Privacy and Data Protection: Practical Approaches to Risk Assessment and Management
Privacy and Data Protection: Practical Approaches to Risk Assessment and Management
SCCE 11th Annual Compliance & Ethics Institute, October 16, 2012

About Us
Marti Arvin, JD, CHC-F, CPC, CCEP-F, CHRC, CHPC, Chief Compliance Officer, UCLA Health System
Courtney Barton, CCEP, CIPP/US, CIPP/E, Director, Corporate Compliance & Global Data Privacy, Bausch & Lomb, Incorporated

What We Plan to Cover Today
- Building and implementing an effective Privacy and Data Protection risk assessment and management process
- Managing Privacy and Data Protection risks in global organizational settings: challenges, strategic solutions and effective management
- Legal considerations and enforcement trends in Privacy and Data Protection compliance
Bausch + Lomb: See better. Live better.
We offer the world's most comprehensive portfolio of eye health products and have one of the oldest, best known and most respected healthcare brands in the world. Our core businesses include soft and rigid gas permeable contact lenses, lens care products, and ophthalmic surgical and pharmaceutical products. The company began in 1853 in Rochester, New York, as a small optical shop and grew into a multi-billion dollar global corporation with approximately 11,000 employees worldwide and products available in more than 100 countries.

UCLA Health System
UCLA Health System and the David Geffen School of Medicine:
- A health system with three hospitals and over 800 beds
- A faculty practice group with over 1,800 providers
- A school of medicine with clinical research
- Part of a larger university system of 10 campuses

In the course of operating our business, we collect, use, maintain, process and disclose information provided by consumers, patients, healthcare professionals, employees, vendors and others.

Data Privacy: the right of individuals to keep their personal data from being misused or disclosed.
Personal Data: information that can be used to uniquely identify, contact or locate an individual, including:
- Government-issued identification numbers
- Financial information
- Personal history (date of birth, address)
- Personal health information
Sensitive Personal Data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or medical details, or sexual orientation.
Data Privacy and Protection Regulations Continue to Grow in Scope and Complexity
Numerous laws have been enacted in countries around the world since the late 1990s, covering privacy, data protection, telemarketing, online communications and information security:
- Canada's Personal Information Protection and Electronic Documents Act (2002)
- United Kingdom's Data Protection Act amendments (2009)
- The European Union's Data Protection Directive 95/46/EC
- The 2009 amendments to the PRC Tort Liability Law, which impose penalties on both government and company personnel for misappropriation of personal information
- In the United States, 46 states and the District of Columbia have enacted data breach notification statutes, in addition to federal legislation on the appropriate use and disclosure of financial (including credit) and health-related data. The United States relies on a mix of sectoral regulation, self-enforcement and state regulation.
- Argentina's Law for the Protection of Personal Data (2000)
- India's Information Technology Act amendments (2009), which penalize companies for misappropriation of individuals' personal information
- New Zealand's Privacy Act (1993)
- Australia's Privacy Act (1988)
Source: CELC
And the financial, legal and reputational costs of a potential data breach continue to grow as well.

1. Establish a Clear and Defined Governance Structure
Design: Who has an appropriate level of expertise and authority to oversee the program?
- Chief Privacy Officer with oversight of the overall program
- Cross-functional support network
Implement: Cross-functional Data Privacy Steering Committee
- Establish a group of subject matter experts responsible for setting and implementing Privacy and Information Security strategy, policy and initiatives
- Formalize roles, responsibilities and authority in a charter or job descriptions
Manage: Review your infrastructure on a regular basis.
- Ensure that you continue to have the right level of authority and support to be effective
- Maintain a connection with the right subject matter experts as your organization evolves
2. Understand Your Risk Profile Through Comprehensive Data Mapping and Assessment
Conduct a data mapping exercise to obtain a robust inventory of sensitive data elements:
- What sensitive information do we have?
- Where is it stored?
- Who has access to the information?
- Where does the information move?
- What are we sending to the cloud or other third parties?
- What protections currently exist?
The mapping and assessment results must drive initiatives and corrective actions.

