THE INTRINSIC VALUE OF ENSURING DATA PRIVACY

Similar documents
CYBER INSURANCE: MANAGING THE RISK

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

GDPR: A QUICK OVERVIEW

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Customer Breach Support A Deloitte managed service. Notifying, supporting and protecting your customers through a data breach

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

EY s data privacy service offering. How to transform your data privacy capabilities for an EU General Data Protection Regulation (GDPR) world

BHConsulting. Your trusted cybersecurity partner

Cyber Security Incident Response Fighting Fire with Fire

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Are we breached? Deloitte's Cyber Threat Hunting

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

M&A Cyber Security Due Diligence

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Securing Your Digital Transformation

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

CYBER RESILIENCE & INCIDENT RESPONSE

Emerging Technologies The risks they pose to your organisations

EU General Data Protection Regulation (GDPR) Achieving compliance

EY s data privacy service offering

Cyber Threat Landscape April 2013

SOC for cybersecurity

Effective Cyber Incident Response in Insurance Companies

Awareness and training programs OPTUS MACQUARIE UNIVERSITY CYBER SECURITY HUB

Google Cloud & the General Data Protection Regulation (GDPR)

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

THE CYBER SECURITY PLAYBOOKECTOR SHOULD KNOW BEFPRE, DURING & AFTER WHAT EVERY DIRECTOR SHOULD KNOW BEFORE, DURING AND AFTER AN ATTACK

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

GDPR is coming in less than 2 months Are you ready?

EY s Data Privacy Services. January 2019

Sage Data Security Services Directory

Big data privacy in Australia

General Data Protection Regulation. May 25, 2018 DON T PANIC! PLAN!

PROTECT YOUR DATA AND PREPARE FOR THE EUROPEAN GENERAL DATA PROTECTION REGULATION

The Role of the Data Protection Officer

Data Management and Security in the GDPR Era

CLEARING THE PATH: PREVENTING THE BLOCKS TO CYBERSECURITY IN BUSINESS

Cyber Security is it a boardroom issue?

Cyber Espionage A proactive approach to cyber security

Security and Privacy Governance Program Guidelines

The GDPR Are you ready?

Run the business. Not the risks.

BHConsulting. Your trusted cybersecurity partner

A new approach to Cyber Security

Cyber Risks in the Boardroom Conference

Cybersecurity, safety and resilience - Airline perspective

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

Cybersecurity Considerations for GDPR

Regulating Cyber: the UK s plans for the NIS Directive

FOR FINANCIAL SERVICES ORGANIZATIONS

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES

Protecting your data. EY s approach to data privacy and information security

Avanade s Approach to Client Data Protection

EXECUTIVE SUMMARY JUNE 2016 Multifamily and Cybersecurity: The Threat Landscape and Best Practices

Developing your GDPR response for competitive advantage. EU General Data Protection Regulation (GDPR)

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Why you should adopt the NIST Cybersecurity Framework

Cybersecurity. Securely enabling transformation and change

INTELLIGENCE DRIVEN GRC FOR SECURITY

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

GDPR: The Day After. Pierre-Luc REFALO

Information Security Strategy

General Data Protection Regulation (GDPR) The impact of doing business in Asia

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

Moving from Prevention to Detection March 2017

Cybersecurity: balancing risks and controls for finance professionals

The value of visibility. Cybersecurity risk management examination

Q&A for Citco Fund Services clients The General Data Protection Regulation ( GDPR )

European Union Agency for Network and Information Security

Governing cyber security risk: It s time to take it seriously Seven principles for Boards and Investors

Canada Life Cyber Security Statement 2018

Real estate predictions 2017 What changes lie ahead?

