procedures and associated actions with managing a privacy breach.

Figure 1—Mapping COBIT 5 and ISACA Privacy Principles to Compliance Requirements

Each row of figure 1 gives, in this order: the GDPR Article 34 requirement for breach response; the ISACA Privacy Principles involved (primary and related); the COBIT 5 principles involved; and the organization activities that address the requirement.

Row 1

GDPR Article 34 requirement: When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (data subjects), the data controller must communicate the personal data breach to the data subjects without undue delay.

ISACA Privacy Principles
Primary: 12: Breach Management
Related:
3: Personal Information and Sensitive Information Life Cycle
5: Openness, Transparency and Notice
6: Individual Participation
7: Accountability
9: Monitoring, Measuring and Reporting

COBIT 5 Principles
1. Meeting stakeholder needs: Supporting privacy needs, maintaining/building data subject trust and providing benefits
2. Covering the enterprise end to end: Knowing where personal data exist so breaches and related details can be identified
4. Enabling a holistic approach: Ensuring that the enablers within the organization (e.g., IT, Legal, Compliance) and their processes, information and policies are appropriately coordinated, that the skills for appropriate communications are in place, and that the culture reacts appropriately to a breach
5. Separating governance from management: Supporting and defending the business appropriately and transparently when privacy breaches occur, while also communicating to impacted data subjects to mitigate privacy harms

Organization Activities
A. Upon awareness of the breach, activate the breach response team that is responsible for determining privacy harm risk levels and for providing notice to involved data subjects.
B. Document the breached personal data items for which the data controller was responsible.
C. Follow documented breach identification and response policies and procedures to determine if there is high risk of harm 9 to associated data subjects.
D. If there is high privacy harm risk, create the notice, including the breached personal data items, and communicate to the involved data subjects as shown in row 2 of this table.
E. The breach team will determine what, if any, corrective actions (measures) should be taken to:
• Mitigate risk of harm to associated data subjects.
• Prevent subsequent similar types of breaches.

Row 2

GDPR Article 34 requirement: The communication about the breach to the impacted data subjects must describe in clear and plain language the nature of the personal data breach and contain at least the name and contact details of the data protection officer or other contact point where more information can be obtained, a description of the likely consequences of the personal data breach, a description of the measures taken or proposed to be taken by the controller to address the personal data breach, and any adverse effects of mitigation actions taken.

ISACA Privacy Principles
Primary: 9: Monitoring, Measuring and Reporting
Related:
5: Openness, Transparency and Notice
10: Preventing Harm
12: Breach Management

COBIT 5 Principles
1. Meeting stakeholder needs: Supporting privacy needs, maintaining/building data subject trust, and providing benefits
2. Covering the enterprise end to end: Knowing where personal data exist so breaches and related details can be identified
4. Enabling a holistic approach: Identifying associated privacy risk, and providing privacy controls necessary for mitigation and to prevent further similar breaches
5. Separating governance from management: Supporting and defending the business when privacy breaches occur. Promoting responsible behaviors to protect the privacy of all associated individuals

Organization Activities
A. If there is high risk of harm to the involved data subjects, obtain the description of the actions the breach response team has taken to date and write a description of those actions, including the likely harms and consequences and the mitigating controls taken and planned.
B. Determine the amount of effort to provide the breach notice. Follow procedures to write and distribute breach notices, based upon the amount of effort for providing notice, that include all the required information elements, and write it in a clear and easy-to-understand manner.

Row 3

GDPR Article 34 requirement: The communication to the data subject referred to in row 1 shall not be required if any of the conditions in rows 3(a), 3(b) or 3(c) are met:

ISACA Privacy Principles
Primary: 12: Breach Management
Related:
5: Openness, Transparency and Notice

COBIT 5 Principles
1. Meeting stakeholder needs: Supporting privacy needs, maintaining/building data subject trust, and providing benefits
5. Separating governance from management: Supporting and defending the business when privacy breaches occur; promoting responsible behaviors to protect the privacy of all associated individuals

Organization Activities
A. If the risk is not high, communications are not required to be sent to affected data subjects.
B. The breach response team and applicable management determine, based on the type of breach and any publicity to date, whether or not notification communications will be sent to affected data subjects anyway.

Row 3(a)

GDPR Article 34 requirement: the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;

ISACA Privacy Principles
Primary: 12: Breach Management
Related:
8: Security Safeguards
10: Preventing Harm
13: Security and Privacy by Design

COBIT 5 Principles
1. Meeting stakeholder needs: Supporting privacy needs, maintaining/building data subject trust, and providing benefits
2. Covering the enterprise end to end: Knowing where personal data exist so breaches and related details can be identified
5. Separating governance from management: Governance bodies ensure that privacy by design is made a priority. Adequate means are mandated, and their adequacy is regularly assessed.

Organization Activities
This is addressed in row 1 activities.

Row 3(b)

GDPR Article 34 requirement: the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialize;

ISACA Privacy Principles
Primary: 12: Breach Management
Related:
8: Security Safeguards
10: Preventing Harm

COBIT 5 Principles
1. Meeting stakeholder needs: Supporting privacy needs, maintaining/building data subject trust, and providing benefits
2. Covering the enterprise end to end: Knowing where personal data exist so breaches and related details can be identified
5. Separating governance from management: Management ensures changes occur (plan, build, run and monitor) to ensure similar privacy breaches do not occur again. Governance roles monitor any potential privacy harms to breach victims.

Organization Activities
This is addressed in row 1 activities.

Row 3(c)

GDPR Article 34 requirement: it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

ISACA Privacy Principles
Primary: 12: Breach Management
Related:
5: Openness, Transparency and Notice

COBIT 5 Principles
1. Meeting stakeholder needs: Supporting privacy needs, maintaining/building data subject trust and providing benefits
5. Separating governance from management: Management actions support business changes to ensure transparency to victims and the public. Governance roles promote and ensure responsible behavior to protect the privacy of all associated individuals.

Organization Activities
This is addressed in row 1 activities.

Row 4

GDPR Article 34 requirement: If the controller has not already communicated the personal data breach to the associated data subjects, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.

ISACA Privacy Principles
Primary: 12: Breach Management
Related:
5: Openness, Transparency and Notice
10: Preventing Harm

COBIT 5 Principles
1. Meeting stakeholder needs: Supporting privacy needs, maintaining/building data subject trust, and providing benefits
5. Separating governance from management: Appropriate management communicates with supervisory authorities as appropriate when privacy breaches occur. Governance roles promote responsible behavior from those within the organization to protect the privacy of all associated individuals.

Organization Activities
A. The breach response team will follow breach procedures to notify the supervisory authority. Such notification will include the same information as was included in the data subject breach notifications, if they were sent. If breach notifications were not sent, the information sent to the supervisory authority will contain the same information as would have been included in the event that notification had been given.
B. If notifications were not provided to the impacted data subjects and the supervisory authority determines that they should be notified, the breach response team will follow documented procedures to send such notifications.

Implementing a Privacy Protection Program: Using COBIT 5 Enablers With the ISACA Privacy Principles includes details, as shown in the excerpted figure 2, to identify the management processes for incidents within the COBIT 5 process reference model. Similar tables are provided in Implementing a Privacy Protection Program: Using COBIT 5 Enablers With the ISACA Privacy Principles for the other topics within the COBIT 5 process reference model as well.

Figure 2—COBIT 5 Management Process Set DSS02

DSS02 Manage Service Requests and Incidents

Area: Management
Domain: Deliver, Service and Support

COBIT 5 Process Description
Provide timely and effective response to user requests and resolution of all types of incidents. Restore normal service; record and fulfill user requests; and record, investigate, diagnose, escalate and resolve incidents.

COBIT 5 Process Purpose Statement
Achieve increased productivity and minimize disruptions through quick resolution of user queries and incidents.

Primary Privacy Principles Involved

• Principle 3: Personal Information and Sensitive Information Life Cycle
• Principle 9: Monitoring, Measuring and Reporting
• Principle 10: Preventing Harm
• Principle 12: Breach Management

DSS02 Privacy-specific Process Goals and Metrics

Privacy-specific process goal: A privacy breach and incident response program including actions to ensure that responses are effective, efficient and appropriate is established and maintained.

Related metrics:

  • Mean time to resolve privacy breaches and privacy-related incidents
  • Number and percentage of privacy breaches and privacy-related incidents causing disruption to business-critical processes
  • Number of privacy breaches and privacy-related incidents open/closed and their risk rankings
  • Frequency of privacy breach and incident response plan testing
  • GDPR and other breach regulations:
    • Number of data subjects involved in each breach
    • Number of personal data types involved in each breach
    • Number of data subjects provided with a breach notice communication using each of the following types of notice media:
      • Phone calls
      • Emails
      • TV media notices
      • Newspaper notices
      • Postal mail notices

DSS02 Privacy-specific Process Practices, Inputs/Outputs and Activities

For each management practice below, the first line is the COBIT 5 practice, the second line is its privacy-specific description, and the bullets are the privacy-specific activities (in addition to the COBIT 5 activities).

DSS02.01 Define incident and service request classification schemes.
Define privacy breach and privacy-related incident and service request classification schemes and models.

  • Define and communicate the nature and characteristics of privacy breaches and potential privacy-related incidents so they can be easily recognized and their impact understood to enable a commensurate response.
  • Document each GDPR-specific privacy incident to support cumulative reporting of all GDPR-related breaches.

DSS02.02 Record, classify and prioritize requests and incidents.
Identify, record and classify service requests and incidents, and assign a priority according to business criticality and service agreements.

  • Maintain a privacy breach and privacy-related incident investigation and response procedure.
  • Ensure that documented measures are followed by appropriate personnel to protect the privacy of personal information related to breaches and incidents.
  • Maintain a procedure to classify the related regulatory compliance requirements associated with each privacy breach that occurs, such as the GDPR, the US Health Insurance Portability and Accountability Act (HIPAA), and the US Federal Information Security Management Act (FISMA).

DSS02.03 Verify, approve and fulfill service requests.
Select the appropriate privacy breach and incident service request procedures and verify that the service requests fulfill defined incident response request criteria. Obtain approval, if required, and fulfill the requests.

  • Ensure that the personal data involved with the incident according to the associated personal information categories and associated personal information items to be used within the breach and incident response procedures are documented.
  • Ensure the incident response procedures and service requests include documented steps to ensure consideration of, and appropriate actions to take for, regulatory compliance requirements for each privacy breach, such as GDPR, HIPAA and FISMA.

DSS02.04 Investigate, diagnose and allocate incidents.
Identify and record incident symptoms, determine possible causes, and allocate for resolution.

  • Maintain a procedure for evidence collection in line with local forensic evidence rules and ensure that all staff are made aware of the requirements.
  • Document applicable associated regulatory compliance requirements associated with each privacy breach, such as GDPR and HIPAA.

DSS02.05 Resolve and recover from incidents.
Document, apply and test the identified solutions or workarounds and perform recovery actions to restore the IT-related service.

  • Define a privacy breach and incident response plan.
  • Ensure the response plan incorporates applicable regulatory compliance requirements associated with each privacy breach, such as GDPR and HIPAA.
  • Apply harm mitigation actions as appropriate to the breach.

DSS02.06 Close service requests and incidents.
Verify satisfactory incident resolution and/or request fulfilment, and close.

  • Establish privacy response and mitigation requirements for privacy breaches and privacy-related incidents.
  • Determine privacy harm mitigation activities necessary for meeting the associated breach situation that will be in compliance with applicable regulatory compliance requirements associated with each privacy breach, such as GDPR and HIPAA.

DSS02.07 Track status and produce reports.
Regularly track, analyze and report privacy breaches and privacy-related incidents, and request fulfillment trends to provide information for continual improvement.

  • Report the outcome of privacy breach and related incident investigations to appropriate stakeholders, including periodic reports to executive management.
  • Make necessary reports to the applicable data privacy authorities and supervisory authorities.
  • Ensure privacy breaches and related incidents and appropriate follow-up actions, including root cause analysis and data subject notifications, follow the existing breach management processes and legal compliance requirements.

Source: Based on ISACA, Implementing a Privacy Protection Program: Using COBIT 5 Enablers With the ISACA Privacy Principles, USA, 2017, chapter 2

As author and lead developer of the book, this author wanted to demonstrate how the ISACA Privacy Principles could be mapped into the full set of COBIT 5 processes. The ISACA International Privacy Task Force, along with approximately 450 additional ISACA member reviewers, supported that idea and approved the mappings. Mapping the requirements in this way helps to ensure that all requirements are addressed, shows how each activity is related to the COBIT 5 framework and the associated ISACA Privacy Principles and, in the example here, supports compliance with this particular requirement of the GDPR.

Now that the mapping exercise has been outlined, one can look at how one subset of the associated breach management process goals, metrics and practices can be established using COBIT 5 and the corresponding privacy principles, as shown in figure 2. It includes some sample metrics to the goals specific to GDPR requirements. An organization could use any of these that are applicable and add others that are more specifically applicable to the organization’s business environment.
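The Article 34 decision flow laid out in the rows of figure 1 (the high-risk test, the three exceptions and the supervisory authority override), the Article 34(2) notice content elements from row 2, and the GDPR-specific breach metrics from figure 2, modelled together in Python as an added example that is not from the article or from ISACA's publications. The incident fields, the two risk levels and the sample incidents are assumptions constructed for the illustration.

```python
# Added example: GDPR Article 34 data subject notification decision (figure 1),
# Art. 34(2) notice content check (row 2) and figure 2 GDPR breach metrics.
from dataclasses import dataclass, field
from enum import Enum
from statistics import mean


class Risk(Enum):
    LOW = "low"
    HIGH = "high"


class Decision(Enum):
    INDIVIDUAL_NOTICE = "communicate to each data subject"
    PUBLIC_COMMUNICATION = "public communication or similar measure"
    NOT_REQUIRED = "data subject communication not required"


@dataclass
class Incident:
    incident_id: str                         # constructed identifier
    data_subjects: int                       # data subjects involved (figure 2 metric)
    data_types: list[str]                    # personal data types involved (figure 2 metric)
    risk_to_rights: Risk                     # breach team's harm assessment (row 1, activity C)
    data_unintelligible: bool = False        # Art. 34(3)(a): e.g. encrypted, key not exposed
    risk_mitigated_after: bool = False       # Art. 34(3)(b): subsequent measures removed the risk
    disproportionate_effort: bool = False    # Art. 34(3)(c): individual notice disproportionate
    authority_requires_notice: bool = False  # Art. 34(4): supervisory authority requires notice
    hours_to_resolve: float = 0.0            # 0.0 means the incident is still open
    notice_media: dict[str, int] = field(default_factory=dict)  # medium -> subjects notified


def article34_decision(inc: Incident) -> tuple[Decision, str]:
    """Return the notification decision and the Article 34 ground it rests on.
    Order: Art. 34(4) override, Art. 34(1) high-risk test, then the Art. 34(3) exceptions."""
    if inc.authority_requires_notice:
        return Decision.INDIVIDUAL_NOTICE, "Art. 34(4): supervisory authority requires it"
    if inc.risk_to_rights is not Risk.HIGH:
        return Decision.NOT_REQUIRED, "Art. 34(1): high risk not likely (row 3, activity A)"
    if inc.data_unintelligible:
        return Decision.NOT_REQUIRED, "Art. 34(3)(a): data unintelligible to unauthorized persons"
    if inc.risk_mitigated_after:
        return Decision.NOT_REQUIRED, "Art. 34(3)(b): subsequent measures, high risk no longer likely"
    if inc.disproportionate_effort:
        return Decision.PUBLIC_COMMUNICATION, "Art. 34(3)(c): disproportionate effort"
    return Decision.INDIVIDUAL_NOTICE, "Art. 34(1): high risk, communicate without undue delay"


# Art. 34(2) information elements a data subject notice must contain (row 2).
REQUIRED_NOTICE_ELEMENTS = (
    "nature_of_breach",            # nature of the personal data breach, in plain language
    "contact_point",               # name and contact details of the DPO or other contact point
    "likely_consequences",         # likely consequences of the breach
    "measures_taken_or_proposed",  # measures taken or proposed by the controller
)


def missing_notice_elements(notice: dict[str, str]) -> list[str]:
    """Return the Art. 34(2) elements that are absent or empty in a draft notice."""
    return [k for k in REQUIRED_NOTICE_ELEMENTS if not notice.get(k, "").strip()]


def gdpr_breach_metrics(incidents: list[Incident]) -> dict:
    """Compute the figure 2 'GDPR and other breach regulations' metrics."""
    resolved = [i.hours_to_resolve for i in incidents if i.hours_to_resolve > 0]
    by_medium: dict[str, int] = {}
    for inc in incidents:
        for medium, n in inc.notice_media.items():
            by_medium[medium] = by_medium.get(medium, 0) + n
    return {
        "mean_hours_to_resolve": mean(resolved) if resolved else 0.0,
        "data_subjects_per_breach": {i.incident_id: i.data_subjects for i in incidents},
        "data_types_per_breach": {i.incident_id: len(i.data_types) for i in incidents},
        "subjects_notified_by_medium": by_medium,
    }


# Constructed sample incidents (not real cases).
SAMPLE_INCIDENTS = [
    Incident("INC-001", 12000, ["name", "email", "postal address"], Risk.HIGH,
             hours_to_resolve=36, notice_media={"Emails": 11500, "Postal mail notices": 500}),
    Incident("INC-002", 300, ["name", "national ID number"], Risk.HIGH,
             data_unintelligible=True, hours_to_resolve=8),   # lost encrypted laptop
    Incident("INC-003", 250000, ["email"], Risk.HIGH, disproportionate_effort=True,
             hours_to_resolve=72, notice_media={"Newspaper notices": 250000}),
    Incident("INC-004", 40, ["name"], Risk.LOW, hours_to_resolve=4),
    Incident("INC-005", 40, ["name"], Risk.LOW, authority_requires_notice=True),  # still open
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        decision, ground = article34_decision(inc)
        print(f"{inc.incident_id}: {decision.value} ({ground})")
    print(gdpr_breach_metrics(SAMPLE_INCIDENTS))
```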

Rebecca Herold, CISA, CISM, FIP, CIPM, CIPP/IT, CIPP/US, CISSP, FLMI, is chief executive officer for The Privacy Professor and president and cofounder of SIMBUS, LLC, Information Security and Privacy Management Services. She served on ISACA’s Project Development Team to create ISACA’s Privacy Framework and authored the 2 volumes of ISACA Privacy Principles books released in 2017.

Endnotes

1 The European Parliament and the Council of the European Union, Article 34 Communication of a personal data breach to the data subject, General Data Protection Regulation, European Union, 2016
2 The European Parliament and the Council of the European Union, Regulation (EU) 2016/679 of the European Parliament and of the Council 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Official Journal of the European Union, European Union, 2016
3 Ibid. This concept is discussed in 10 places within the GDPR text.
4 Ibid. Article 83. Fines can be up to €20 000 000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
5 European Commission, European Data Protection Supervisor
6 Op cit, General Data Protection Regulation. Per the GDPR, “‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”
7 Ibid. Article 34
8 ISACA, ISACA Privacy Principles and Program Management Guide, USA, 2017
9 European Commission, Questions and Answers—Data protection reform package, press release, 24 May 2017