Demonstrating data privacy for GDPR and beyond

Similar documents
Introduction. When it comes to GDPR compliance, is OK for now enough? Minds made for protecting financial services

EY s data privacy service offering

Developing your GDPR response for competitive advantage. EU General Data Protection Regulation (GDPR)

What s new in EY Atlas. November 2018

EY s Data Privacy Services. January 2019

Tax News Update: Global Edition (GTNU) User Guide

Protecting your data. EY s approach to data privacy and information security

ISACA Cincinnati Chapter March Meeting

Big data privacy in Australia

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

EY Norwegian Cloud Maturity Survey Current and planned adoption of cloud services

EY s data privacy service offering. How to transform your data privacy capabilities for an EU General Data Protection Regulation (GDPR) world

Step 1: Open browser to navigate to the data science challenge home page

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

EY Consulting. Is your strategy planning for the future or creating it? #TransformativeAge

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

Coworking 2.0. Stavební Fórum October

EY Training. Project Management Professional PMP. Exam preparatory course. 30 September 4 October 2018

GDPR. Lessons Learned

Project Management Professional PMP. Exam preparatory course

Safeguarding unclassified controlled technical information (UCTI)

EY Norwegian Cloud Maturity Survey 2018

GDPR: A QUICK OVERVIEW

Global Information Security Survey. A life sciences perspective

Digital trends in real estate, hospitality and construction. Building blocks for future growth. Brochure title RR. Brochure subtitle RR

Danish Cloud Maturity Survey 2018

SOC for cybersecurity

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES

EY GlobalOne Individual Portal

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Does someone else own your company s reputation? EY Global Information Security Survey 2018

Cybersecurity: balancing risks and controls for finance professionals

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

IT Attestation in the Cloud Era

Retirement of SAS 70 and a new generation of Service Organization Control (SOC) Reports

ISO 27001:2013 certification

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Quality Management Systems (ISO 9001:2015 and ISO 29001) Lead Auditor training (EY/IMSA Q03)

Google Cloud & the General Data Protection Regulation (GDPR)

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

The GDPR Are you ready?

EY and GE Digital Industrial Internet Alliance

If you were under cyber attack would you ever know?

Achieving third-party reporting proficiency with SOC 2+

Digital innovation? Cyber secure? Digital security: a Financial Services perspective

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

Embedded SIM Study. September 2015 update

GDPR Impacts. SEV GDPR Workshop Athens Giles Watkins, UK Country Leader. Wednesday 7th February,

Workday s Robust Privacy Program

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

BHConsulting. Your trusted cybersecurity partner

A Checklist for Cybersecurity and Data Privacy Diligence in TMT Transactions

Customer Breach Support A Deloitte managed service. Notifying, supporting and protecting your customers through a data breach

SOC 3 for Security and Availability

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

Within our recommendations for editorial changes, additions are noted in bold underline and deletions in strike-through.

THE GDPR PCLOUD'S ROAD TO FULL COMPLIANCE

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

GDPR and the Privacy Shield

2017 PORT SECURITY SEMINAR & EXPO. ISACA/CISM Information Security Management Training for Security Directors/Managers

The New Healthcare Economy is rising up

Adopting SSAE 18 for SOC 1 reports

Transitioning from SAS 70 to SSAE 16

Introductory guide to data sharing. lewissilkin.com

Adtech and GDPR What to consider when choosing your partner

What is GDPR? Editorial: The Guardian: August 7th, EU Charter of Fundamental Rights, 2000

CSF to Support SOC 2 Repor(ng

Accelerate GDPR compliance with the Microsoft Cloud

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Achieving effective risk management and continuous compliance with Deloitte and SAP

GDPR Privacy Webinar. Prioritizing Your Path towards GDPR Compliance Annika Sponselee and Nicole Vreeman 28 February 2018

Data Processing Agreement

EY Cyber Response Services. Plan. React. Recover.

Magento GDPR Frequently Asked Questions

Swedish bank overcomes regulatory hurdles and embraces the cloud to foster innovation

ma recycle GDPR Privacy Policy .com Rely and Comply... Policy Date: 24 May 2018

General Data Protection Regulation (GDPR)

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

Making trust evident Reporting on controls at Service Organizations

Prohire Software Systems Limited ("Prohire")

GENERAL DATA PROTECTION REGULATION (GDPR) CLIENT INFORMATION GENERAL DATA PROTECTION REGULATION CLIENT INFORMATION

GDPR Compliance. Clauses

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

Design by Privacy: A holistic approach to privacy by design

Turning Risk into Advantage

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

Data Sheet The PCI DSS

POMONA EUROPE ADVISORS LIMITED

Data Loss Prevention:

IT MANAGEMENT AND THE GDPR: THE VMWARE PERSPECTIVE

Disaster recovery strategic planning: How achievable will it be?

When is privacy not something to keep quiet about? Insights on governance, risk and compliance

Lead Forensics Software Data Compliance Policy

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

The SOC 2 Compliance Handbook:

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

ADVANCED AUDIT AND ASSURANCE

Transcription:

Demonstrating data privacy for GDPR and beyond EY data privacy assurance services Introduction The General Data Protection Regulation (GDPR) is ushering in a new era of data privacy in Europe. Organizations that want to demonstrate robust data privacy to their stakeholders need the assurance of an independent, professional opinion. EY s data privacy assurance services offer a range of approaches that can be tailored to the needs of every client.

GDPR and the privacy agenda Organizations around the world face a revolution in data privacy. Regulators in many markets are enforcing existing privacy regulations more actively than in the past, and jurisdictions, including the US, are introducing strong new data privacy laws. Above all, Europe s GDPR enters force in May 2018. First proposed in 2012, the GDPR will apply uniformly across the EU and affect any organization operating in the EU. Its reach extends to support organizations, not just those collecting personal data. The effects of the GDPR will be far-reaching. Other EY research explores this in detail and can be found at ey.com/fsgdpr. But, for commercial organizations, the most important points are: GDPR imposes significant responsibilities in areas, such as documentation, reporting, governance and product design. It applies to organizations designated both as data controllers (those that determine how and why personal data is used) and data processors (those that collect, organize, store, use or disclose data on behalf of controllers), regardless of contractual relationships. It allows for fines of up to 20m or 4% of global revenues, whichever is the highest. Furthermore, the GDPR is only one driver of the privacy agenda. Consumer awareness of data privacy risks are growing rapidly across Europe. As customer expectations rise, organizations are realizing that demonstrating effective data privacy is critical to building customer trust. This combination of drivers means that many companies now view data privacy as a strategic goal, not just a compliance target. The ability to demonstrate robust data privacy could soon become a source of competitive advantage in many markets. 2 Demonstrating data privacy for GDPR and beyond EY data privacy assurance services

GDPR challenges and how EY can help Organizations that want to demonstrate their compliance with the GDPR first need to ensure that they meet its requirements. In practice, many organizations are finding this a challenging goal and some have a significant distance to go. EY offers a range of services, including a detailed privacy transformation program, 1 to help organizations comply with the GDPR. When it comes to demonstrating clients compliance with the GDPR, EY s data privacy assurance services give clients independent assistance about their data protection controls. The benefits of data privacy assurance include: Indicating compliance to supervisors and other external stakeholders Showing that organizations have implemented processes to protect personal data Demonstrating that organizations execute procedures to limit the possibility of a data breach The three services that support achieving these benefits are GDPR Certification, International Standards on Assurance Engagements (ISAE) 3000 and Service Organization Control (SOC 2) reporting. Although these are not mutually exclusive, deciding which service an organization requires depends partly on which GDPR category it falls into (see graphic). 1 http://www.ey.com/publication/vwluassets/ey-gdpr-what-you-need-to-know/$file/ey-gdpr-what-you-need-to-know.pdf Demonstrating data privacy for GDPR and beyond EY data privacy assurance services 3

What does your organization need? Organization wants to demonstrate GDPR compliance Organization should request this type of opinion: No details in a report are required Compliance opinion only (valid for three years) GDPR Certification Report needs to include assurance Limited time and/or experience with SOC 2 Opinion over privacy controls ISAE 3000 Transparency (based upon defined criteria) Opinion over privacy processes and controls SOC 2 4 Demonstrating data privacy for GDPR and beyond EY data privacy assurance services

Client challenge: The business has an internal or external need to demonstrate the quality of its implemented privacy processes without detailing its complexity. How EY can help: EY can provide the business with GDPR Certification, which is a onepage statement stating the conformity to the requirements in the GDPR. It demonstrates that the business s privacy processes have been audited, but it does not include detailed disclosure. Certificates are valid for a period of time and can be displayed to the public. Once GDPR compliance has been achieved, certification is typically a relatively quick and straightforward process. Client challenge: The business has an external need to demonstrate or disclose the implementation of privacy processes and the operating effectiveness of the controls in these processes. How EY can help: EY can audit the design and operating effectiveness of the privacy processes. There are several auditing standards which can be used to provide assistance in the privacy processes. ISAE 3000 Report (Third-Party Memorandum): EY can provide a proprietary control framework to be accustomed to the organization s own processes. This enables the audit activities to be performed on agreed criteria on the organization s implemented privacy controls and to conclude on these controls effectiveness. SOC 2 Report: A SOC 2 contains a full description of your internal processes and the business s data privacy controls. It is a rulesbased set of criteria, which at minimum have to agree back to commonly accepted set defined by the accounting board. With its implementation an EY SOC 2 opinion can be still be tailored to the organization s requirements, demonstrating to stakeholders that the business meets the highest standards of data privacy. It provides valuable information to users, supporting them to make their own assessments of data privacy risks. Demonstrating data privacy for GDPR and beyond EY data privacy assurance services 5

Conclusion Companies that want to demonstrate their compliance with GDPR or a strategic commitment to data privacy should give urgent consideration to data privacy assurance. The GDPR enters force in May 2018, so assurance or certification processes need to begin as soon as possible. Organizations that are not yet fully compliant need not wait before planning their privacy assurance needs. EY has extensive experience in the technical aspects of data privacy, and our professionals have deep knowledge of ISAE and SOC standards. We look forward to working with you. Talk to us EY uses a risk-based, multidisciplinary approach supported by robust tools and methodologies to help you manage risks around privacy, achieve timely and consistent GDPR compliance, and leverage the GDPR for wider strategic benefit. To discuss how EY can help you use the GDPR as a catalyst for change, including those described in this brochure, please contact: Tony De Bos EY EMEIA Financial Services Data Protection and Privacy Leader T: + 31 88 407 2079 M: + 31 62 908 4182 E: tony.de.bos@nl.ey.com Dennis Houtekamer EMEIA Service Organization Control Reporting Leader T: + 31 88 407 8766 M: + 31 62 125 2728 E: dennis.houtekamer@nl.ey.com 6 Demonstrating data privacy for GDPR and beyond EY data privacy assurance services

EY Assurance Tax Transactions Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com. 2018 EYGM Limited. All Rights Reserved. EYG No. 03145-184GBL EY-000058767.indd (UK) 05/18. Artwork by Creative Services Group London. ED None In line with EY s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content. This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice. ey.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback