Professional Documents
Culture Documents
Copyright Notice:
The cited and annotated content of cited standards are duly owned by their research organization or
publishers.
The provided information about the rules and standards are for educational purpose.
The PowerPoint presentation of the guide is free to use.
Being Competent in Data Privacy Protection
“A competent person has definitive understanding, skills
and character needed to perform
at a given level of
performance standard,
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Competency Model on Data Privacy Protection
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
R.A. 10173 –Data Privacy Act 2012
Accountability and Responsibility
Data Privacy Protection
Competency Guide Privacy and Security Risks
Privacy Impact Assessment Process
Consequences of failed Violations of these rules, shall, upon notice and hearing, be subject
to compliance and enforcement orders, cease and desist orders,
data privacy protection temporary or permanent ban on the processing of personal data,
based on or payment of fines, in accordance with a schedule to be published
by the Commission.
Circular 06-01
Security of Personal Data Failure to comply with the provisions of this Circular may be a
ground for administrative and disciplinary sanctions against any
in Government Agencies erring public officer or employee in accordance with existing laws
Section 34. or regulations. The commencement of any action under this
Circular is independent and without prejudice to the filing of any
action with the regular courts or other quasi-judicial bodies.
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
R.A. 10173 –Data Privacy Act 2012
Accountability and Responsibility
1. Level of risk to the rights and freedoms of data subjects
What triggers posed by personal data processing by a PIC or PIP
compliance check of the 2. Reports received by the Commission against the PIC or PIP,
agency? or its sector
3. Non-registration of a PIC or PIP that is subject to the
National Privacy mandatory registration requirement as provided under
Commission NPC Circular 17-01
4. Unsecured or publicly available personal data found on
Circular No. 18-02 the internet thatmay be traced to a PIC or PIP
Guidelines on 5. Other considerations that indicate non-compliance with
Compliance Section 5 the DPA or the issuances of the Commission.
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
R.A. 10173 –Data Privacy Act 2012
Accountability and Responsibility
1. Privacy Sweep.
How is compliance check The Commission shall review a PICs or PIPs compliance with respect to its obligation
under the DPA, and its related issuances based on publicly available or accessible
of the agency information, such as, but not limited to, websites, mobile applications, raffle coupons,
brochures, and privacy notices. This is the initial mode of Compliance Check.
conducted? 2. Documents Submission.
The Commission may require the submission of documents and additional
National Privacy information from a PIC or PIP that has undergone a privacy sweep to, among
others, clarify certain findings arising there from, and to determine the level
Commission of compliance of the PIC or PIP with respect to its obligations under the DPA
Circular No. 18-02 and its related issuances
3. On-Site Visit.
Guidelines on The Commission may subject a PIC or PIP to an on-site visit if there are persistent or
substantial findings of non-compliance with the obligations indicated in the DPA and
Compliance Section 5 its related issuances.
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
R.A. 10173 –Data Privacy Act 2012
Accountability and Responsibility
1. The National Privacy Commission, sua sponte
Who may file complaint 2. The persons who are the subject of a privacy violation or personal data
breach
against the agency? 3. The person who are otherwise personally affected by a violation of the
Data Privacy Act
National Privacy 4. The person who is the subject of the privacy violation or personal data
breach, or his or her duly authorized representative may file the
Commission complaint, Provided, that the circumstances of the authority must be
Circular No. 16-04 established.
5. Any person who is not personally affected by the privacy violation or
Rules of Procedures Rule personal data breach may: (a) request for an advisory opinion on
matters affecting protection of personal data; or (b) inform the
II Section 1 National Privacy Commission of the data protection concern, which
may in its discretion, conduct monitoring activities on the organization
or take such further action as may be necessary
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Privacy and Security Risks
Privacy Impact Assessment Process
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Privacy Rule Context of Privacy Impact Assessment
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
What data is protected by R.A. 10173?
PERSONAL DATA
that represent a set of
information that identifies an
individual or person who is
called a
1. Personal Information The identifiable person has a
2. Sensitive Personal Information
3. Privileged Information human right called .
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Personal
1. Name
Data Category
Given name, middle name, surname, alias
2. Identification number License number, tax number
3. Location data Address, GPS location
4. Online identifier e-mail, IP address
5. Digital identifier Biometric, CCTV data
6. Genetic Data DNA test result
7. Health Data Diagnostic report
8. Research Data Research question, enumerator interview logs
9. Physical factor Height, weight, sex
10. Physiological factor Body chemistry
11. Mental factor Intellectual aptitude test results
12. Economic factor Salary, debts, property
13. Cultural factor Nationality, tribe
14. Social identity factors Club membership, titles, legal record
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Sensitive Personal Information (RA 10173 sec 3i)
1. Health, education, genetic or sexual life of a person
2. Proceeding for any offense committed or alleged to have been committed by
such individual, the disposal of such proceedings, or the sentence of any court
in such proceedings
3. Individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations
4. Identification document issued by government agencies peculiar to an
individual which includes, but is not limited to, social security numbers,
previous or current health records, licenses or its denials, suspension or
revocation, and tax returns
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
What is data privacy in R.A. 10173?
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
What is data privacy in R.A. 10173?
2. PRIVACY VIOLATION (RA 10173 chap VIII)
is illegal or unwanted act that endangers the privacy rights of a
person. Data privacy violation is penalized act to be complained
through NPC Complaint-Assisted Form.
Section 25 Unauthorized processing Section 30 Concealment of breach
Section 26 Negligence in access Section 31 Malicious disclosure
Section 27 Improper disposal Section 32 Unauthorized disclosure
Section 28 Unauthorized purpose Section 33 Combination of acts
Section 29 Unauthorized access or
intentional breach
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Data Privacy Rights Violation
1. Unauthorized processing It is when personal information is processed
3-6 years imprisonment
500K-4M penalty
without the consent of the data subject, or
without being authorized using lawful criteria
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Data Privacy Rights Violation
3. Improper disposal It is when personal information is knowingly or
6 mos-3 years imprisonment
100K-1M penalty
negligently disposed, discard, or abandon in an
area accessible to the public or has otherwise
placed the personal information of an
individual in any container for trash collection
4. Unauthorized purpose It is when personal information is processed
1-7 years imprisonment
500K-2M penalty
for purposes not authorized by the data
subject, or otherwise authorized by any
existing laws.
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Data Privacy Rights Violation
5. Unauthorized access It is when an individual handling personal information
or intentional knowingly and unlawfully, or violating data confidentiality
breach and security data systems, breaks in any way into any
1-3 years imprisonment system where personal and sensitive personal information
500K-2M penalty
are stored
6. Concealed breach It is when an individual or entity who has knowledge of a
1-5 years imprisonment security breach and of the obligation to notify the
500K-1M penalty
Commission pursuant to Section 20(f) of the Act,
intentionally or by omission conceals the fact of such
security breach.
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Data Privacy Rights Violation
7. Malicious disclosure It is when an individual or entity with malice
1-65years imprisonment
500K-1M penalty
or in bad faith, discloses unwarranted or false
information relative to any personal
information or sensitive personal information
obtained by him or her
8. Unauthorized disclosure It is when an individual or entity discloses to
1-5 years imprisonment
500K-2M penalty
third party personal information not covered
by legitimate purpose, lawful criteria, and
without the consent of the data subject.
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
What is data privacy in R.A. 10173?
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
What is data privacy in R.A. 10173?
4. PERSONAL DATA PROCESSING
Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the
collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or
destruction of data.
“Right to be informed”
“Right to block”
“Right to access” “Right to complain”
“Right to object” “Right to damages”
“Right to rectify”
“Right to erase”
“Right to data portability”
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
What is data privacy in R.A. 10173?
(RA 10173 chapter III)
The foundation of data processing system that is privacy by design and by default
CONFIDENTIALITY INTEGRITY
Authority is enforced to keep Trust is assured in the accuracy,
completeness, immediacy, usefulness,
secrecy and privacy of personal data
and reliability of personal data
AVAILABILITY
Accessibility is guaranteed in the connectivity,
uptime, reach ability, location, protection, and speed of personal
information exchange
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Data Privacy Stakeholders
Whose Interest and Participation, Accountability and Responsibility
Benefit is Data Privacy
Act of 2012 R.A. 10173
1. Data Subject Represents the exercise of data privacy rights and main party to
associate personal data to be protected with privacy and security
2. National Privacy Commission Creates regulation; monitor compliance; educate the public;
enforces rules; and resolve cases on data privacy
3. Personal Information Directs and rules the processing of personal information with set
Controller limitations on data privacy
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Risk Assessment Concept (ISO 31000)
1. Risk identification - It applies risk identification tools and techniques,
the organization should identify risk sources, areas of impacts, events and
causes, and their potential consequences.
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Risk Assessment Concept
3. Risk evaluation -It assist in decision making about which risks
need treatment and priority for treatment implementation.
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
1. Unauthorized processing
2. Negligence in access
3. Improper disposal
4. Unauthorized purpose
5. Unauthorized access
6. Intentional breach
7. Concealed breach
8. Malicious disclosure
9. Unauthorized disclosure
10.Combined violations
Impact: imprisonment and fines –Data Privacy Act of 2012
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
What kind of exploitations are involved in data breach
(Sans Survey)
Malware infections
Unauthorized access
Data breach (stealing sensitive data)
Advanced persistent threat or multistage attack
Insider breach
Unauthorized privilege escalation for lateral movement
Destructive attack (aimed at damaging systems)
Attack impacting data integrity
DDoS attack as the main attack
DDoS attack as a diversion
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
1. Illegal Access
2. Illegal Interception
3. Data Interference
4. System Interference
5. Misuse of Devices
6. Forgery
7. Fraud
8. Identity Theft
9. Cyber Squatting
10. Libel
Impact: imprisonment and fines – Cyber Crime Prevention Law of 2012
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Systems to watch to be involved in breaches (SANS Survey)
o Business applications (e.g., Web apps, line-of-business systems) and services (e.g., email, file sharing) in
the cloud
o Corporate-owned laptops, smartphones, tablets and other mobile devices
o Internal network (on-premises) devices and systems
o Business-related databases hosted locally
o Corporate data center servers hosted locally (on-premises)
o Employee-owned computers, laptops, tablets and smartphones (BYOD)
o Business-related databases in the cloud
o Unapproved systems (shadow IT), applications or services hosted locally
o Corporate data center servers hosted in the public cloud (e.g., Azure or Amazon EC2)
o Unapproved systems (shadow IT), applications or services hosted in the cloud
o Employee social media accounts
o Embedded, or non-PC devices, such as media and entertainment boxes, printers, smart cards, connected
control systems, etc
o Business-related social media accounts or platforms
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Privacy Threat Incidents and Controls
Privacy Breach Threats to Personal Data Security Controls
(SANS Threat Survey) (R.A. 10173 and GDPR)
Privacy Law 1. Ransomware 1. Security Policy
R.A. 10173 2. Elevation of privilege into sensitive systems 2. Network Protection
3. Confidentiality, Integrity, Availability, and
1. Unauthorized processing 3. Breaches in cloud-based, multitenant
Resilience Assurance of Processing System
2. Negligence in access architectures 4. Intrusion Detection and Prevention
3. Improper disposal 4. Denial of service 5. Network Security Monitoring
4. Unauthorized purpose 5. Data tampering 6. Vulnerability Assessment and Penetration
5. Unauthorized access 6. Identity theft Testing
6. Intentional breach 7. Insider threat 7. Backup and Data Recovery
7. Concealed breach 8. Questionable transactions 8. Identity, Access, Privilege Management
9. Security Incident Management System
8. Malicious disclosure 9. Corporate or foreign government espionage
10. Data Loss Prevention
9. Unauthorized disclosure 10. Information disclosure 11. Encryption and Pseudonymization, Host-based
10. Combination of unwanted act 11. Compromise of DNS infrastructure enabling encryption
stealing and exfiltration of data 12. Insider Threat Control
12. Anti-malware/Antivirus 13. Third-Party Risk Management
13. Spoofing of identity or access credential 14. Firewall/UTM
14. Drive-by Download 15. End-Point Protection
16. Email security
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Security Threat Incidents and Controls
Violation/Threat Vulnerability/Exploitation Control Measures
(ETSI ISG ISI) (CIS Security Controls)
Cyber Crime Prevention Law -R.A. 10175 1. Website Forgery 1. Inventory and Control of Hardware Assets
1. Illegal access 2. Spam 2. Inventory and Control of Software Assets
3. Phishing 3. Continuous Vulnerability Management
2. Illegal interception
4. Intrusion 4. Controlled Use of Administrative Privileges
3. Data interference
5. Website Defacement 5. Secure Configuration for Hardware and Software on Mobile
4. System interference 6. Misappropriation of Resources Devices, Laptops, Workstations and Servers
5. Misuse of device 7. Denial of Service 6. Maintenance, Monitoring and Analysis of Audit Logs
6. Fraud 8. Malware 7. Email and Web Browser Protections
7. Forgery 9. Physical Intrusion 8. Malware Defenses
8. Identity Theft 10. Malfunction 9. Limitation and Control of Network Ports, Protocols and Services
11. Loss or theft of mobile device 10. Data Recovery Capabilities
9. Cyber-squatting
12. Trace Malfunction 11. Secure Configuration for Network Devices, such as Firewalls,
10. Libel
13. Internal Deviant Behavior Routers and Switches
14. Rights or Privileges Usurpation or Abuse 12. Boundary Defense
15. Unauthorized access to servers through remote access points 13. Data Protection
16. Illicit Access to Internet 14. Controlled Access Based on the Need to Know
17. Deactivating of Logs Recording 15. Wireless Access Control
18. Non-patched or poorly patched vulnerability exploitation 16. Account Monitoring and Control
19. Configuration vulnerability exploitation 17. Implement a Security Awareness and Training Program
20. Security incidents on non-inventoried and/or not managed assets 18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises
What is privacy impact? (ISO 29134)
1. It is any thing that has effect on the data privacy
of personal information security of a data subject
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
What is privacy impact assessment?
1. An instrument to assess the potential impacts on
data privacy and security of the filing system,
automation, technology platform, program, software
module, device or other project that is defined to act the
collection, processing, retention, sharing and disposal of
a data subject’s personal data.
2. It is a process at the initiation of data processing
system project to ensure privacy by design. It continues
until, and even after, the project has been deployed.
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
What is privacy impact assessment?
3. A consultation with stakeholders, for taking
actions as necessary in order to treat data privacy
and protection risk.
4. A report that documents on the measures to be
taken for the treatment of risk based on
established control criteria.
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
What reasons to cause privacy impact assessment?
1. The developed, acquired and operated data processing system
collects personal data
2. A change in applicable privacy related laws and regulations, internal
policy and standards, information system operation, purposes and
means for processing data, new or changed data flows.
3. A new or prospective technology, service or other initiative where
personal information is, or to be, processed
4. A decision that sensitive personal information is going to be
processed
5. A data privacy violation complaint is made against a system
operation.
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Who conducts privacy impact assessment?
1. Personal information controller (PIC) has the
responsibility to conduct privacy impact assessment
and may request a personal information processor
to act on the PIC’s behalf.
2. Personal information processor (PIP) a data
processing supplier has the responsibility to
conduct privacy impact assessment in all of its
project and program associated with the processing
of personal data as required by law and as agreed
with a personal information controller.
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Critical Steps in Doing Privacy Impact Assessment
1. JUSTIFY the conduct of privacy impact assessment with a
privacy threshold analysis
2. SCOPE the privacy impact assessment by identifying and
describing system context and configuration with impact
to privacy
3. ADOPT a privacy and security risks criteria and the
corresponding measurement that determine the
indicators and rating of threat, vulnerabilities and control
in the impact assessment.
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Critical Steps in Doing Privacy Impact Assessment
4. IDENTIFY the stakeholders to participate in creating
privacy impact assessment report
5. PLAN the assessment activities
6. EXECUTE the privacy and security risks identification,
analysis, and evaluation
7. FILL-UP the Privacy Impact Assessment Report template
of the National Privacy Commission.
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Threshold Analysis
Privacy threshold analysis determines the necessity for doing
privacy impact assessment.
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Measuring Impact
Rating Type Description
1 Negligible The data subjects willeither not be affected or mayencounter a few inconveniences, which they
will overcome without any problem.
2 Limited The data subject may encounter significant inconveniences, which they will be ableto
overcomedespitea few difficulties.
3 Significant The data subjects may encounter significant inconveniences, which they shouldbeableto
overcomebutwith serious difficulties.
4 Maximum The data subjects may encounter significant inconveniences, or even irreversible,
consequences, which they may not overcome.
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Measuring Probability
Rating Type Description
1 Unlikely Not expected, but there is a slight possibility it may occur at some time.
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Privacy Risks Map
ISO 29134
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Business Process Context
Function Name: Business Process Name:
Accountable: Responsible:
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Personal Data Processing Flow Visualization
ISO 29134
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Business Process Event or Privacy/Security
Statutory Conformity
System Application Features Control Agreement
1 Personal Data Collection Data Subject Inform
Data Subject Consent
Legitimate purpose, minimal are observe and
security policy observed
2 Personal Data Retention Storage is secured
Storage time legitimate
3 Personal Data Use Data is used as defined by agreement and rules
4 Data Disclosure/ Sharing Data is disclosed as defined by agreement and
rules
5. Data Disposal Data is destroyed as per
Data Archiving Policy
Data is archived as per policy
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Data Processing Privacy and Security Impact Assessment
Name of Data Processing System: Controller: Processor: [] Outsource {] In source
Personal Database Name: Location of Data Processing and Storage: Legal Basis Data Processing: Data Share:
SECURITY INCIDENT VULNERABILITIES
CONSIDERED AS THREAT
Privacy Rights Not Privacy Principles Lawful Criteria to Conditions to Process Data Sharing Condition
TO PRIVACY AND A
Respected Undermined Process Personal Sensitive Personal Not Applied
PENALIZED
Information Not Applied Information Not Applied
VIOLATION
1.Unauthorized processing
2.Negligence in access
R.A. 10173 R.A. 10173 R.A. 10173 R.A. 10173 R.A. 10173
3.Improper disposal Chapter IV Chapter III Chapter III Chapter III Chapter III-VI
4. Unauthorized purpose
5.Unauthorized access or R.A. 10173
intentional breach R.A. 10173 R.A. 10173 R.A. 10173 R.A. 10173 IRR Rule X-XII
6.Concealment of breach
IRR Rule VIII IRR Rule IV IRR Rule V IRR Rule IV
7.Malicious disclosure NPC Circular
8.Unauthorized disclosure
ISO 29100 16-02
R.A. 10173
RR Rule XIII
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Data Processing Privacy and Security Impact Assessment
Name of Data Processing System: Controller: Processor: [] Outsource {] In source
Personal Database Name: Location of Data Processing and Storage: Legal Basis Data Processing: Data Share:
SECURITY INCIDENT VULNERABILITIES
CONSIDERED AS THREAT
Organizational Security Physical Security Technical Security CIS Security Control Not OWASP Security Control
TO PRIVACY AND A
Measures Measures Not Measures Not Installed Applied not Applied
PENALIZED
Not Instituted Implemented
VIOLATION
1.Unauthorized processing 1. Inventory and Control of C1: Define Security Requirements
R.A. 10173 Rule VI R.A. 10173 Rule VI R.A. 10173 Rule VI Hardware Assets C2: Leverage Security
1.Compliance Officers. 1.Policies and Procedures on 1.Security policy in processing personal
2.Negligence in access data 2. Inventory and Control of Frameworks and Libraries
2.Data Protection Policies Limited Physical Access 2.Safeguards to protect computer C3: Secure Database Access
Software Assets
3.Improper disposal 3.Records of Processing 2.Security Design of Office network again unlawful, illegitimate, and C4: Encode and Escape Data
destructive activities 3. Continuous Vulnerability C5: Validate All Inputs
Activities Space and Room 3.Confidentiality, integrity, availability, Management C6: Implement Digital Identity
4. Unauthorized purpose 4.Processing of Personal 3.Person Duties, and resilience of the processing systems
4. Controlled Use of C7: Enforce Access Controls
Data Responsibility and Schedule and services
5.Unauthorized access or 4.Vulnerability assessment and regular Administrative Privileges C8: Protect Data Everywhere
5.Personal Information Information monitoring for security breaches 5. Secure Configuration for C9: Implement Security Logging
intentional breach
Processor Contracts 4.Policies on transfer, 5.Ability to restore the availability and
Hardware and Software on and Monitoring
access to personal data
6.Concealment of breach removal, disposal, and re- 6.Regularly testing, assessing, and Mobile Devices, Laptops,
C10: Handle All Errors and
use of electronic media evaluating the effectiveness of security
Exceptions
Workstations and Servers
7.Malicious disclosure 5.Prevention policies against measures
7.Encryption of personal data during 6. Maintenance, Monitoring
mechanical destruction of storage and while in transit, and Analysis of Audit Logs
8.Unauthorized disclosure
files and equipment authentication process
-20.
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
Data Processing Privacy and Security Impact Assessment
Name of Data Processing System: Controller: Processor: [] Outsource {] In source
Personal Database Name: Location of Data Processing and Storage: Legal Basis Data Processing: Data Share:
VIOLATION SOURCE OF SECURITY EXPLOITED IMPACT PROBABILITY REMEDY
THREAT VULNERABILITIES TREATMENT
1.Unauthorized processing Organizational No policy Negligible Unlikely Vulnerability test
2.Negligence in access Physical Poor office design Limited Possible Policy review
3.Improper disposal Technical Lack of procedures Significant Likely Acquire tools
4. Unauthorized purpose Organizational Weak monitoring Maximum Almost certain Organize team
5.Unauthorized access or Technical Not segmented network Training people
intentional breach
6.Concealment of breach
7.Malicious disclosure
8.Unauthorized disclosure
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.
PRIVACY AND SECURITY RISKS MAP
IMPACT
1 Concealment of breach
NEGLIGIBLE
1 2 3 4
PROBABILITY Unlikely Possible Likely Almost Certain
Copyright Notice: The cited and annotated content of cited standards are duly owned by their research organization or publishers.