Post on 27-Nov-2018
GDPR
Lessons Learned
01 Introduction
GDPR Lessons Learned Slide: 3
Privacy is a hot topic
Privacy and data protection are increasingly in the spotlight and undergoing a paradigm shift in light of the new General Data Protection Regulation (GDPR) and post-Brexit uncertainty
Personal Information (PI) is a valuable asset through intelligence and monetisation opportunities
Privacy awareness of the public has increased significantly, exacerbated by frequent personal data breaches catching media attention
Demonstrating good privacy governance and practices will be considered by the FCA and other regulators
GDPR Lessons Learned Slide: 4
GDPR comes into force in May 2018 and organisations need to act now
The volume of people, process and technology change required by the 25 May 2018 deadline of the GDPR should not be underestimated
Many organisations are compliant, on paper, with existing legislation, but are yet to face the challenge of implementing the requirements through the entire personal data lifecycle
As business models have been digitised, the volume of data held by organisations has increased significantly, resulting in organisations not understanding how much PI they hold, why they retain it and how it is being used
GDPR Timeline
January 2012: European Commission (EC) proposes GDPR
March 2014: EU Parliament adopts compromise text
December 2015: GDPR agreed
14 April 2016: GDPR formally adopted by member states; transition period of 2 years
25 May 2018: GDPR takes effect
GDPR Lessons Learned Slide: 5
GDPR key changes (1/2)
Expanded scope: Applies to all data controllers and processors established in the EU and organizations that target EU citizens
Consent:
► Consumer consent to process data must be freely given and for specific purposes
► Customers must be informed of their right to withdraw their consent
► Consent must be ‘explicit’ in the case of sensitive personal data or trans-border data flows
New rights:
► The right to be forgotten — the right to ask data controllers to erase all personal data without undue delay in certain circumstances
► The right to data portability — where individuals have provided personal data to a service provider, they can require the provider to ‘port’ the data to another provider, provided this is technically feasible
► The right to object to profiling — the right not to be subject to a decision based solely on automated processing
Privacy Impact Assessments: Organizations must undertake Privacy Impact Assessments when conducting risky or large-scale processing of personal data
Privacy by Design: Organizations should design data protection into the development of business processes and new systems
GDPR Lessons Learned Slide: 6
GDPR key changes (2/2)
Data Protection Officers (DPOs): DPOs must be appointed if an organization conducts large-scale systematic monitoring or processes large amounts of sensitive personal data
Accountability: Organizations must prove they are accountable by:
► Establishing a culture of monitoring, reviewing and assessing data processing procedures
► Minimizing data processing and retention of data
► Building in safeguards to data processing activities
► Documenting data processing policies, procedures and operations that must be made available to the data protection supervisory authority on request
Obligations on processors: New obligations on data processors — processors become an officially regulated entity
Mandatory breach notification:
► Organizations must notify the supervisory authority of data breaches ‘without undue delay’ or within 72 hours, unless the breach is unlikely to be a risk to individuals
► If there is a high risk to individuals, those individuals must be informed as well
Fines of up to 4% of annual worldwide turnover: Fines for a breach of the GDPR are substantial. Regulators can impose fines of up to 4% of total annual worldwide turnover or €20,000,000, whichever is greater
GDPR Lessons Learned Slide: 7
The importance of privacy – moving beyond compliance
Compliance incentives
Need to comply with laws, regulations, contracts and other agreements
Increasing pressure from regulators; rising fines and penalties
Minimise reputational damage
Significant costs associated with recovery from breaches and potential lawsuits from those affected
Moving beyond compliance – business incentives
Move beyond compliance to build trusting relationships with stakeholders that drive loyalty and retention
Privacy is a competitive differentiator in a data- and technology-driven world
Enhance brand and reputation
Satisfy stakeholders’ expectations, especially in light of increasing public awareness of and concern about data privacy
Proactively prevent loss of customers and market share as a result of data breaches
Data protection as a moral responsibility towards customers and part of the CSR profile
Prevent data breaches and avoid associated remediation costs
Protect future revenue sources and create new ones from data, with customer consent
GDPR Lessons Learned Slide: 8
GDPR can frustrate or support the digital proposition
Companies nowadays collect a high amount of data, which might lead to the collection and/or creation of personally identifiable information. Organisations need to identify the minimum amount of personally identifiable information they need in order to perform their data analysis, or perform anonymisation or pseudonymisation.
Internet of Things: More and more Internet of Things devices are introduced and generate large volumes of data which organisations can use to support their market and client insights and improve their digital proposition, for example mobiles, connected cars and wearables.
Digital marketing, sales and service: Organisations are transforming their business into digital propositions. These propositions are built on technology and data; a precondition is the reuse of data.
Partner and ecosystem: Organisations are more and more connected with partners in an ecosystem. To utilise the advantages, data need to be shared across the ecosystem, while supporting privacy regulations.
02 Transformation approach
GDPR Lessons Learned Slide: 10
Data Protection and Privacy Transformation approach
EY’s unique approach:
Comprehensive in reach through its four phases: understand, assess, design and implement
Multi-disciplinary by integrating the legal, IT, risk and business perspectives of privacy
Close cooperation with EY Law to translate legal requirements into a risk-based, customised approach
Identification of high risks and focus on becoming compliant with current legislation, while keeping sight of the organisation’s GDPR readiness
Proven success in roll-out in various countries
GDPR Lessons Learned Slide: 11
A phased approach combining an overall GDPR maturity assessment and PIAs on high-risk data flows
Key activities per phase
Framework
  Phase 1: Overall maturity assessment; customised Privacy Impact Assessment (PIA); implementation plan
  Phase 2: Privacy framework policy and standards; data governance (including DPO position); updated implementation plan
  Phase 3: Accountability; Privacy by Design; monitoring and incident response; notifications; metrics, reports and dashboard
Dataflow
  Phase 1: Assessment of data flows using PIA, based on a risk-based approach
  Phase 2: Fixing reported gaps based on priority setting; continue dataflow assessments
  Phase 3: Fixing reported gaps based on priority setting; continue dataflow assessments
Vendor
  Phase 1: Vendor risk management framework
  Phase 2: Vendor risk assessment and update contracts
  Phase 3: Vendor risk assessment and update contracts
Awareness
  Phases 1, 2 and 3: Awareness
GDPR Lessons Learned Slide: 12
Risk-based approach to assess data flows based on a well-established PIA process
Dataflow inventory
In order to fully assess privacy and compliance risks, organisations will need to understand how (customer and employee) data are used.
Therefore, the first step of our PIA process consists of making an inventory of the dataflows, which includes i.a. a complete overview of data sources (systems and files), where data are stored, how they are processed, who they are shared with and how long they are retained.
The dataflows will be inventoried during a workshop (approx. 2 hours) with internal stakeholders. Our dataflow tooling can be used to validate the outcome of such a workshop.
Risk assessment dataflow
The second step of our PIA process consists of categorising the dataflows by their associated risk (high/medium/low).
Such a risk assessment, which consists of a brief questionnaire, enables organisations to prioritise dataflows, establishes whether a PIA is required under the GDPR and creates an audit trail in this respect.
Subjects of the risk assessment include i.a.:
• Personal data
• Special data
• Volume of data
• Sensitivity of process
Prioritize dataflows
Based on both the defined risk appetite of the organisation and the established risk(s) per dataflow, it will be determined for which dataflows PIAs will be performed and in what order.
The PIAs for the dataflows whose risks would impact the organisation most, given its risk appetite, will be performed first.
Perform PIA
EY has developed an in-depth Excel-based questionnaire to gather the insights necessary to assess the impact of the dataflows on the natural persons involved.
This questionnaire covers most subjects of the GDPR (more comprehensive than the risk assessment) and contains guidelines and primarily closed-ended questions (yes/no, multiple choice, rating scale, etc.), making the PIA user-friendly for the business. If so desired, the PIA questionnaire can be modified or integrated with existing risk assessments (e.g. BIA or ISRA).
Define actions
After the PIA has been performed, actions will be defined to mitigate the risks to the natural persons identified during the PIA.
Subsequently, this list of actions will be prioritised based on the risk appetite of the organisation, mitigating the highest risks first.
Defining risk appetite
Using the gathered insights on the dataflows, the risk appetite will be defined to support expected GDPR changes, prioritise dataflows and define actions.
EY will support in (i) developing a qualitative statement to articulate privacy risk, (ii) defining a clear appetite statement that can be measured and aligns to your strategy and (iii) identifying metrics from your Privacy Risk Control Framework that speak to your risk appetite and align where possible to strategic objectives.
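The PIA triage steps described above (inventory, risk categorisation, prioritisation against risk appetite, audit trail), as an added Python example that is not EY's own PIA tooling: it scores each dataflow on the four questionnaire subjects the slide lists, decides whether a PIA is required, and orders the selected flows. The point values, the thresholds for "large scale" and the sample inventory are assumptions made for illustration.

```python
"""Risk-based triage of data flows: which get a PIA, and in what order.
Added example, not EY's PIA tooling: the four assessment subjects, the tiers,
the risk-appetite cut-off and the audit trail follow the slide; point values,
thresholds and the sample inventory are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

SPECIAL_CATEGORIES = {"health", "biometric", "genetic", "ethnic origin",   # assumed list
                      "religion", "political opinion", "sexual orientation"}
LARGE_SCALE = 10_000                  # assumed data-subject count for "large scale"
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

@dataclass
class DataFlow:
    name: str
    source: str                       # system or file the data comes from
    personal_data: bool               # relates to identifiable natural persons?
    categories: set                   # data categories, e.g. {"email", "health"}
    volume: int                       # number of data subjects covered
    sensitive_process: bool           # profiling, monitoring, decisions about people
    shared_with: list = field(default_factory=list)   # onward recipients

def risk_level(flow):
    """Score the four questionnaire subjects and map to a tier (assumed weights)."""
    if not flow.personal_data:                 # personal data at all?
        return "low"
    score = 3 if flow.categories & SPECIAL_CATEGORIES else 0   # special data
    score += 2 if flow.volume >= LARGE_SCALE else 1 if flow.volume >= 1_000 else 0
    score += 2 if flow.sensitive_process else 0                # sensitivity of process
    score += 1 if flow.shared_with else 0                      # sharing widens exposure
    return "high" if score >= 4 else "medium" if score >= 2 else "low"

def pia_required(flow):
    """Assumed reading of 'risky or large-scale processing' (slide 5):
    a high-tier flow, or large-scale processing of special data."""
    special = bool(flow.categories & SPECIAL_CATEGORIES)
    return risk_level(flow) == "high" or (special and flow.volume >= LARGE_SCALE)

def prioritise(flows, risk_appetite):
    """Select flows for a PIA (required by GDPR, or riskier than the appetite
    allows) and order them; returns (flow names in order, audit trail)."""
    appetite = RISK_ORDER[risk_appetite]
    selected, trail = [], []
    for flow in flows:
        level, required = risk_level(flow), pia_required(flow)
        planned = required or RISK_ORDER[level] > appetite
        trail.append({"flow": flow.name, "source": flow.source, "risk": level,
                      "pia_required_by_gdpr": required, "pia_planned": planned,
                      "assessed_at": datetime.now(timezone.utc).isoformat()})
        if planned:
            selected.append(flow)
    # Highest tier first; within a tier, the flow with more data subjects first.
    selected.sort(key=lambda f: (RISK_ORDER[risk_level(f)], f.volume), reverse=True)
    return [f.name for f in selected], trail

# Constructed sample inventory (not real client data).
SAMPLE_FLOWS = [
    DataFlow("Customer onboarding", "CRM", True, {"name", "email", "id document"}, 50_000, False, ["KYC vendor"]),
    DataFlow("Employee health records", "HR system", True, {"name", "health"}, 800, False),
    DataFlow("Marketing profiling", "Analytics platform", True, {"email", "browsing history"}, 200_000, True, ["ad network"]),
    DataFlow("Visitor log", "Reception spreadsheet", True, {"name"}, 300, False),
    DataFlow("Aggregated sales statistics", "Data warehouse", False, set(), 0, False),
]

if __name__ == "__main__":
    order, audit = prioritise(SAMPLE_FLOWS, risk_appetite="low")
    print("PIA order:", order)
    print("audit entries:", len(audit))
```

Raising the risk appetite from "low" to "medium" drops the medium-tier flows from the plan but keeps the profiling flow, because a PIA is required for it regardless of appetite.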
GDPR Lessons Learned Slide: 13
Lessons learned
Data flow mapping
• Many organisations are unaware of their data flows and have launched ambitious data flow mapping initiatives
• Data flow mapping exercises are all too often performed in a manner that is too detailed and resource consuming
• A more limited scope is sufficient to facilitate the creation of a privacy register
• Data discovery tooling can be used to further detect structured and unstructured data
Legacy
• Privacy impact assessments (PIA) need to be performed for the organisation’s data flows and a risk-based approach should be adopted to focus on high impact data flows
• Through data flow mapping, non-compliances with the GDPR’s requirements such as the right to be forgotten and data retention are identified
• A targeted approach allows for prioritisation of actions and the identification of those which can be pursued centrally to facilitate integration with the entire organisational data governance (including Privacy by Design)
Privacy governance
• Privacy is no longer exclusively situated within the legal realm but has evolved into a multi-disciplinary issue
• Organisations are struggling to establish a comprehensive model to lead privacy transformation
• A new, collaborative model is needed to unite the multiple dimensions of privacy within the organisation
GDPR Lessons Learned Slide: 14
Lessons learned
Big data analytics
• The use of big data analytics has attracted widespread attention and has proven to provide added business value
• Challenges around privacy arise due to the lack of consent amongst data subjects
• In essence, these challenges are not new, and thus lend themselves to the established response of pseudonymisation or anonymisation of data to ensure the preservation of privacy, while still leveraging the strategic value of data
Rightful usage
• The concept of rightful usage (legitimate use or explicitly obtained consent) forms an integral part of the privacy impact assessment (PIA) related to the mapping and discovery of organisational data flows
• Organisations too often adopt an isolated approach focused on a singular data flow
• In contrast, an overarching approach forms a starting point for additional activities requiring the basis of legitimate use or consent, as it centralises the overview of rightful usage of data
Right to be forgotten
• The majority of applications do not currently support the key changes brought by the GDPR around the right to be forgotten, data portability and data retention
• In particular, many organisations struggle with supporting the right to be forgotten due to the complexity and wide distribution of data across different databases, backups etc.
03 Impact on IT and Security
GDPR Lessons Learned Slide: 16
Impact on IT and Security (1/2): An overview of impact and solutions
Data Lifecycle Management
GDPR impact:
• Define data flows
• Document conditions for processing (i.e. legal ground, data minimisation, information provision, purpose limitation)
• Implement and maintain privacy register
Solutions:
• Integrate GDPR in data governance and management
• Implement or enhance (existing) tooling to support data flow mapping and document data attributes
• Implement privacy register based on tooling
Data Protection Policy and data classification
GDPR impact:
• Classify personally identifiable information (PII)
• Ensure necessary and proportionate use only
• Enforce policies and standards
Solutions:
• Draft, review and update existing data protection policies and standards
• Use specific tooling to classify your PII
• Use specific tooling to enforce data protection policy and standards
Privacy Risk and Controls
GDPR impact:
• Integrate privacy controls and assessment into the existing control framework and risk assessments
• Perform risk assessments on processes and data flows (instead of systems/applications)
Solutions:
• Update existing risk framework and assessments
• Integrate privacy controls in the existing tools and controls testing
Privacy by design and architecture
GDPR impact:
• Take data protection of PII into account in existing design and build procedures
• Enhance existing security architecture to support privacy by design, including libraries of tools to support design and build procedures
Solutions:
• Implement procedure for assessing risk of data flows
• Perform PIAs (privacy impact assessments) on new and current processes
• Redesign design and build procedures by including data protection principles
Data subject rights
GDPR impact:
• Support rights of data subjects, i.a. to access, modify and erase their PII, transfer PII to another organisation (data portability) and object to the processing
Solutions:
• Implement procedure/functionality for data subjects to submit requests and provide transparency on data subject rights
• Implement procedure to assess the requests of data subjects to exercise rights
• Tooling for providing access on user request
• Tooling for transferring data to another organisation (data portability)
• Tooling for erasure by way of disposal, pseudonymisation/anonymisation
GDPR Lessons Learned Slide: 17
Impact on IT and Security (2/2): An overview of impact and solutions
Monitoring
GDPR impact:
• Implement monitoring to ensure that PII is used in line with policies, standards and GDPR
• Detect deviations, i.a. unauthorised disclosures
Solutions:
• Implement data discovery tooling to ensure that all data is recorded and accounted for as part of the privacy register
• Use specific monitoring tooling to record deviations from policies, disclosures and data flows; privacy data analytics
Data security
GDPR impact:
• Technical security measures to protect PII in line with policies and procedures
• Implement encryption (at rest, in use, in motion)
• Align identity and access management with appropriate use in line with GDPR
Solutions:
• Describe procedures on data protection in the information security policy and standards and implement such procedures
• Implement tooling to encrypt data on different technology layers, i.a. network, end-user, server, database, application, e-mail and unstructured documents
• Update roles and authorisations in existing identity and access management
Data retention and disposal
GDPR impact:
• Identify retention periods for each category of PII
• Dispose of or anonymise PII after the retention period
• Create a data retention and disposal policy
Solutions:
• Describe the retention periods per record (using the mandatory privacy register)
• Implement the retention periods in applications, or implement specific tooling in combination with an archiving system
Vendor management
GDPR impact:
• Have an up-to-date overview of all vendors that process PII
• Ensure vendors only process PII in line with policies, standards and GDPR (e.g. monitoring vendors and performing audits)
Solutions:
• Implement vendor management framework, including controls vendors should comply with
• Implement procedures and tooling for monitoring vendors
• Bind vendors to data protection principles by concluding a processing agreement
Incident response and breach notification
GDPR impact:
• Include data breaches in existing incident response procedures
• Mandatory notification of data breaches to authority/data subjects
Solutions:
• Update existing incident procedure
• Keep internal register of data breaches
• Implement or update procedure and tooling for assessing data breaches and notifying the authority/data subjects
Data analytics and profiling
GDPR impact:
• Ensure profiling/analytics is performed in line with strict conditions
• Data subjects’ right to object to profiling/analytics
Solutions:
• Implement procedures to ensure conditions for profiling/analytics are met, including alternatives (pseudonymisation/anonymisation)
• Implement functionality to exclude individuals from profiling/analytics
04 Role of the DPO
GDPR Lessons Learned Slide: 19
Roles and responsibilities
05 Credentials
GDPR Lessons Learned Slide: 21
Credentials (1/2)
Large Credit Services Company – Credit service company
We performed an audit on the internal controls of the client and assessed whether they comply with the Dutch privacy laws. Our opinion was based on a public framework and resulted in a report comparable to ISAE 3000.
Privacy and compliance assessment – International information provider
We identified non-compliance gaps and improvement opportunities for our client. We created a high-level roadmap that illustrates the activities which should be performed to comply with the GDPR.
Privacy and compliance scan – Insurance company
We performed a privacy compliance scan to identify gaps based on the Dutch Data Protection Act and the GDPR.
We performed workshops to raise awareness and knowledge and drafted a roadmap to implement the necessary actions identified during the assessments and workshops.
GDPR assessment & data flow mapping – Financial institution (UK)
We performed a GDPR assessment, including a gap analysis of various business units (BUs) and systems.
World’s largest search engine
We advised on the data retention periods, under UK financial services regulatory regimes, for the world’s largest search engine operator which also owns and operates a UK payment services and e-wallet provider.
EY Data Privacy Workshops performed at multiple financial services organisations
We provided a workshop to create awareness within the company of the client. By using cases, simulations and interactive break-out sessions, we assessed privacy from different angles to allow the client to understand the impact of privacy on its organization.
GDPR Lessons Learned Slide: 22
Credentials (2/2)
US based IT provider
We advised a US-based IT provider – which specializes in providing IT back office support to banks – on the interaction between regulatory retention periods, AML and data protection laws.
Privacy gap assessment and implementation – Large pension fund
For our client, we established risk management, compliance management and a function & governance structure. In addition, we carried out risk identification & assessment, drafted policies (privacy policy, IT policy), assisted in developing risk mitigation strategies, designed reporting templates and raised awareness within the company through workshops.
Large bank based in the UK
Recently, we drafted the data retention policy – which included time periods for which different classes of data should be retained, methods for storing data and guidance on whether data should be erased or archived – for a large UK based challenger bank.
Global oil & gas company
We provided support to the global privacy officer and global internal audit department, as a subject-matter expert regarding implementation of and compliance with the global privacy policy.
06 Contact us
GDPR Lessons Learned Slide: 24
More information and contacts
EMEIA contacts
Bernadette Wesdorp
Senior Advisor Data Privacy and Data Protection
bernadette.wesdorp@nl.ey.com
+ 31 6 21252753
Tony de Bos
Data Protection and Privacy leader EMEIA
Executive Director Financial Services Advisory NL
tony.de.bos@nl.ey.com
+ 31 6 29084182
Privacy offerings
Privacy workshop
GDPR key changes
Saskia Vermeer – de Jongh
Senior manager and Attorney IP/IT and Privacy
saskia.de.jongh@hvglaw.nl
+ 31 6 29083580
Wout Olieslagers
Consultant and Attorney IP/IT and Privacy
wout.olieslagers@hvglaw.nl
+ 31 6 524 656 93
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
© 2016 EYGM Limited. All Rights Reserved.
In line with EY’s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content.
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.
ey.com