Risk Advisory Academy Training Brochure

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

How to be cyber secure A practical guide for Australia s mid-size business

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

THE POWER OF TECH-SAVVY BOARDS:

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

SECURITY SERVICES SECURITY

Cyber Incident Response. Prepare for the inevitable. Respond to evolving threats. Recover rapidly. Cyber Incident Response

2018 GLOBAL CHANNEL PARTNER SURVEY THYCOTIC CHANNEL PARTNER SURVEY REPORT

SECURING THE UK S DIGITAL PROSPERITY. Enabling the joint delivery of the National Cyber Security Strategy's objectives

Gain Control Over Your Cloud Use with Cisco Cloud Consumption Professional Services

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

Clarity on Cyber Security. Media conference 29 May 2018

NEWSFLASH GDPR N 8 - New Data Protection Obligations

Incident Response Services

13.f Toronto Catholic District School Board's IT Strategic Review - Draft Executive Summary (Refer 8b)

2017 RIMS CYBER SURVEY

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Cyber risk Getting the boardroom focus right

Data Protection and GDPR

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank

CYBER SOLUTIONS & THREAT INTELLIGENCE

Transcription:

THE INTRINSIC VALUE OF ENSURING DATA PRIVACY ROBERT VAN VIANEN PARTNER, CYBERSECURITY & PRIVACY ADVISORY BDO NETHERLANDS KAREN SCHULER PARTNER DATA & INFORMATION GOVERNANCE LEADER BDO USA

ii THE INTRINSIC VALUE OF ENSURING DATA PRIVACY According to the 500 global business leaders surveyed in the BDO Global Risk Landscape report 2017, disruptive technologies, reputational risk and cybersecurity are the challenges most likely to test businesses over the next ten years. Additionally, BDO USA s 2017 Cyber Governance Survey found that 79% of public company boards are more involved with cybersecurity today than they were 12 months ago, with 78% having increased company investments within the past year to better defend against cyberattacks. In this paper BDO seeks to demonstrate how building a mature information security and data privacy programme can enhance the professionalism of a company s employees and reinforce an organisation s public reputation. It provides insight on the intrinsic value and sometimes more difficult to quantify hidden benefits that organisations can achieve through meeting and exceeding their data protection obligations.

THE INTRINSIC VALUE OF ENSURING DATA PRIVACY 01 THE IMPORTANCE OF DATA PRIVACY IN PROTECTING AGAINST CYBERCRIME The GDPR comes into effect on 25/5/18. Compliance with the new regulations will require good data hygiene in the form of purposeful collection, protection of sensitive information and adherence to retention programmes that remove expired information. In assuring each of these, companies can expect to achieve more than mere compliance and penalty avoidance, but also to lower the cost of infrastructure and operations and to help employees and managers gain quick access to good information to support business decisions. In recent years there has been a huge shift in the importance placed on data privacy. Cybersecurity is no longer just an IT issue. It has captured the attention of boards and senior executives. According to BDO USA s 2017 Cyber Governance Survey, this is the fourth consecutive year that board members have reported increases in both the time and expenditure devoted to cybersecurity, of which information governance and data privacy is a direct component. 78% of company directors say they have increased company investments during the past year to defend against cyberattacks, with an average budget expansion of 19%. PUBLIC COMPANY BOARDS MAINTAIN POSITIVE TRENDS ON CYBERSECURITY Reference: 2017 BDO Cyber Governance Survey As a business owner or company executive, are you considering: XXThe benefits and intrinsic value of investing in data security and data privacy, beyond merely ensuring legal compliance? XXHow tackling data security and data privacy can benefit your organisation? XXHow you can lead and contribute in the right way to realising these benefits? BDO CAN HELP 2014 2015 2016 2017 Increased Board Involvement 59% 69% 74% 79% Increased Cybersecurity Investments 55% 70% 80% 78% Incident Response Plan in Place NA 45% 63% 61% Cyber Breach in Past Two Years NA 22% 22% 18%

02 THE INTRINSIC VALUE OF ENSURING DATA PRIVACY IMPLICATIONS OF GDPR FOR BUSINESSES IN 2018 Art. 32 security requirements of the GDPR requires companies and organisations to become more structured and formal in how they protect personal information, including requirements for purposeful collection, transparency, data minimisation and support for data subject rights. Key requirements of the GDPR include: XXMandatory data inventory and record-keeping of all processing of European personal data XXMandatory data-breach notification to regulators and individuals whose information is compromised XXThe right to be forgotten, which allows individuals to request that their personal data be erased XXRoutine privacy impact assessments (PIAs) XXMandatory data protection officers (DPOs) The Talk Talk cyber breach (UK, October 2015), affected nearly 160,000 customers and resulted in a record fine of 400,000. Under GDPR, if that attack occurred again, the potential penalty could be as high as 17 million. In order for employees to properly handle information on a day to day basis, the GDPR warrants a full awareness and training programme involving the privacy aspects of information. Is is best practice to combine data privacy and cyber security awareness and training programmes and employees will be required to attend such training programmes and to be able to access the management oversight, tools and audits for effectiveness in order to verify that programmes are working as designed. The GDPR contains fixed conditions for companies to pass on the requirements for data privacy in formal legal agreements. It is worth noting that organisations are increasingly being held accountable by their corporate clients who are implementing third-party risk management programmes.

