Safeguards on Personal Data Privacy.


Safeguards on Personal Data Privacy. Peter Koo, Partner, Enterprise Risk Services, Deloitte Touche Tohmatsu; Maverick Tam, Associate Director, Enterprise Risk Services, Deloitte Touche Tohmatsu.

Deloitte ERS practice in China and Asia-Pacific

Deloitte Global: approximately 169,000 people in over 140 countries.

Our China Practice: more than 8,000 people in 14 offices, including Beijing, Chongqing, Dalian, Guangzhou, Hangzhou, Hong Kong, Macau, Nanjing, Shanghai, Shenzhen, Suzhou, Tianjin, Wuhan and Xiamen; serving one-third of all companies listed on the Stock Exchange of Hong Kong.

Deloitte Asia Pacific: a team of over 12,000 people located in 31 offices, including Brunei, Guam, Indonesia, Malaysia, Philippines, Singapore, Thailand and Vietnam.

Figures shown on the slide map: Beijing 200+, Shanghai 240+, Shenzhen 60+, Taipei 180+, Hong Kong 100+.

Achieving Corporate Governance

IT Governance Framework

Implementing the Data Loss Protection Framework: combined top-down, bottom-up and side-ways.
- Set Policy (People)
- Deploy Controls (Process)
- Enforce and Monitor Controls (Technology)
[Diagram: control layers (DLP, Encryption, IAM, Data Redaction, Archive, DR) placed over the enterprise data flows: Branch Offices and Remote Employees over WAN/VPN; Customers and Partners via the WWW Customer Portal; Outsourced Development; Production Data, Staging, File Server, Enterprise e-mail, Business Analytics, Data warehouse, Disk storage, Back up disk and Back up tape.]

Privacy and Data Protection Laws and Regulations
- Canada: Federal/Provincial PIPEDA, FOIPPA, PIPA
- UK: Data Privacy Act
- European Union: EU Data Protection Directive and Member States' Data Protection Laws
- South Korea: Act on Promotion of Information and Communications Network Utilization and Data Protection
- Japan: Personal Information Protection Act
- U.S. Federal: GLBA, HIPAA, COPPA, Do Not Call, Safe Harbor
- U.S. States: numerous State Laws on Breach Notification, 40 states from CA to NY
- Hong Kong: Personal Data (Privacy) Ordinance
- Taiwan: Computer-Processed Personal Data Protection Law
- Chile: Law for the Protection of Private Life
- Philippines: Data Privacy Law proposed by ITECC
- Argentina: Personal Data Protection Law, Confidentiality of Information Law
- South Africa: Electronic Communications and Transactions Act
- India: law pending, currently under discussion
- Australia: Federal Privacy Amendment Bill; State Privacy Bills in Victoria, New South Wales and Queensland; new e-mail spam and privacy regulations
- New Zealand: Privacy Act

Personal Data (Privacy) Ordinance (PDPO) Data Protection Principles
- Principle 1: Purpose and manner of collection. Provides for the lawful and fair collection of personal data and sets out the information a data user must give to a data subject when collecting personal data from that subject.
- Principle 2: Accuracy and duration of retention. Provides that personal data should be accurate, up-to-date and kept no longer than necessary.
- Principle 3: Use of personal data. Provides that, unless the data subject gives consent otherwise, personal data should be used only for the purposes for which they were collected or a directly related purpose.
- Principle 4: Security of personal data. Requires appropriate security measures to be applied to personal data (including data in a form in which access to or processing of the data is not practicable).
- Principle 5: Information to be generally available. Provides for openness by data users about the kinds of personal data they hold and the main purposes for which personal data are used.
- Principle 6: Access to personal data. Provides for data subjects to have rights of access to and correction of their personal data.

Some Relevant Guidelines and Codes of Practice
- Code of Practice on the Identity Card Number and Other Personal Identifiers
- Code of Practice on Human Resources Management
- Code of Practice on Consumer Credit Data
- Code of Practice on Protection of Customer Information for Fixed and Mobile Service Operators
- Privacy Guidelines: Monitoring and Personal Data Privacy at Work
- Guidance on the Collection and Use of Personal Data in Direct Marketing
- Guidance on Data Breach Handling and the Giving of Breach Notifications
- More

Importance of Compliance. Public concerns and consequences of Personal Data Privacy Incidents:
1. Legal Compliance. Contravening an Enforcement Notice:
- Imprisonment for 2 years
- Level 5 Penalty: HK$50,000
- Daily penalty of $1,000 for a continuing offence
- Compensation to individuals
- Potential to erase ALL Personal Data
2. Reputation
- Negative media exposure
- Investigation by the Privacy Commissioner, Legislative Council, etc.
3. Customer Confidence

Other Industry Specific Requirements
Payment Card Industry Data Security Standard (PCI DSS): helps payment card industry organisations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The PCI DSS requirements include:
- Maintaining a secure network
- Securing the stored cardholder information
- Implementing strong access control to the stored data
Circular on Customer Data Protection issued by the HKMA:
- Designated officer and incident handling process
- Data security policies and awareness
- Portable storage devices
- End-user computing
- Mobile computing
- Physical security controls over customer data
- Outside service providers

Data Leakage Happens In business, well-intentioned employees simply getting their jobs done may inadvertently put information at risk, sometimes resulting in data leakage.

AICPA / CICA Generally Accepted Privacy Principles
- Developed from a business perspective, referencing significant domestic and international privacy regulations
- Summarize complex privacy requirements into a single privacy objective that is supported by 10 privacy principles
- Each principle is supported by objective, measurable criteria that must be met
- Illustrative policy requirements, communications, and controls, including monitoring controls, are provided as support for the criteria

Role Based Access Control. A role-based access control (RBAC) model grants access to roles that create or consume information in the course of a business activity, rather than to individual users. Each role is assigned permissions at the business activity level, which defines its relationship with an information class and the related information assets. RBAC may be implemented either through the functional capabilities of a business system or through the application of metadata and business description rules.
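As an added illustration (not code from the presentation), the following model follows the structure just described: permissions are attached to business activities, activities are bundled into roles, and an asset receives its information class from a metadata rule. All roles, activities, classes and paths are constructed sample values.

```python
from typing import Optional, Set, Tuple

# Constructed sample model. Permissions live at the business-activity level:
# each activity names the information class it touches and the actions it needs.
ACTIVITIES = {
    "process_customer_order": {("customer_pii", "read"), ("order_data", "write")},
    "run_payroll":            {("hr_records", "read"), ("hr_records", "write")},
    "direct_marketing":       {("customer_pii", "read")},
    "security_review":        {("audit_logs", "read")},
}

# Roles bundle the activities a job function performs; users are given roles,
# never direct permissions on assets.
ROLES = {
    "sales_clerk":      {"process_customer_order"},
    "hr_officer":       {"run_payroll"},
    "marketing_exec":   {"direct_marketing"},
    "security_auditor": {"security_review"},
}

USER_ROLES = {"alice": {"sales_clerk", "marketing_exec"}, "bob": {"hr_officer"}}

# Metadata rule: a storage path prefix classifies the asset it holds.
CLASSIFICATION_RULES = [
    ("/data/crm/", "customer_pii"),
    ("/data/hr/", "hr_records"),
    ("/data/orders/", "order_data"),
    ("/var/log/", "audit_logs"),
]


def classify(asset_path: str) -> Optional[str]:
    """Map an asset to its information class; unclassified assets get None."""
    for prefix, info_class in CLASSIFICATION_RULES:
        if asset_path.startswith(prefix):
            return info_class
    return None


def activities_for(user: str) -> Set[str]:
    """Union of the business activities granted through the user's roles."""
    return set().union(*(ROLES.get(r, set()) for r in USER_ROLES.get(user, set())))


def is_allowed(user: str, activity: str, action: str, asset_path: str) -> bool:
    """Allow only if the user holds the activity via a role, the asset has a
    known information class, and that activity grants the action on it."""
    info_class = classify(asset_path)
    if info_class is None:
        return False  # unclassified data is never reachable through a role
    return activity in activities_for(user) and \
        (info_class, action) in ACTIVITIES.get(activity, set())
```

Requiring the caller to name the activity ties every access to a business purpose, which is what makes the model auditable against the purposes for which the data was collected.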

Centralized Identity & Access Management. [Diagram: HR System -> Centralized User Management within the Identity & Access Management System (Identity Repository, Self Service, Batch Process) -> target systems: Network Storage, Email, ERP, Inventory System, Windows Domain.]

Key Preparation Tasks
- Identify key data privacy regulatory requirements
- Inventory the personal data held by your organization
- Build up privacy awareness within your organization
- Develop a privacy and data protection roadmap

Thank You!

Our Contacts. Deloitte Touche Tohmatsu, 35/F One Pacific Place, 88 Queensway, Hong Kong. Tel: 2852-1600. Fax: 2541-7392.
Peter Koo, Partner, Enterprise Risk Services. Tel: 2852-6507. E-mail: petkoo@deloitte.com.hk
Maverick Tam, Associate Director, Enterprise Risk Services. Tel: 2852-5810. E-mail: mtam@deloitte.com.hk
Should you require further information, please feel free to contact us or go to our web site at www.deloitte.com