Data Privacy

Challenges for data controllers:

  • Determining what is personal data for collecting and processing;
  • Procedure for providing information related to data subjects on their request;
  • Prevention of unauthorized access to personal data;
  • Destruction of personal data when there is no reason for storing it.

Data Privacy in a nutshell

The Kazakhstan law on personal data and protection establishes basic requirements and principles for personal data management, processing, collecting, maintaining and sharing. The Law defines personal data.

Data Privacy covers most data relating to staff and clients.

Data “subjects” have rights regarding the processing of their personal data.

Non-compliance with Data Privacy requirements results in civil, administrative and criminal liability:

  • Administrative fine approx. $70-7,000.
  • Criminal sanctions: fine up to approx. $20,000-35,000, imprisonment up to 2-7 years.

Areas covered in a Data Privacy project

PwC’s Data Privacy approach covers all relevant aspects of your organization. Areas typically covered include:

Benefits of PwC’s approach

Why use PwC Privacy Network?

Data Privacy Challenges and How PwC can help

Define personal data

Challenges:
  • Kazakh legislation requires data controllers to define personal data for the purpose of the business concerned.
  • Identifying the relevant data.

How PwC can help:
  • Review business processes and help define personal data subject to processing (data inventory), including IT assets.
  • Identify and analyse the purpose of data collection, processing, storage and removal.

Establish personal data protection controls

Challenges:
  • Data Privacy requires controllers to take measures to protect personal data.

How PwC can help:
  • Develop data protection, privacy, information security, risk management and data governance policies and procedures.
  • Determine a list of data subjects, storage locations, method of data processing and persons having access to personal data.
  • Provide general advice on daily data processing and protection.
  • Develop the appropriate data governance to avoid unnecessary data collection and storage.

Compliance with mandatory conditions for data collection and processing

Challenges:
  • Data Privacy requires data controllers to receive consent for collection and processing of personal data from data subjects.
  • Data controllers must evidence the consent for data collection and processing.

How PwC can help:
  • Support personal data processing and protection activities.
  • Develop a Data Privacy internal audit plan (review of websites, online services, agreements) and conduct review of Data Privacy compliance.
  • Assess personal data handling processes for compliance with legislation.
  • Develop/review documents required for data collection and processing, transparency notices.
  • Develop a roadmap to align personal data processing operations with Data Privacy requirements.
  • Coordination with state authorities on Data Privacy issues.

Risk Assessment

Challenges:
  • Consider the security of the network, IT systems and website including their resilience to unauthorized access.
  • Consider the relationship with third parties and how personal data is treated.

How PwC can help:
  • Penetration tests of LAN, WiFi, applications, databases, operating systems and mobile devices.
  • Security awareness tests (controlled social engineering attacks).
  • Implementation of systems supporting risk management and risk assessments.
  • Support in assessment and development of BCP/DRP plans.
  • Vendor and third party management.
  • Conducting trainings on data privacy and cybersecurity.

Contact us

Azamat Konratbayev

Managing Partner, PwC Eurasia Assurance Leader, PwC Kazakhstan

Tel: +7 727 330 3200

Michael Ahern

Partner, Tax, Legal and People, PwC Kazakhstan

Tel: +7 727 330 3200

Assel Kazbekova

Senior Manager, Legal Services, PwC Kazakhstan

Tel: +7 727 330 3200

Mirzarif Mirkamilov

Manager, Risk assurance services, cybersecurity and information privacy, PwC Kazakhstan

Tel: +7 727 330 3200