THE INTRINSIC VALUE OF ENSURING DATA PRIVACY 03 THE HIDDEN VALUE HOW TO LEVERAGE GDPR TO YOUR ADVANTAGE For many managers, the GDPR is just one of many new laws that have to be implemented within their organisation. The GDPR, however, should be seen as the starting point of a process in which you create a stronger foundation for your organisation s strategy. A solid information governance programme can bring real benefit in both new opportunities for revenue, as well as in cost reduction for data storage and reduced inefficiencies when employees are unable to locate or use outdated information, to inform decisions. Working on data security in a systematic, professional manner means assessing risk and focusing efforts and investments on the areas where they are needed. Organisations that do this are able to streamline performance, reduce costs and reap hidden benefits in the following areas: XXRisk Management & Corporate Accountability XXData control operations XXClient, Supplier and Employee relations The added benefits of possessing a mature data privacy programme are scarcely considered and organisations are simply concentrating on compliance and avoiding fines. This creates a tick-box culture that does not inspire going beyond minimal requirements with respect to cybersecurity and data privacy. ROBERT VAN VIANEN, PARTNER, CYBERSECURITY & PRIVACY ADVISORY, BDO NETHERLANDS At BDO, we deliver a range of information governance, data privacy and cybersecurity services. When it comes to GDPR, we use a three-phased approach. First, we evaluate the impact that GDPR will have on your organisation. We then assist you to implement the changes required to achieve compliance. Once compliant, we review your program on an annual basis in order to ensure continued compliance. CHANGE MANAGEMENT Provide skilled change management professionals to ensure the project is run in a structured manner, reporting regularly to company management, driving the project forward at a pace that fits company culture culture and meets the required deadlines. EDUCATION & TRAINING Provide company employees with an in-depth understanding of the key requirements of the new legislation and the impact on the organisation. Deliver workshops to collaboratively define an approach to ensure cultural change. ACHIEVE GOVERNANCE FRAMEWORK DEFINITION Put in place a relevant structure for GDPR to be implemented in a controlled and governed environment. This includes implementing an Information Governance Framework within the organisation. POLICIES & PROCEDURES Review clients' existing policies & procedures to identify any gaps against the upcoming legislation. If required, a set of policies & procedures can be created for clients based on best practices. Reference: BDO GDPR Services

04 THE INTRINSIC VALUE OF ENSURING DATA PRIVACY RISK MANAGEMENT & CORPORATE ACCOUNTABILITY STAY INFORMED, DEMONSTRATE ACCOUNTABILITY AND IMPROVE YOUR REPUTATION Executives typically agree that data privacy and security are important, yet few of them have in-depth knowledge in this area to reassure clients, consumers and investors that their organisation has sufficient protective measures in place. According to BDO USA s 2017 Cyber Governance Survey, 23% of corporate directors do not know whether their organisation has a cyberbreach/incident response plan in place. A formal programme with a third-party assessment and results reported to the board can help key stakeholders remain informed, reduce risk and support strategic and investment decisions. A well-informed executive board that has been regularly engaged in the organisation s cybersecurity dealings also significantly strengthens its defensive position in the event of a breach or complaint. The accountability principle under the GDPR requires organisations to create and maintain a record of processing activities so they are able to demonstrate compliance, as well as the factors used in the balancing decisions on risk. Those who are able to demonstrate accountability and have met their legal obligations strengthen their position and reputation with supervisory authorities, clients, consumers and investors. In recent years high-profile data breach events have left no doubt that even large, well-known companies are unable to guarantee the protection of the growing mountain of sensitive personal information. And the consequences of failures can be severe. For example, as a result of reputational damage and within one week of the breach disclosure, Equifax saw its shares drop 20% - an amount equivalent to roughly US$4 billion. BDO USA s 2017 Board Survey found that 52% of organisations have processes in place to conduct regular cyber security risk assessments, but only 40% of organisations have a process in place to conduct third party/ vendor risk assessments. This means that many organisations do not have repeatable processes in place to consider and assess their cyber risk exposure and how these may impact the business.

THE INTRINSIC VALUE OF ENSURING DATA PRIVACY 05 DATA CONTROL OPERATIONS CONTROLLING YOUR DATA AND ASSOCIATED COSTS The GDPR requires data minimisation in the form of collecting, using and retaining only what is necessary for the purposes of processing. Extraneous or expired information is not to be processed. This is in stark contrast with the gather it all and sort it out later / keep everything indefinitely - just in case - because storage is cheap philosophies that many businesses have accidentally adopted. Over the years, we have found that while disk space is indeed cheap, storing and maintaining data is certainly not. The GDPR s push toward cleaning out the corporate closet can be used to eliminate unnecessary information and the associated storage costs. The side benefit to this is that without the haystack of expired, extraneous information, managers and employees will be able to find the proverbial needle they need faster - and be less apt to use outdated, inaccurate information to support decisions. But perhaps most important is the benefit of improved corporate citizenship by reducing the risk of identity theft and financial fraud to the employees, prospective customers and clients whose information is entrusted to the data controller.

06 THE INTRINSIC VALUE OF ENSURING DATA PRIVACY CLIENT, SUPPLIER AND EMPLOYEE RELATIONS BUILDING TRUST An organisation with a good data privacy and information security programme can demonstrate to its business partners, employees and clients that their data is in good hands. This makes the organisation a reliable and trusted partner with which to do business. One thing that an information-secure organisation never does is hide behind a software supplier - or any vendor for that matter - that states it is GDPR-certified or GDPRready ROBERT VAN VIANEN, PARTNER, CYBERSECURITY & PRIVACY ADVISORY BDO NETHERLANDS GDPR requires contractual provisions that clearly state responsibilities, and this should be best practice even for entities not subject to GDPR. An overall third-party information risk management programme should be instituted to assess risk for any vendors with access to personal data, and to require specific protective controls that are relevant and proportionate to the risk. A professional and responsible data security programme proves that your organisation takes protecting the privacy of its clients and employees seriously KAREN SCHULER, PARTNER, DATA & INFORMATION GOVERNANCE LEADER BDO USA By shouldering that responsibility, an organisation engaging with its suppliers to discuss proper data security can expect both structural improvement and a more mutually beneficial longterm relationship. STRENGTHENING EMPLOYEE RELATIONS Human behaviour is the number one cause of data incidents and data breaches. The introduction of the GDPR - aimed at instilling more control - creates an excellent opportunity to educate employees and raise awareness of data privacy and cyber best practices. The provision of security and privacy awareness training empowers employees, who represent the most important actors in your data protection programme. XXData security involves holding people at all levels of the organisation accountable for their professionalism. This increases possibilities for new standards of effectiveness and efficiency XXA clear picture of the data flow provides insight into how matters can be improved and be made safer as well as more efficient and less expensive XXIt offers an opportunity to work on process optimisation XXIt lays the foundations for identifying new growth opportunities, such as big data.

07 CONCLUSION CALL IN THE EXPERTS Ensuring a mature, professional data privacy programme is extremely important for every organisation. Regardless of the legislation, penalty clauses and all the threats that exist in this area, any and all organisations would benefit from investing in, and guaranteeing the protection and proper handling of data under their management. Information is often a corporation s most valuable asset. By developing the comprehensive governance, risk and compliance programs required by the GDPR, organisations lay a solid foundation for proper information governance and data privacy. Moreover, the extent to which an organisation is ready for impending technological developments could determine the future growth and success of that organisation in the coming decades. BDO s Global Cybersecurity practice is comprised of professionals from a diverse range of backgrounds, including experienced IT, operations, and data privacy consultants, as well as forensic technology, business advisory and accounting practitioners. We are structured to provide comprehensive, customised services for each client, focusing on your specific operating model, technical demands, regulatory environment and industry dynamics. Whether it s financial services, healthcare, retail, natural resources or any other industry we understand your needs. Our global footprint extends to every corner of the globe and so does cybercrime. Let us help your organisation, wherever you are, to mitigate the cyber risks you re facing. Information is at the heart of every organisation, and ensuring the security of that information is crucial KAREN SCHULER, PARTNER, DATA & INFORMATION GOVERNANCE LEADER BDO USA

08 THE INTRINSIC VALUE OF ENSURING DATA PRIVACY ABOUT THE AUTHORS ABOUT BDO S GLOBAL CYBERSECURITY LEADERSHIP GROUP Robert Van Vianen Robert is a managing partner in the Cybersecurity & Privacy advisory practice within BDO Netherlands, whose main focus is on the Public Sector, including healthcare. Robert has more than 17 years experience in the areas of cybersecurity, data privacy and risk management. Our corporate methodology incorporates several proprietary models for supporting organisations in developing and improving their cyber security posture. From establishing compliance and building a proactive approach through the ongoing development of capabilities, to effective security risk management, we work with our clients to quickly attain higher levels of maturity and resilience. GLOBAL CYBERSECURITY LEADERSHIP GROUP BDO USA +1 703 770 1019 ggarrett@bdo.com GREGORY A. GARRETT HEAD OF INTERNATIONAL CYBERSECURITY Karen Schuler Karen Schuler has more than 25 years of experience managing global organisations that provide privacy, security, and e-discovery services. As a testifying expert and well-known presenter and author on high risk corporate issues impacting global organisations, she has held executive level positions for some of the largest service providers, is a former member of the United States Securities & Exchange Commission, and is BDO s Data & Information Governance Practice Leader. BDO South Africa +2782 606 7570 or +2782 465 4539 gcroock@bdo.co.za BDO Australia +6173 237 5688 leon.fouche@bdo.com.au GRAHAM CROOCK DIRECTOR, IT AUDIT, RISK & CYBER LABORATORY LEON FOUCHE PARTNER AND NATIONAL CYBERSECURITY LEAD JASON GOTTSCHALK PARTNER, CYBERSECURITY PRACTICE LEADER BDO UK +4479 7659 7979 jason.gottschalk@bdo.co.uk BDO Netherlands +3165 150 8151 sandra.konings@bdo.nl BDO Norway +4748 171 714 andreas.vogt@bdo.no BDO Israel +9725 2675 5544 ophirz@bdo.co.il SANDRA KONINGS PARTNER, CYBERSECURITY ANDREAS VOGT, PH.D. DIRECTOR / HEAD OF SECTION, BDO SECURITY & EMERGENCY SERVICES OPHIR ZILBIGER, CISSP, CRISC PARTNER, HEAD OF SECOZ CYBERSECURITY CENTRE FOR MORE ON BDO CYBERSECURITY, VISIT: CYBERSECURITY.BDO.GLOBAL

THE INTRINSIC VALUE OF ENSURING DATA PRIVACY 09

FOR MORE INFORMATION: CYBERSECURITY.BDO.GLOBAL Twitter: @BDOglobal Email: marketing@bdo.global This publication has been carefully prepared by BDO. BDO, we, us, and our refer to one or more of BDO International Limited, its network of member firms ( the BDO network ), and their related entities. BDO International Limited and each of its member firms are legally separate and independent entities and have no liability for another such entity s acts or omissions. Neither BDO International Limited nor any other central entities of the BDO network provide services to clients. Please see www.bdo.global/about for a more detailed description of BDO International Limited and its member firms. Nothing in the arrangements or rules of the BDO network shall constitute or imply an agency relationship or a partnership between BDO International Limited, the member firms of the BDO network, or any other central entities of the BDO network. BDO is the brand name for the BDO network and for each of the BDO member firms. This publication contains general information only, and none of BDO International Limited, its member firms, or their related entities is, by means of this publication, rendering professional advice or services. The publication cannot be relied upon to cover specific situations and you should not act, or refrain from acting, upon the information contained therein without obtaining specific professional advice. Please contact a qualified professional adviser at your local BDO member firm to discuss these matters in the context of your particular circumstances. No entity of the BDO network, its partners, employees and agents accept or assume any liability or duty of care for any loss arising from any action taken or not taken by anyone in reliance on the information in this publication or for any decision based on it. Editorial: BDO Global Office, Belgium Copyright BDO Feburary 2018. Brussels Worldwide Services BVBA. All rights reserved. www.bdo.global HB010212

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback