GDPR. Lessons Learned

Transcription

1 GDPR Lessons Learned

2 Introduction 01

3 Privacy is a hot topic Privacy and Data Protection is increasingly in the spotlight and undergoing a paradigm shift in light of the new General Data Protection Regulation (GDPR) and uncertainty post Brexit Personal Information (PI) is a valuable asset through intelligence and monetisation opportunities Privacy awareness of the public has increased significantly, exacerbated by frequent personal data breaches catching media attention Demonstrating good privacy governance and practices will be considered by the FCA and other regulators GDPR Lessons Learned Slide: 3

4 GDPR coming into force in May 2018 and organizations need to act now The volume of people, process and technology change required by the 25 May 2018 deadline of the GDPR should not be underestimated Many organisations are compliant, on paper, with existing legislation, but are yet to face the challenge of implementing the requirements through the entire personal data lifecycle As business models have been digitised, the volume of data held by organisations has increased significantly, resulting in organisations not understanding how much PI they hold, why they retain it and how it is being used GDPR Timeline January April May 2018 European Commission (EC) proposed GDPR March 2014 EU Parliament adopt compromise text Dec 2015 GDPR agreed GDPR formally adopted by member states Transition period of 2 years GDPR takes effect GDPR Lessons Learned Slide: 4

5 GDPR key changes (1/2) Expanded scope Applies to all data controllers and processors established in the EU and organizations that target EU citizens Consent Consumer consent to process data must be freely given and for specific purposes Customers must be informed of their right to withdraw their consent Consent must be explicit in the case of sensitive personal data or trans border dataflow New rights The right to be forgotten the right to ask data controllers to erase all personal data without undue delay in certain circumstances The right to data portability where individuals have provided personal data to a service provider, they can require the provider to port the data to another provider, provided this is technically feasible The right to object to profiling the right not to be subject to a decision based solely on automated processing Privacy Impact Assessments Organizations must undertake Privacy Impact Assessments when conducting risky or large scale processing of personal data Privacy by Design Organizations should design data protection into the development of business processes and new systems GDPR Lessons Learned Slide: 5

6 GDPR key changes (2/2) Data Protection Officers (DPOs) DPOs must be appointed if an organization conducts large scale systematic monitoring or processes large amounts of sensitive personal data Organization must prove they are accountable by: Accountability Establishing a culture of monitoring, reviewing and assessing data processing procedures Minimizing data processing and retention of data Building in safeguards to data processing activities Documenting data processing policies, procedures and operations that must be made available to the data protection supervisory authority on request Obligations on processors New obligations on data processors processors become an officially regulated entity Mandatory breach notification Organizations must notify supervisory authority of data breaches without undue delay or within 72 hours, unless the breach is unlikely to be a risk to individuals If there is a high risk to individuals, those individuals must be informed as well Fines of up to 4% of annual worldwide turnover Fines for a breach of the GDPR are substantial. Regulators can impose fines of up to 4% of total annual worldwide turnover or 20,000,000, whichever is greater GDPR Lessons Learned Slide: 6

7 The importance of privacy moving beyond compliance Moving beyond Compliance Business Incentives Compliance Incentives Need to comply with laws, regulations, contracts and other agreements Increasing pressure from regulators Rising fines and penalties Minimise reputational damage Significant costs associated with recovery from breaches and potential lawsuits from those affected Move beyond compliance to build trusting relationships with stakeholders that drive loyalty and retention Privacy is a competitive differentiator in a data- and technology-driven world Enhance brand and reputation Satisfy stakeholders expectations, especially in light of increasing public awareness of and concern about data privacy Proactively prevent loss of customers and market share as a result of data breaches Data protection as moral responsibility towards customer and part of CSR profile Prevent data breaches and avoid associated remediation costs Protect future revenue sources and create new ones through from data with customer consent GDPR Lessons Learned Slide: 7

8 GDPR can frustrate or support the digital proposition Companies nowadays collect a high amount of data, which might lead to the collection and / or creation of personal identifiable information Internet of Things Digital marketing, sales and service Partner and ecosystem More and more Internet of Things devices are introduced and generate large volumes of data which can be used by organizations to support their market and client insights and improve digital proposition. For example mobiles, connected cars and wearables. Organization are transformation their business into digital propositions. These propositions are build on technology and data. Precondition is the reuse of data. Organization are more and more connected with partners in an ecosystem. To utilize the advantages data need to be shared across the ecosystem, while supporting privacy regulations. Organisations need to identify which is the minimum amount of personal identifiable information they need in order to perform their data analysis, or perform anonymization or pseudonymization. GDPR Lessons Learned Slide: 8

9 Transformation approach 02

10 Data Protection and Privacy Transformation approach EY s unique approach Comprehensive in reach through its four phases: understand, assess, design and implement Multi-disciplinary by integrating the legal, IT, risk and business perspectives of privacy Close cooperation with EY Law to translate legal requirements into a risk-based, customised approach Identification of high risks and focus on becoming compliant with current legislation, while keeping sight of the organisation s GDPR readiness Proven success in roll-out in various countries GDPR Lessons Learned Slide: 10

11 A phased approach combining Overall GDPR maturity assessment and PIAs on high risk data flows Phase 1 Phase 2 Phase 3 Key activities Framework Overall maturity assessment Customize Privacy Impact assessment (PIA) Implementation plan Privacy framework policy and standards Data governance (including DPO position) Update implementation plan Accountability Privacy by Design Monitoring and incident response Notifications Metrics, reports and dashboard Dataflow Assessment data flows using PIA based on risk based approach Fixing reported gaps based on priority setting Fixing reported gaps based on priority setting Continue dataflow assessments Continue dataflow assessments Vendor Vendor risk management framework Vendor risk assessment and update contracts Vendor risk assessment and update contracts Awareness Awareness Awareness Awareness GDPR Lessons Learned Slide: 11

12 Risk based approach to assess data flows based on a well established PIA process Dataflow inventory Risk assessment dataflow Defining risk appetite Prioritize dataflows Perform PIA Define actions In order to fully assess privacy and compliance risks, organizations will need to understand how (customer and employee) data are used. Therefore, the first step of our PIA process consists of making an inventory of the dataflows, which includes i.a. a complete overview of data sources (systems and files), where data are stored, how it is processed, who it is shared with and how long it is retained. The dataflows will be inventoried during a (+/- 2hour) workshop with internal stakeholders. Our dataflow tooling can be used to validate the outcome of such workshop. The second step of our PIA process consists of categorizing the dataflows by the associated risks (high/medium/low risk). Such risk assessment which consists of a (brief) questionnaire enhances organizations to prioritize dataflows, establish whether a PIA would be obligated based on the GDPR and creates an audit trail in this respect. Subjects of the risk assessment include i.a.: Personal data Special data Volume of data Sensitivity of process Using the gathered insights on the dataflows, the risk appetite will be defined to support expected GDPR changes, prioritize dataflows and define actions. EY will support in both (i) developing a qualitative statement to articulate privacy risk and (ii) defining a clear appetite statement that can be measured and aligns to your strategy and (iii) identify metrics from your Privacy Risk Control Framework that speak to your risk appetite and align where possible to strategic objectives Based on both the defined risk appetite of the organization and the established risk(s) per dataflow, it will be established on what dataflows the PIAs will be performed and the order in which they will be carried out. The dataflows with risks that would impact the organization most given its risk appetite will be performed first. EY has developed an in-depth Excel based questionnaire to gather the insights necessary to assess the impact of the dataflows on the natural persons involved. This questionnaire covers most subjects of the GDPR (more comprehensive than the risk assessment) and contains guidelines and primarily closedended questions (yes/no, multiple choice, rating scale, etc.), making the PIA user-friendly for the business. If so desired, the PIA questionnaire can be modified or integrated with existing risk assessments (e.g. BIA or ISRA). Further to perform the PIA, actions will be defined to mitigate the risks on the natural persons identified during the PIA. Subsequently, this list of actions will be divided based on the risk appetite of the organizations, mitigating the highest risks first. GDPR Lessons Learned Slide: 12

13 Lessons learned Privacy governance Privacy is no longer exclusively situated within the legal realm but has evolved into a multi-disciplinary issue Organisations are struggling to establish a comprehensive model to lead privacy transformation A new, collaborative model is needed to unite the multiple dimensions of privacy within the organisation Many organisations are unaware of their data flows and have launched ambitious data flow mapping initiatives Data flow mapping Data flow mapping exercises are all too often performed in manner that is too detailed and resource consuming A more limited scope is sufficient to facilitate the creation of a privacy register Data discovery tooling can be used to further detect structured and unstructured data Legacy Privacy impact assessments (PIA) need to be performed for the organisation s data flows and a risk-based approach should be adopted to focus on high impact data flows Through data flow mapping, non-compliances with the GDPR s requirements such as the right to be forgotten and data retention are identified A targeted approach allows for prioritisation of actions and the identification of those which can be pursued centrally to facilitate integration with the entire organisational data governance (including Privacy by Design) GDPR Lessons Learned Slide: 13

14 Lessons learned Rightful usage The concept of rightful usage (legitimate use or explicitly obtained consent) forms an integral part of the privacy impact assessment (PIA) related to the mapping and discovery of organisational data flows Organisations too often adopt an isolated approach focused on a singular data flow In contrast, an overarching approach forms a starting point for additional activities requiring the basis of legitimate use or consent as it centralises the overview of rightful usage of data Right to be forgotten The majority of applications are not currently supporting the key changes brought by the GDPR around the right to be forgotten, data portability and data retention In particular, many organisations struggle with supporting the right to be forgotten due to the complexity and wide distribution of data across different databases, backups etc. The use of big data analytics has attracted widespread attention and has proven to provide added business value Big data analytics Challenges around privacy arise due to the lack of consent amongst data subjects In essence, these challenges are not new, and thus lend themselves to the established response of pseudonomisation or anonymization of data to ensure the preservation of privacy, while still leveraging the strategic value of data. GDPR Lessons Learned Slide: 14

15 Impact on IT and Security 03

16 Impact IT and Security (1/2) An overview of impact and solutions GDPR Impact Solutions Data Protection Policy and data classification Privacy Risk and Controls Classify Personal identifiable information (PII) Ensure necessary and proportionate use only Enforce policies and standards Integrate privacy controls and assessment into the existing control framework and risk assessments Perform risk assessments on processes and data flows (in stead of systems/applications) Draft, review and update existing data protection policies and standards Use specific tooling to classify your PII Use specific tooling to enforce data protection policy and standards Update existing risk framework and assessments Integrate privacy controls in the existing tools and controls testing Data Lifecycle Management Define data flows Document conditions for processing (i.e. legal ground, data minimization, information provision, purpose limitation) Implement and maintain privacy register Integrate GDPR in data governance and management Implement or enhance (existing) tooling to support data flow mapping and document data attributes Implement privacy register based on tooling Data subject rights Privacy by design and architecture Support rights of data subjects i.a. to access, modify and erase their PII, transfer PII to another organization (data portability) and object to the processing. Take into data protection of PII in [existing design and build procedures] Enhance existing security architecture to support privacy by design including libraries of tools to support [design and build procedures] Implement procedure/functionality for data subjects to submit requests and provide transparency on data subjects rights Implement procedure to assess the requests of data subjects to exercise rights Tooling for providing access on user request Tooling for transferring data to another organization (data portability) Tooling for erasure by ways of disposal, pseudonomization/anonymization Implement procedure for assessing risk of data flows Perform PIA's (privacy impact assessments) on new and current processes Redesign design and build procedures by including data protection principles GDPR Lessons Learned Slide: 16

17 Impact IT and Security (2/2) An overview of impact and solutions GDPR Impact Solutions Data security Technical security measures to protect PII in line Describe procedures in information security policy and standards on data with policies and procedures protection and implement such procedures Implement encryption (rest, use motion) Implement tooling to encrypt data on different technology layers, i.a. network, Align identity access management with appropriate end-user, server, database, application, and unstructured documents use in line with GDPR Update roles and authorizations in existing identity access management Data retention and disposal Identify retention periods for each category PII Dispose or anonymize PII after retention period Create a data retention and disposal policy. Describe the retention periods per record (using the mandatory privacy register); Implement the retention periods in applications or implement specific tooling in combination with archiving system Monitoring Implement monitoring to ensure that PII is used in Implement data discovery tooling to ensure that all data is recorded and line with policies, standards and GDPR accounted for as part of the privacy register Detect deviations, i.a. unauthorized disclosures Use specific monitoring tooling to record the deviations of policies, disclosures and data flows, privacy data analytics Incident response and Breach notification Vendor management Data analytics and profiling Include data breaches in existing incident response procedures Mandatory notifications of data breaches to authority/data subjects Having an up-to-date overview of all vendors that process PII Ensure vendors only process PII in line with policies, standards and GDPR (e.g. monitoring vendors and performing audits) Ensure profling/analytics is performed in line with strict conditions Data subjects right to object to profiling/analytics Update existing incident procedure Keep internal register on data breaches Implement or update procedure and tooling for assessing data breaches and notifying to authority/data subjects Implement vendor management framework, including controls vendors should comply with. Implement procedures and tooling for monitoring vendors Bind vendors to data protection principles by concluding processing agreement Implement procedures to ensure conditions for profiling/analytics are met, including alternatives (pseudonimization/anonymization) Implement functionality to exclude individuals from profiling/analytics GDPR Lessons Learned Slide: 17

18 Role of the DPO 04

19 Roles and responbilities GDPR Lessons Learned Slide: 19

20 Credentials 05

21 Credentials (1/2) 1 Large Credit Services Company Credit service company 4 GDPR assessment & data flow mapping Financial institution (UK) We performed an audit on the internal controls of the client and assessed whether they comply with the Dutch privacy laws. Our opinion was based on a public framework and resulted in a report comparable to ISAE We performed a GDPR assessment, including a gap analysis of various business units (BUs) and systems. World largest search engine 2 3 Privacy and compliance assessment International information provider We identified non-compliance gaps and improvement opportunities for our client. We created a high level roadmap that illustrates the activities which should to be performed to comply with the GDPR. Privacy and compliance scan Insurance company We performed a privacy compliance scan to identify gaps based on the Dutch Data Protection Act and the GDPR. 6 We advised on the data retention periods, under UK financial services regulatory regimes, for the world s largest search engine operator which also owns and operates a UK payment services and e- wallet provider.. EY Data Privacy Workshops performed at multiple financial services organisations We provided a workshop to create awareness within the company of the client. By using cases, simulations and interactive break-out sessions, we assessed privacy from different angles to allow the client to understand the impact of privacy on its organization. We performed workshops to raise awareness and knowledge and drafted a roadmap to implement the necessary actions identified during the assessments and workshops. GDPR Lessons Learned Slide: 21

22 Credentials (2/2) 7 US based IT provider 9 Privacy gap assessment and implementation Large pension fund We advised a US-based IT provider which specializes in providing IT back office support to banks on the interaction between regulatory retention periods, AML and data protection laws. For our client, we established risk management, compliance management and a function & governance structure. In addition, we carried out risk identification & assessment, drafted policies (privacy policy, IT policy), assisted in develop risk mitigation strategies, designed reporting templates and raised awareness within the company through workshops. 8 Global oil & gas company We provided support to the global privacy officer and global internal audit department, as a subject-matter expert regarding implementation of and compliance with the global privacy policy. 10 Large bank based in UK Recently, we drafted the data retention policy which included time periods for which different classes of data should be retained, methods for storing data and guidance on whether data should be erased or archived for a large UK based challenger bank. GDPR Lessons Learned Slide: 22

23 Contact us 06

24 More information and contacts EMEIA contacts Privacy offerings Tony de Bos Data Protection and Privacy leader EMEIA Executive Director Financial Services Advisory NL Saskia Vermeer de Jongh Privacy workshop GDPR key changes Senior manager and Attorney IP/IT and Privacy saskia.de.jongh@hvglaw.nl Bernadette Wesdorp Senior Advisor Data Privacy and Data Protection bernadette.wesdorp@nl.ey.com Wout Olieslagers Consultant and Attorney IP/IT and Privacy wout.olieslagers@hvglaw.nl GDPR Lessons Learned Slide: 24

25 EY Assurance Tax Transactions Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com EYGM Limited. All Rights Reserved. In line with EY s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content. This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice. ey.com