Deep Dive: Comprehensive Data Mapping and Assessment
Design: Build a business case for support and collaborate with those responsible for information security and records management.
- Don't overlook the savings opportunities and the overlap between these disciplines.
- Working with counsel and leveraging benchmark data for your industry, develop a list of simple, practical questions. Remember, most people don't realize the sensitivity of what they have; you need to help them make the connection.
- Review your organizational hierarchy in detail and develop a list of those who deal with the most personally identifiable data on a routine basis. Drill down to the level of those who actually handle the data. Be sure to include every business function and representatives from every geography/operating unit.
- If you don't ask the right people the right questions, you won't get accurate or useful information.
Implement: Plan, communicate and execute.
- Develop a marketing plan and let people know what's coming; emphasize the importance of active engagement and input
- Give people a reasonable amount of time to do what you're asking and track progress, sending personalized reminders as necessary
- Be available for questions and support
Manage: Once you have completed the map of applicable data elements, convene cross-functional leadership and counsel to prioritize risk areas and develop an action plan.
- The plan must be risk-based; there will likely be many opportunities for improvement
- Be sure to consider how to keep the data map up to date, so that you can track your progress and respond rapidly to new and changing requirements
3. Inventory Applicable Laws and Regulations
Design: Align the results of your data map, industry standards and the geographic range of your company
Implement: Conduct a gap assessment, taking into account the likelihood and impact of enforcement action
Manage: Keep the inventory updated through a method to track new and changing laws and regulations

4. Review, Revise and Create Policies and Procedures
Design: Develop a deep understanding of your data map and applicable laws and regulations. Identify any gaps.
- Benchmark, benchmark, benchmark
- Be aware of what your notice of privacy practices says and whether you have multiple versions in different places with conflicting language
Implement: Carefully review existing policies and procedures for areas of opportunity, overlap and potential inconsistency. Draft new policies as needed.
- Senior-level, cross-functional approval and support is critical
Manage: Assure there is a process for continuous review of policies and procedures
- Incorporate this into a regular review cycle
- Identify the resources necessary to assure continued support for compliance with policies and procedures
5. Design and Implement Training and Awareness Programs
Design: Identify specific high-risk areas and leverage the data map in choosing content to highlight
- Consider opportunities to incorporate privacy content into other training, such as Code of Conduct and information security training programs
Implement: Comprehensive training/awareness program for the general population; targeted training for specialized and high-risk areas
Manage: Review and update training according to other changes in your program
- Use methods for assuring that your training is effective
- Lack of understanding of the rules that apply is probably the biggest risk to information privacy and security

6. Ensure Coordination with the Company's Information Security Program
Design: A typical Information Security Program focuses on the processes, systems and controls designed to protect information from disclosure, inappropriate access, or loss of integrity or availability. Consider your organization's infrastructure.
Implement: Formalize the link between the Data Privacy and Information Security programs
Manage: Have regular meetings between privacy and information security
- Provide sufficient cross-training to assure each recognizes the respective roles and responsibilities

7. Third-Party Compliance Processes
Design: Create or leverage information security protocols and requirements for key third parties
- Create a process for identifying third parties who will be receiving, creating or otherwise handling your company's sensitive data, and the legal implications of their processing activities
Implement: Coordinate with the information security team and sourcing or procurement on contractual requirements
- Track these vendors
- Assure your workforce is aware of the process for contract negotiation
Manage: Update agreements if necessary for changes in legal provisions
- Where appropriate, audit and certify third-party privacy and information security measures
- To the extent possible, identify what actions by a vendor would result in contract termination
- Assure there is a method to track vendors who retain your company's sensitive data after contract termination
8. Global Companies: Understand and Implement Measures to Ensure Compliance with National Data Collection, Protection and Transfer Laws
Design: Consult legal counsel and consider the results of your data mapping exercise, along with existing policies, practices and the scope of foreign operations. Remember, laws vary by country and sector.
Implement: With guidance from legal counsel, execute country-specific compliance plans, taking your risk profile into account.
Manage: Continuously monitor the countries in which you do business for changes to laws and regulations
- Ensure there is a process for tracking changes and developments in all the countries in which you do business
- Understand the cultural environment in which you do business as well as the legal environment
- Be aware of any conflicting laws and regulations between countries

9. Data Breach Incident Plan
Design: Establish a data breach response procedure and team
- Establish parameters regarding when credit monitoring may be provided
Implement: Train the response team on breach response tactics and fire-drill scenarios
Manage: Consider a contract for breach response assistance services

10. Monitor and Audit Program Performance
Design: Ensure that you fully understand your organization's risk profile and tolerance
Implement: Develop program metrics to track effectiveness
Manage: Review and discuss metrics with senior leadership with an eye towards continuous improvement

Legal Considerations and Enforcement Trends
The legal landscape for privacy and information security risk is ever evolving:
- Increased consumer awareness and activism
- More litigation led by government entities
- Liability for breaches caused by third parties
- State vs. federal legislation in the US
- HIPAA/HITECH
- Directive vs. Regulation in the EU
- Global trend towards omnibus data protection laws: over 80 countries have enacted comprehensive data privacy laws
Legal Considerations and Enforcement Trends
Discussion areas:
- Enforcement: FTC, OCR, local Data Protection Authorities
- Regulatory changes: bills in Congress; Regulation vs. Directive in the EU
- Other countries: Australia, Brazil, Korea

Enforcement Actions
The FTC has become increasingly active in enforcing privacy provisions:
- August 2012: Google pays $22.5 million for misrepresenting privacy assurances
- July 2012: FTC becomes the first enforcement authority in the APEC Cross-Border Privacy Rules system
- March 2012: FTC puts an end to the tactics of an online advertising company that deceived consumers who wanted to "opt out" from targeted ads
- November 2010: LifeLock pays $11 million
- June 2010: Twitter settles a case that it failed to protect consumer data
- February 2010: FTC notifies almost 100 organizations about breaches of sensitive data through peer-to-peer file sharing sites

OCR
- Eight resolution agreements since 2008; more to come
- A representative from OCR has stated that Director Rodriguez has indicated they are going from "HIPAA Lite" to "HIPAA Jolt" regarding enforcement
- Remember: your health plan is likely a HIPAA covered entity even if your organization has nothing to do with health care services
IAPP 2011 Global Survey on Data Protection Authorities
Budgets for DPAs (chart not reproduced in the transcription)

IAPP 2011 Global Survey on Data Protection Authorities: DPA staffing size by country
- Over 40 FTEs: Australia, Bulgaria, Canada, European Union, Germany, Hong Kong, Hungary, Italy, Mexico, Poland, Spain and Sweden
- 31 to 40 FTEs: Norway, Serbia, Slovak Republic, Slovenia and United Kingdom
- FTEs (band not captured in the transcription): Argentina, Ireland, Lithuania and Macao
- FTEs (band not captured in the transcription): Cyprus, Estonia, Finland, Latvia, Mauritius and New Zealand
- 2 to 10 FTEs: Faroe Islands, Gibraltar and Guernsey

IAPP 2011 Global Survey on Data Protection Authorities
Staff allocation by activity (chart not reproduced in the transcription)

IAPP 2011 Global Survey on Data Protection Authorities
DPAs' oversight authority (chart not reproduced in the transcription)

Recent Bills in Congress
- SB 3414, The Cybersecurity Act of 2012: failed in the Senate, but Senator Lieberman vowed to bring it back
- HB, The Data Accountability and Trust Act (DATA): reasonable security policies for computerized personal information; national notification
- SB 3333, Data Security and Breach Notification Act of 2012: security of sensitive data; breach notification
- SB 3742, Data Security and Breach Notification Act of 2010: reasonable security policies for computerized personal information; national notification
- SB 139, Data Breach Notification Act: would require federal agencies and entities engaged in interstate commerce to give notice of a breach of sensitive personal information
Regulations v. Directives
- Regulations are the most direct form of EU law: they are binding on every Member State as soon as they are passed, and national governments do not have to take action themselves to implement them.
- EU directives lay down certain end results that must be achieved in every Member State. National authorities have to adapt their laws to meet these goals, but are free to decide how to do so. Directives may concern one or more Member States, or all of them.

Other Countries: Australia
Key changes to benefit consumers include:
- Clearer and tighter regulation of the use of personal information for direct marketing
- Extending privacy protections to unsolicited information
- Making it easier for consumers to access and correct information held about them
- Tightening the rules on sending personal information outside Australia
- A higher standard of protection for sensitive information, which includes health-related information, DNA and biometric data
- Enhancing the powers of the Privacy Commissioner to improve the Commissioner's ability to resolve complaints, conduct

Other Countries: Brazil
- A proposed Data Protection Bill would establish standards for sensitive data, require breach notification, and formalize expectations where they were previously less clear
Korea
- New law passed in 2011, with increased requirements for the protection of personal information
The Philippines
- Brand new law, signed in August 2012, based on the European Directive
Contact Information
Marti Arvin, JD, CHC-F, CCEP-F, Chief Compliance Officer, UCLA Health System and David Geffen School of Medicine
Courtney R. Barton, CCEP, CIPP (US/E), Director, Corporate Compliance & Global Data Privacy, Bausch & Lomb, Incorporated, (585) or to
More informationPRIVACY POLICY. 3.1 This policy does not apply to the collection, holding, use or disclosure of personal information that is an employee record.
1. Introduction 1.1 From time to time Business & Risk Solutions Pty Ltd ("the Company") is required to collect, hold, use and/or disclose personal information relating to individuals (including, but not
More informationHIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017
HIPAA How to Comply with Limited Time & Resources Jonathan Pantenburg, MHA, Senior Consultant JPantenburg@Stroudwater.com August 17, 2017 Stroudwater Associates is a leading national healthcare consulting
More informationDirective on security of network and information systems (NIS): State of Play
Directive on security of network and information systems (NIS): State of Play Svetlana Schuster Unit H1 Cybersecurity and Digital Privacy DG Communications Networks, Content and Technology, European Commission
More informationData Privacy & Protection
Data Privacy & Protection March 10, 2016 Data Breach Notification and Cybersecurity Developments in 2016 Melissa J. Krasnow, Dorsey & Whitney LLP, and Certified Information Privacy Professional/US This
More informationExam4Tests. Latest exam questions & answers help you to pass IT exam test easily
Exam4Tests http://www.exam4tests.com Latest exam questions & answers help you to pass IT exam test easily Exam : CISM Title : Certified Information Security Manager Vendor : ISACA Version : DEMO 1 / 10
More informationNYDFS Cybersecurity Regulations: What do they mean? What is their impact?
June 13, 2017 NYDFS Cybersecurity Regulations: What do they mean? What is their impact? Gus Coldebella Principal, Boston Caroline Simons Principal, Boston Agenda 1) Overview of the new regulations 2) Assessing
More informationThe Relationship Between HIPAA Compliance and Business Associates
The Relationship Between HIPAA Compliance and Business Associates 1 HHS Wall of Shame 20% Involved Business Associates Based on HHS Breach Portal: Breaches Affecting 500 or More Individuals, Type of Breach
More information01.0 Policy Responsibilities and Oversight
Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities
More informationDon t Be the Next Headline! PHI and Cyber Security in Outsourced Services.
Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services. June 2017 Melanie Duerr Fazzi Associates Partner, Director of Coding Operations Jami Fisher Fazzi Associates Chief Information
More informationIMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES
IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES Introductions Agenda Overall data risk and benefit landscape / shifting risk and opportunity landscape and market expectations Looking at data
More informationAchieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)
Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs) Florida Hospital Association Welcome! John Wilgis Director, Emergency Management Services Florida Hospital Association
More informationVIACOM INC. PRIVACY SHIELD PRIVACY POLICY
VIACOM INC. PRIVACY SHIELD PRIVACY POLICY Last Modified and Effective as of October 23, 2017 Viacom respects individuals privacy, and strives to collect, use and disclose personal information in a manner
More informationRIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015
www.pwc.com RIMS Perk Session 2015 - Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015 Los Angeles RIMS Agenda Introductions What is Cybersecurity? Crown jewels The bad
More informationThis Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).
PRIVACY POLICY Data Protection Policy 1. Introduction This Data Protection Policy (this Policy ) sets out how Brital Foods Limited ( we, us, our ) handle the Personal Data we Process in the course of our
More informationThis guide is for informational purposes only. Please do not treat it as a substitute of a professional legal
What is GDPR? GDPR (General Data Protection Regulation) is Europe s new privacy law. Adopted in April 2016, it replaces the 1995 Data Protection Directive and marks the biggest change in data protection
More informationWhat To Do When Your Data Winds Up Where It Shouldn t
What To Do When Your Data Winds Up Where It Shouldn t Don M. Blumenthal Defcon 16 Las Vegas, Nevada August 9, 2008 Disclaimer Opinions expressed are my own and intended for informational purposes. They
More informationEU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know
EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know The General Data Protection Regulation (GDPR) The eprivacy Regulation (epr) The Network and Information Security Directive
More informationVII. GUIDE TO AGENCY PROGRAMS
VII. GUIDE TO AGENCY PROGRAMS Executive Offices and Centers David L. Lakey, M.D., Commissioner Kirk Cole, Associate Commissioner Luanne Southern, Deputy Commissioner FTEs: 71.1 Commissioner FTEs: 1.5 The
More informationGeneral Data Protection Regulation Frequently Asked Questions (FAQ) General Questions
General Data Protection Regulation Frequently Asked Questions (FAQ) This document addresses some of the frequently asked questions regarding the General Data Protection Regulation (GDPR), which goes into
More informationCore Elements of HIPAA The Privacy Rule establishes individuals privacy rights and addresses the use and disclosure of protected health information ( PHI ) by covered entities and business associates The
More informationIntegrating HIPAA into Your Managed Care Compliance Program
Integrating HIPAA into Your Managed Care Compliance Program The First National HIPAA Summit October 16, 2000 Mark E. Lutes, Esq. Epstein Becker & Green, P.C. 1227 25th Street, N.W., Suite 700 Washington,
More informationACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION
ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION Document Control Owner: Distribution List: Data Protection Officer Relevant individuals who access, use, store or
More informationSecurity Breach Notification Reflections on the U.S. Experience
Compliance & Regulatory Matters Data Privacy Security Breach Notification Reflections on the U.S. Experience Bojana Bellamy Director of Data Privacy Accenture Brief History of Breach Notification Laws
More informationXpress Super may collect and hold the following personal information about you: contact details including addresses and phone numbers;
65 Gilbert Street, Adelaide SA 5000 Tel: 1300 216 890 Fax: 08 8221 6552 Australian Financial Services Licence: 430962 Privacy Policy This Privacy Policy was last updated on 27 February 2017. Our Commitment
More informationAll Aboard the HIPAA Omnibus An Auditor s Perspective
All Aboard the HIPAA Omnibus An Auditor s Perspective Rick Dakin CEO & Chief Security Strategist February 20, 2013 1 Agenda Healthcare Security Regulations A Look Back What is the final Omnibus Rule? Changes
More informationAudit and Compliance Committee - Agenda
Audit and Compliance Committee - Agenda Board of Trustees Audit and Compliance Committee April 17, 2018, 1:30 2:30 p.m. President s Board Room Conference Call-In Phone #1-800-442-5794, passcode 463796
More informationPRIVACY NOTICE WHO WILL PROCESS YOUR PERSONAL INFORMATION? WHY IS YOUR PERSONAL INFORMATION REQUIRED?
PRIVACY NOTICE First Capital Independent Financial Advisers Limited understands its obligations in regards to your fundamental right to a private life and has implemented systems and controls to ensure
More informationVirginia State University Policies Manual. Title: Information Security Program Policy: 6110
Purpose Virginia State University (VSU) uses information to perform the business services and functions necessary to fulfill its mission. VSU information is contained in many different mediums including
More informationEmerging Challenges in mhealth: Keeping Information Safe & Secure HCCA CI Web Hull Privacy, Data Protection, & Compliance Advisor
Emerging Challenges in mhealth: Keeping Information Safe & Secure HCCA CI 2016 Web Hull Privacy, Data Protection, & Compliance Advisor Web.Hull@icloud.com 1 Topics 1. mhealth Challenges & Landscape 2.
More informationTopics 4/11/2016. Emerging Challenges in mhealth: Keeping Information Safe & Secure. Here s the challenge It s just the beginning of mhealth
Emerging Challenges in mhealth: Keeping Information Safe & Secure HCCA CI 2016 Web Hull Privacy, Data Protection, & Compliance Advisor Web.Hull@icloud.com 1 Topics 1. mhealth Challenges & Landscape 2.
More informationREPORT 2015/149 INTERNAL AUDIT DIVISION
INTERNAL AUDIT DIVISION REPORT 2015/149 Audit of the information and communications technology operations in the Investment Management Division of the United Nations Joint Staff Pension Fund Overall results
More informationData Breach Notification: what EU law means for your information security strategy
Data Breach Notification: what EU law means for your information security strategy Olivier Proust December 8, 2011 Hunton & Williams LLP Key points 1. Introduction 2. Overview of data breach requirements
More informationSeven Requirements for Successfully Implementing Information Security Policies and Standards
Seven Requirements for Successfully Implementing and Standards A guide for executives Stan Stahl, Ph.D., President, Citadel Information Group Kimberly A. Pease, CISSP, Vice President, Citadel Information
More informationData Processing Agreement for Oracle Cloud Services
Data Processing Agreement for Oracle Cloud Services Version January 12, 2018 1. Scope, Order of Precedence and Term 1.1 This data processing agreement (the Data Processing Agreement ) applies to Oracle
More informationIntroductory guide to data sharing. lewissilkin.com
Introductory guide to data sharing lewissilkin.com Executive Summary Most organisations carry out some form of data sharing, whether it be data sharing between organisations within the group or with external
More informationJefferies EMEA Privacy Notice
Jefferies International Limited Vintners Place 68 Upper Thames St London United Kingdom Jefferies EMEA Privacy Notice 1. Introduction This Privacy Notice explains what we do with your personal data. It
More informationU.S. Private-sector Privacy Certification
1 Page 1 of 5 U.S. Private-sector Privacy Certification Outline of the Body of Knowledge for the Certified Information Privacy Professional/United States (CIPP/US ) I. Introduction to the U.S. Privacy
More informationSubject: Kier Group plc Data Protection Policy
Kier Group plc Data Protection Policy Subject: Kier Group plc Data Protection Policy Author: Compliance Document type: Policy Authorised by: Kier General Counsel & Company Secretary Version 3 Effective
More information