
EY's Data Privacy Services, January 2019

Introduction

Data privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure and retention of personal information. Changing regulatory requirements, including GDPR, are combining with rising customer expectations to create growing challenges around data privacy. However, companies that take a purely compliance-centric approach to data privacy are missing out on an opportunity to gain a competitive edge. EY's data privacy service offering helps clients blend data privacy with transparency, equipping them to win customers' trust and loyalty in a GDPR world.

Demonstrating data privacy for GDPR and beyond

In May 2018, the EU's new GDPR ushered in unprecedented levels of data protection for EU residents, backed by fines of up to €20 million or 4% of global annual turnover, whichever is higher. Although GDPR brings a welcome harmonization of fragmented data protection laws across EU Member States, its wide-reaching impact and stringent rules require a fundamental organizational shift, even for businesses compliant with existing legislation. When the steep financial penalties for non-compliance and data losses are added to the cost of reputational damage, sanctions, remediation and the potential impact on digital transformation, the risk of inaction is clear.

GDPR impact

GDPR is a transformational effort that touches on all aspects of an organization, reaching across people, processes and technology.

People: Organizations will need to identify the relevant stakeholders across business units, including HR, who can contribute to compliance remediation planning and execution. The GDPR will require organizations to adequately train employees responsible for handling EU data on their obligations for supporting GDPR compliance.

Process: Organizations will need to determine which business and IT processes are impacted by GDPR requirements and redesign those processes to incorporate steps that address key privacy requirements. Organizations must implement process monitoring controls to provide transparency that the processes consistently satisfy GDPR requirements and are updated as necessary.

Technology: Organizations must understand their IT environment, data assets and data processing applications to identify the impacts that GDPR requirements present and to develop a remediation plan to update the IT environment to support GDPR compliance. Organizations should consider the tools available for automating GDPR compliance operations at enterprise scale.

GDPR challenges and how EY can help

Apart from the urgency of working towards compliance, there is also the opportunity to take a strategic approach to GDPR. EY's risk-based, multi-disciplinary approach targets GDPR investment where it matters most for regulatory compliance and competitive advantage. Drawing on our extensive privacy knowledge and proven tools and methodologies, we help to identify clients' highest risks, and design and execute a tailored road map for compliance and beyond.

Organizations that want to demonstrate their compliance with the GDPR first need to ensure that they meet its requirements. In practice, many organizations are finding this a challenging goal and some have a significant distance to go. EY offers a range of services, including a detailed attestation program leading to a future GDPR certification. When it comes to demonstrating clients' compliance with the GDPR, EY's data privacy assurance services give clients independent assurance over their data protection controls. The benefits of data privacy assurance include:
- Indicating compliance to supervisors and other external stakeholders
- Showing that the organization has implemented processes and controls to protect personal data
- Demonstrating that the organization executes procedures to limit the possibility of a data breach

The three services that support achieving these benefits are:
- GDPR Independent Review Services
- Attestation Report based on International Standards on Assurance Engagements (ISAE) 3000
- GDPR Certification

Although these are not mutually exclusive, deciding which service an organization requires depends partly on which category it falls into.

What does your organization need?
- The organization wants to demonstrate GDPR compliance and the report is for internal purposes only (assurance pre- and post-implementation), covering compliance, the DPO function, processes and controls: the organization should request the GDPR Independent Review.
- The report is for external purposes and the organization seeks certification: the EY Attestation and Certification path applies. The EY Attestation Service sets up the attestation procedures and results in an ISAE 3000 attestation report; EY Certification then leads to the GDPR certificate.

Your challenge: Your business has an internal need either to obtain a diagnostic before a GDPR transformation project or to demonstrate the quality of its implemented privacy processes and controls.

How EY can help: EY can provide the business with GDPR Independent Review Services, which comprise assurance services customized and tailored to your business needs. Focused either on specific or on full-scope privacy processes and controls (or on your DPO function), the review aims to demonstrate that the business's processing activities have been audited. The reports are addressed to management and other authorized internal stakeholders, either to prepare an implementation project or to obtain post-implementation assurance. Once GDPR compliance is reached, attestation and certification are typically a straightforward process.

Your challenge: Your business has an external need to demonstrate or disclose the implementation of privacy processes and the operating effectiveness of the controls in these processes.

How EY can help: EY can audit the design and operating effectiveness of the privacy processes and of the controls in these processes to help the business obtain GDPR Attestation and GDPR Certification, both based on the CARPA scheme issued by the CNPD, the Luxembourg national data protection regulator. EY can help throughout your business's GDPR journey to certification with the following services:

EY Attestation Report: The CNPD CARPA mechanism provides a set of criteria to comply with before being certified. This enables the audit activities to be performed against the regulator's criteria on the organization's implemented privacy controls and to conclude on the effectiveness of these controls. The result is an ISAE 3000 report, leading to GDPR Certification.

GDPR Certification: EY will seek to become accredited by the CNPD to act as a GDPR Certification Body. EY will then make a formal communication to the CNPD in the role of an authorized body and propose a formal GDPR certificate to be issued by the CNPD. To reach this state, EY, as a certification body, will review the conformity and the scope of your privacy processes and controls based on the ISAE 3000 GDPR Attestation Report.

Navigating the GDPR challenges

To help our clients, EY has developed DPO One, an integrated platform consisting of tools and services. How can EY's DPO One platform support your entire organization in operationalizing the GDPR?

Our value proposition: why our clients should use DPO One

1. Management in control: DPO One enables the organization to show that the C-suite and the DPO are in control of the GDPR-related activities.
2. Reduced risk and regulatory exposure: DPO One supports the client in identifying and reducing privacy risks within their practice. As such, it enables them to reduce regulatory exposure and helps meet the different GDPR requirements.
3. Avoidance of costs: Having a clear picture of the GDPR compliance activities and knowing where the high risks sit can lead to the avoidance of costs such as fines (e.g., 4% of global annual turnover), audit costs and other expenditures.
4. Constant multidisciplinary support: DPO One enables the client to have the constant support of a global organization such as EY on their activities and challenges related to GDPR. The operating model allows multidisciplinary support from Advisory, Regulatory, FIDS and others.
5. End-to-end: DPO One is one of the most complete GDPR-specific solutions in the market, covering all the requirements of the regulation.
6. Integrated and integrable solution: All the modules (and related services) of the solution are integrated, ensuring consistency. The solution itself is integrable with the client's environment.
7. Scalable and up-to-date: DPO One is scalable, both from a platform and a service point of view. The client can start small and acquire new modules and services only when required. Updates are provided both from a platform and a content perspective (e.g., regulatory updates).
8. Recognized industry practice: DPO One leverages the recognized industry practices developed by EY at a global level, allowing clients to increase their maturity posture in an efficient manner.

DPO One is based on four building blocks:
1. Dashboarding: DPO One comes with a dashboard, providing your organization with a single overview of the GDPR compliance activities based on the selected modules.
2. Modules: DPO One consists of several technical modules to operationalize the various aspects of GDPR.
3. Intelligence: DPO One facilitates the identification and maintenance of the regulatory requirements to keep the selected modules up to date.
4. DPO One Support: The DPO One offering is not just a platform and tooling, but also involves our multidisciplinary DPO support team, adding human intelligence to the platform.

Benefits of the DPO One solution
- Ready to go: the platform is ready for deployment
- Industry practice: services are based on EY's recognized industry practices and experience
- Platform: the platform supports workflow, dashboarding and communication functionalities
- Pick and choose: pick and choose modules based on your requirements
- Cloud-based: DPO One is cloud-based and will be hosted in the Microsoft Azure environment

The various GDPR requirements are embedded within the DPO One modules, which sit alongside the Dashboarding, Intelligence and DPO One Support building blocks.

Standard modules: DPO One essentials; DPO One support; ROPA; control framework & testing; data subject request; supervisory authority support; privacy by design; international data transfers; PIA; vendor & processing management; data breach; e-learning & awareness; data security; benchmarking; risk register; dashboard; reporting.

Advanced modules: advanced dashboards; advanced reports; data retention; consent & information provisioning; advanced vendor & processing management; data subject request (front end); advanced e-learning platform; advanced privacy by design; advanced data security; advanced international data transfers; data discovery; cookies.

Incident reporting

Mandatory breach notification: One of the key changes the GDPR introduces is that organizations must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to individuals, those individuals must be informed as well, without undue delay.

During the 72 hours after a data breach has been discovered, an organization must:
- Carry out a thorough investigation
- Identify what personal data has been impacted and how
- Inform the regulator of the breach (and, where the risk to individuals is high, the impacted individuals)
- Draft a comprehensive containment plan

If a notification is not made within the 72-hour window, the GDPR requires the controller to provide reasons for the delay, potentially adding further disruption to regular business operations and exacerbating the administrative burden. And all of this within 72 hours.

GDPR specifies what type of information the notification must include. Article 33(3) lists the nature of the breach (including, where possible, the categories and approximate numbers of data subjects and personal data records concerned), the contact details of the DPO or another contact point, the likely consequences of the breach, and the measures taken or proposed to address it and mitigate its effects. At a minimum, the data protection authority will expect to see, on the nature of the breach:
1. Who accessed what and when
2. Who these users are
3. How that data is being used
4. Which individuals are impacted

EY offers a unique service covering Incident and Breach Management, helping the organization meet the GDPR requirements while supporting the client in simultaneously addressing the issues associated with the breach and maintaining ongoing operations. EY's Data Incident Response Plan will not only support the client through the crucial 72-hour operational effectiveness process, but also help to identify and distinguish whether the company was the victim of a cyber-attack or solely of a data incident. EY will provide the necessary support to the organization in both cases accordingly. The plan and the supporting services cover:
- Record of the work that has been done to prevent a breach
- Estimated impact of the breach
- Forensics details
- Communication support
- Legal support
- Notification of the authorities within 72 hours and of affected individuals without undue delay
- Mitigation or remediation plan

Practice making decisions in a simulated crisis

While some types of crises are predictable in the generic sense, each one has its own distinct characteristics. Moreover, inevitably, the crisis that hits hardest is the one a firm doesn't expect. Building top executives' experience in making decisions in a crisis is vital. Firms often conduct tactical simulations or tabletop exercises lower down the organization, on liquidity or cyber, but it is important that these simulations are also undertaken at the most senior levels of the firm, so leaders know how they should operate in a crisis. Such simulations often help firms determine how they would react to specific crises, e.g., how they would respond to a data breach or a prolonged outage involving a key vendor.

Where we are currently helping our clients

Data Protection Officer (DPO)
- Support of existing DPOs and help with choosing and training future DPOs
- Guidance on matters related to data protection and processing operations

Assurance & Attestation (SOCR, Independent Reviews)
- Provide formal GDPR attestation reporting and other independent reviews to support clients on their path to full GDPR compliance. We intend to become a certification body in due course under the CNPD's CARPA certification mechanism.

Breach Management Support
- Support the maturity of the client's crisis management, incident management and cyber breach response through: gap assessment on breach readiness; design and implementation; assessment of severity and breach impact; validation of the breach process

Privacy Programme Support
- Privacy programme and subject matter support: privacy strategy; establishing a compliance programme; running the privacy programme; crisis management; vendor due diligence; PIAs, data discovery, SARs, RoPA, training

Regulatory Action Support
- Provide support in meeting requests from Supervisory Authorities (SAs)
- Assist with preparatory work prior to visits from SAs

GDPR Maturity Assessment / Benchmark
- Benchmark the GDPR maturity of the organization as it continues to establish its response to the legislation.

Internal Audit
- Support clients on internal audit reviews and help streamline privacy audits with analytics and RPA.

Vendor Due Diligence, GDPR Supply Chain Assurance
- Assess a controller's compliance with its contract and/or with the GDPR, or benchmark the ongoing maturity of the controller.

GDPR Compliance Audit / Assessment
- Detailed assessment or audit of the organization's compliance with the GDPR, to identify and assess the controls (including privacy by design, PbD) that have been established to mitigate the risk of a data loss.

BCR Review & Readiness
- Review of the organization's existing BCR/SCC framework
- Readiness assessment of the controls required to develop the BCR/SCC
- Assistance with the authorization procedure for the BCR

DPO One
- A platform supporting GDPR management processes, including intelligence, workflow, a risk dashboard, and SME and managed services

Contact us

To find out more about our privacy-related services and how EY can help you use GDPR as a catalyst for change beyond compliance, please contact:

Michael Hofmann, Partner, Advisory Services, GDPR Leader, Cyber Security, +352 42 124 8895, michael.hofmann@lu.ey.com
Olivier Maréchal, Partner, Financial Services Advisory Leader, +352 42 124 8948, olivier.marechal@lu.ey.com
Patrice Fritsch, Principal, Managed Services, +352 42 124 8950, patrice.fritsch@lu.ey.com
Alexandre Minarelli, Director, IT Risk & Assurance Leader, Commercial and Public Sector, +352 42 124 8669, alexandre.minarelli@lu.ey.com
Alejandro Del Río, Manager, +352 42 124 8301, alejandro.del-rio@lu.ey.com

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2019 Ernst & Young Business Advisory Services S.à r.l. All Rights Reserved.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com/luxembourg