The Impact of GDPR Compliance on IT and Security

Transcription

1 The Impact of GDPR Compliance on IT and Security

2 Experts on Panel Bojana Bellamy President Centre for Information Policy Leadership Vibhav Agarwal Director MetricStream 2017 MetricStream, Inc. All Rights Reserved.

3 Agenda The effect of GDPR on IT and security teams Technical and security measures to support data protection The interaction between IT and IS with data privacy compliance and legal A risk based approach to GDPR compliance Q&A 2017 MetricStream, Inc. All Rights Reserved.

4 GDPR Compliance Key impact for IT, CIO and CISO and Recommendations for Data Driven Organizations

5 A GLOBAL PRIVACY AND SECURITY THINK TANK CIPL at a glance BRIDGING REGIONS BRIDGING INDUSTRY & REGULATORS BRIDGING PRIVACY AND DATA DRIVEN INNOVATION ACTIVE GLOBAL REACH 55+ Member Companies 5+ Active Projects & Initiatives 20+ Events annually 15+ Principals and Advisors We INFORM through publications and events We SHAPE privacy policy, law and practice We NETWORK with global industry and government leaders We CREATE and implement best practices ABOUT US The Centre for Information Policy Leadership (CIPL) is a global privacy and security think tank Based in Washington, Brussels and London Founded in 2001 by leading companies and Hunton & Williams LLP CIPL works with industry leaders, regulatory authorities and policy makers to develop global solutions and best practices for data privacy and responsible use of data to enable the modern information age Twitter.com/the_cipl Pennsylvania Ave NW Washington, DC Park Atrium, Rue des Colonies Brussels, Belgium 30 St Mary Axe London EC3A 8EP

6 Key GDPR Changes at a Glance Harmonisation and progressive aspects Broader scope Increased obligations Strengthened rights of individuals Increased enforcement, fines, liability Harmonised rules, but not fully (e.g. employee data, children data) Obligations on both controller and processor DP principles tightened (consent, transparency/notices) Right to erasure Data portability Regulatory fines up to 4% of annual worldwide turnover One Stop Shop: Lead DPA for pan-european matters, in cooperation with other DPAs; Local DPA for local matters and redress for individuals Risk-based approach Some reduction of administrative burden (no national registration of processing. or prior authorisation) BCR, seals and certifications Extraterritorial application to foreign controller and processor Wider definition of personal data and sensitive data; anonymous data and pseudonymisation Processing data of children under 16 requires parental consent Profiling rules Privacy Impact Assessment Privacy by Design Breach notification - to DPAs and individuals Direct obligations and liability for processor Accountability - privacy programme Internal record of processing Right not to be subject to automated decision making Right to object Individual action Class action Criminal sanctions (in national laws) Larger role for European Data Protection Board (EDPB) Greater cooperation and consistency by DP regulators DP Officer

7 CIPL GDPR Project Deliverables to Date 5 Workshops and working sessions Amsterdam (Kick-off), Paris (DPO, Risk), Brussels (Certifications), Madrid (Transparency, Consent, Legitimate interest), Dublin (Smart Regulation) 5 CIPL Papers Submitted to WP29 DPO Risk and DPIA One Stop Shop and Lead DPA Certifications Transparency, Consent, Legitimate Interest eprivacy Regulation Consultation Response 4 CIPL Responses to WP29 Guidance DPO, Data Portability, Lead SA, DPIA GDPR Readiness Survey Report 3 CIPL Papers in Progress Smart Regulation eprivacy Regulation Profiling and Automated Decision-Making

8 GDPR: Key Areas of Strategic Impact DPIA and Risk Assessment Privacy Engineers Vendor management Data strategy and Big Data enablement Breach management Data transfers strategy DPA relationship management DPO led, documented, risk-based, verified, demonstrated Impact and interaction with global program DP Program Corporate Digital Responsibility Legal uncertainty and disputes management

9 Level of Impact CIPL & AvePoint Joint GDPR Readiness Survey Oct 2016 Privacy Management Programme Use/Contracting with processors Individual rights Readiness Data breach notification SENIOR MANAGEMENT KEY CONCERNS Enhanced sanctions Data breach reporting Stricter rules on consent & data reuseccc Individual rights Changes to internal privacy program Legitimate interest, Privacy by Design, DPIA and risk - the main areas requiring most clarification

10 Accountability in GDPR Privacy Programme Controllers must: Be responsible for compliance with GDPR Implement appropriate and effective technical and organisational measures to comply with the GDPR Demonstrate compliance & effectiveness of the measures Taking into account: The nature, scope, context, and purposes of the data processing The risk for individuals - physical, moral, material damages

11 Compliance Tools, Technology, Software Currently organizations do not widely use, or have access to, technology tools and software to aid with data privacy compliance tasks. Only a minority use technology to automate and industrialize: DPIAs; Data classification and tagging policies; Data processing records / inventories; Delivery of new data portability right. Where else can technology help? Right of access, consent management, privacy transparency dashboards, Privacy Program demonstration, etc.

12 GDPR Opportunity to Rethink Data Privacy and Information Management Strategy Enable new business models, digitalisation and data innovation Address expectations for increased transparency, user control and value, corporate responsibility Ensure data sustainability and digital trust Address regulatory changes - impact and implementation Mitigate legal, commercial and reputational risks

13 Systematic Changes Ahead for Organisations GDPR implementation requires company-wide change management program DP becomes a business issue - wide impact on company s globalisation, digital transformation and data strategy DP becomes board-level issue higher enterprise risk; larger business, legal and compliance impact; security breach notification and management Holistic and joined-up approach - between CIO, CISO, CDO, CMO, CPO, Legal and communications / media relations DP Officer (DPO) - becomes a more strategic, senior and multi-skilled role Greater need for managing external engagement and relationships (DPAs, EDPB, individuals, media, privacy advocates)

14 EU GDPR - Key Red Flags for IT, CIO, CISO Privacy Impact Assessments, based on risk to individuals Privacy by Design and Privacy by Default Security breach management & notification Internal inventory of processing Third party providers (software and services) Wide regulated personal data Coordinated action DPO, CIO, CISO Tension privacy v. security

15 Holistic Approach to Privacy and Security Two sides of the same coin There is no privacy without security Privacy can be breached without a breach of security Convergence Privacy > Security Governance Conflict Enabling business growth and innovation Protecting assets and information creates privacy risks

16 GDPR Compliance Steps Understand your data, its relevance and the risks customers, employees, third parties contacts, website users Create and maintain accourate records of processing Appoint DPO, or allocate responsibility for DP compliance Establish legal basis for each data processing consent, legitimate interest, contract necessity, etc. Draft privacy notices and policies for individuals Create DPIA processes / templates and carry out DPIA for existing and new processing and new projects Draft vendor DP due diligence and contracting templates Create legal mechanisms for sharing data globally Establish procedures for rights of individuals Develop and test breach response and notification procedures Training and communication of the staff and relevant functions On-going compliance and monitoring / auditing

17 Thank you Bojana Bellamy Centre for Information Policy Leadership Hunton & Williams Privacy and Information Security Law Blog FOLLOW US ON LINKEDIN linkedin.com/company/centre-for-information-policy-leadership FOLLOW US ON

18 How can technology help you? Vibhav Agarwal Director MetricStream

19 Top Concerns of CIOs within Enterprises* *cioinsights.com 2017 MetricStream, Inc. All Rights Reserved.

20 Key Requirements for GDPR Centralized repository/ library of articles, controls, and requirements for GDPR compliance Establish an integrated framework to conduct Data Privacy Impact Assessments (DPIAs) through surveys and questionnaires Enable the implementation of robust data privacy processes and controls Generate delta control reports, as well as other reports and dashboards to assess GDPR compliance Manage issues generated from risk and control assessments 2017 MetricStream, Inc. All Rights Reserved.

21 GDPR - Focus on Key Areas Assess Compliance Ongoing Compliance Data Privacy Risks, Controls & Process setup Data Privacy Impact Assessments Data Protection Audits Controls Compliance Risk Assessments Update Risk register, Control register and Process register with GDPR data Perform survey based Impact assessments across assets and processes across Bus and Third parties Addition of testing strategies and steps to audit Data breach response plan and PII storage Comprehensive Extended Orgwide Controls assessment process for GDPR related controls Workflow to assess enterprise & IT Risks quantitatively based on inherent factors and control effectiveness 2017 MetricStream, Inc. All Rights Reserved.

22 Implementation of an Industry Standard Solution Centralized IT Repository Relational Data Model Data Privacy Impact Assessments Controls Compliance & Risk Assessment Third Party Compliance Assessment Management Reporting 2017 MetricStream, Inc. All Rights Reserved.

23 Way forward Strategy Design Implement Assess Monitor Define the overall management strategy for managing GDPR compliance Create an Risk and Compliance process with ownership and governance to meet the GDPR mandate Implement a Technology solution to ensure traceability and accountability across the workflow Assess IT controls and IT risks leveraging the latest controls, questions and procedure libraries Monitor the assessments and perform management reporting via reports and dashboards Consultancy Technology solution 2017 MetricStream, Inc. All Rights Reserved.

24 Are you GDPR ready? 2017 MetricStream, Inc. All Rights Reserved.

25 About MetricStream Vision Integrated Governance, Risk and Compliance for Better Business Performance Solutions Risk Management IT Risk Management Business Continuity Management IT Compliance Management SOX Compliance Management Enterprise Risk Management Internal Audit Management Compliance Management Policy and Document Management Regulatory Change Management Partners Organization Differentiators Over 1,400 employees Headquarters in Palo Alto, California with offices worldwide Over 400 enterprise customers Privately held Backed by global leading VCs, Sage View Capital, Goldman Sachs Technology - GRC Platform 9 Patents Breadth of Solutions Single Vendor for all GRC needs Cross-industry Best Practices and Domain Knowledge ComplianceOnline.com - Largest Compliance Portal on the Web 2017 MetricStream, Inc. All Rights Reserved.

26 Topics in Discussion Include: GRC for High Performers Days Speakers Sessions Attendees Is your company ready for GDPR A Chief Privacy Officer s Perspective Emerging Audit trends and challenges Converging Across Emerging and Evolving Risks Building An Enterprise Strategy MetricStream GRC Summit 2017 Date: November 6-7, 2017 Location: Lancaster London Hotel, London, UK Register now Use Discount Code WEB200 & Register Now for JUST 599

27 Q&A Bojana Bellamy President Centre for Information Policy Leadership Vibhav Agarwal Director MetricStream Thank you for participating! A copy of this presentation will be made available to all participants in next 48 working hours. For more details on upcoming MetricStream webinars: MetricStream, Inc. All Rights Reserved.

28 THANK YOU Contact Us: Website: Phone: USA UAE UK MetricStream, Inc. All Rights Reserved.