EY's data privacy service offering: How to transform your data privacy capabilities for an EU General Data Protection Regulation (GDPR) world

In May 2018, the European Union's new General Data Protection Regulation (GDPR) ushers in unprecedented levels of data protection for EU residents. Backed by fines of up to €20 million or 4% of global revenue, whichever is higher, the GDPR gives individuals new, expanded rights over their personal data and heightens the responsibilities and liabilities of controllers and processors, regardless of their geographic location.

EU GDPR is a global game changer. No organization storing or processing the personal data of EU residents can afford to be complacent, wherever the organization is based and irrespective of its current privacy maturity level. As well as the urgency of working towards compliance, there is also the opportunity to take a strategic approach to GDPR. EY's risk-based, multi-disciplinary approach targets GDPR investment where it matters most for regulatory compliance and competitive advantage. Drawing on our extensive privacy knowledge and proven tools and methodologies, we help to identify clients' highest risks, and design and execute a tailored road map for compliance and beyond.

GDPR timeline
January 2012: European Commission (EC) proposed GDPR
March 2014: EU Parliament adopted compromise text
December 2015: GDPR agreed
14 April 2016: GDPR formally adopted by EU member states
Transition period of two years between formal adoption and full effect
25 May 2018: GDPR takes full effect
Monitoring and compliance thereafter: ensuring compliance through monitoring and continuous improvement

GDPR: what you need to know

When GDPR comes into force, it will introduce a raft of new rights for individuals and principles to facilitate and protect the flow of personal data in the market. Among the key changes, organizations must prove that they have a robust accountability framework in place for data protection, an ongoing data protection impact assessment and a privacy-by-design approach, the latter ensuring that data protection safeguards are built into products and services from the earliest stage of development. Key rights for individuals include the right to erasure (right to be forgotten), and the requirement for consent to be explicitly given for specific uses and transfer of sensitive data.

Key changes, by area: scope and definitions; formalities; data subjects' rights; legal grounds for data processing; new principles; security and breach notification; enforcement/sanctions.

The changes include:
Broad definition of personal data
Extended territorial effect
An (almost) harmonized EU data protection regime
Notification regime limited to sensitive data processing/prior checking approach
Data protection officer
One-stop-shop
International data transfers
Right to be forgotten
Data portability
Profiling
Children
Clear and plain language
Transparency
Legitimate interest
High bar for consent
Data minimisation
Accountability
Appropriate safeguards
Impact assessments
Privacy by design and by default
Security & data breach notification
Penalties for companies
Liability of data processor

EY approach towards GDPR compliance: five stage transformational approach

The five stages: 1. Understand, 2. Assess, 3. Define, 4. Recommend, 5. Run.

Our broad transformation approach mirrors the cross-functional nature of the GDPR. We bring our own multidisciplinary team of professionals, combining knowledge and experience across legal, cybersecurity and data analytics, to engage with stakeholders from all parts of the organization, to bring GDPR to life. Our five-phased approach is a framework from which we can build a tailored approach for each organization, to operationalize GDPR, and provide compliance and beyond.

1 Understand: getting to grips with the impacts and implications of data privacy

The fact that data privacy regulations in general, and GDPR in particular, have broad impacts across the organization can make it hard to pinpoint their specific effects. It can also be difficult to look beyond the regulatory and technological issues to grasp the competitive opportunities that privacy presents. You should understand your current context and how much GDPR impacts you, in particular looking into:

The business and governance models: Gather information related to the organization and its adopted strategies to understand the current data protection governance model. Assess the industry and market, the organization's management structure and its digital and data strategy, as well as the data protection measures and awareness in place.

Strategic alignment and risk appetite: Determine the strategic alignment and risk appetite in a workshop. Define the tone at the top towards strategy, risk culture, direction and conduct.

Data protection and privacy framework: Leverage acknowledged frameworks, gather information and create an understanding of the existing data protection and privacy posture of the organization, including policies, standards and guidelines.

Legal and regulatory framework: Understand the organization's status and compliance toward the applicable laws and regulations, specifically GDPR and sector-specific laws and regulations.

Data transfers with vendors and partners: Understand the organization's vendors and partners, including providers of cloud services and outsourcing. Create an overview of data transfers abroad, and understand the legal and regulatory impact.

Raising awareness: Ensure data protection and privacy awareness through appropriate information, and specific data protection awareness trainings and workshops. An EY GDPR awareness workshop helps clients understand why privacy is much more than just a compliance or security issue. After the workshop, your business will understand how you are impacted by GDPR and be well equipped to navigate today's complex privacy landscape.

2 Assess

GDPR maturity and gap assessment: To plan out your responses to GDPR, you must first identify the gaps between where you are today in terms of data privacy and where you need to get to in the future. You also need to conduct a Data Protection Impact Assessment (PIA) and map out the flows of data across your operations. All of these elements are part of EY's GDPR assessment and roadmap offering. Often combined with the GDPR awareness workshop, this approach starts with our privacy team executing our proven GDPR assessment to pinpoint the gaps between the current and desired state. This provides input for our team to develop your practical and tailored roadmap to GDPR compliance, including clearly stated goals and purpose. This approach not only drives GDPR compliance, but also increases the data maturity of the business as a whole, helping clients to extend their data usage capabilities, and boost the effectiveness of their data analytics and dashboarding.

Data flow mapping and records of processing activities (ROPA): Mapping data flows is vital for identifying your organization's data privacy requirements and implementing data protection processes that comply with relevant regulations, including GDPR. However, all too often, businesses undertake data flow mapping with an IT mindset, meaning it produces outputs that quickly become outdated and are too detailed for use in the business. This is because an IT-orientated data flow mapping tends to focus on specific technical fields rather than the types of data used by business processes. In contrast, an EY data flow mapping delivers business-driven results at high pace, by focusing on the business-relevant aspects of data and applying leading-edge data discovery tools and strong data governance. Map data flows to enhance the implementation support of data privacy. The identified data streams can be used to determine the requirements for privacy (on the basis of applicable laws and regulations) and setting up data protection. On this basis, formalize the records of processing activities, which will serve as the foundation for a privacy risk assessment and the DPIA if applicable.

Data Protection Impact Assessment (DPIA) and privacy-by-design: A high quality DPIA process throughout the organization is imperative for ensuring compliance with GDPR. An EY DPIA, encompassing the full privacy life cycle shown below, will help you embed data privacy and data protection into the design of all your processes and applications that process personal data. EY can support you in the design and execution of DPIAs using our established GDPR toolset, and supplement this with training to raise data privacy awareness and compliance across the organization. Assess personal data collection and processing activities with a data protection impact assessment to identify the risks inherent to the personal data processing activities. Reduce such risks by redefining the processes in accordance with the principles of privacy by design and privacy by default.

Privacy life cycle: 1 Appropriate collection of data; 2 Relevant use of data; 3 Managed disclosure; 4 Appropriate retention and disposal; 5 Review of privacy expectations.

Privacy risk assessment: GDPR is a regulation which should trigger responses commensurate with the privacy risk exposure of the organisations. A privacy risk assessment shall be conducted to develop solid recommendations for the implementation and remediation steps in light of the company's risk appetite and level of compliance gap.

3 Define: establish the mechanism to address the requirements of the GDPR

Data subject rights: Define processes to ensure data subject rights are enforceable. Facilitate compliance through privacy by design, e.g., embed user access rights in online applications. Evaluate and redesign processes for retrieval, correction and erasure of personal data throughout the organization.

Vendor and partner management: Identify and prioritize the vendor relationships which include personal data processing activities. Evaluate the contracts, security measures and oversight governance against compliance with GDPR and define a strategy to renegotiate personal data processing agreements. Ensure appropriate security measures and vendor management are in place by defining a lean oversight governance.

Monitoring and incident handling: Define a process for personal data breach monitoring and reporting. Develop a process for personal data breach reporting towards the data protection authority and towards the data subjects. Design templates and communication approval processes to ensure that the notification deadline of 72 hours can be met.

Governance, policy, standards and guidelines: Redefine the data protection governance model, including a detailed description of the roles and responsibilities with regard to management of external relationships and communication with regulators. These actions, as well as the ones defined in phase 5, will help to comply with the accountability principle, moving towards compliance.

Roadmap: The roadmap contains the necessary actions identified during the assessments and workshops. It focuses on compliance towards the applicable laws and regulations, and the defined privacy and data protection strategy.

4 Recommend

Based on company assessments, getting situational insights and making a privacy risk assessment, EY recommends the processes and measures defined in the previous phase 3, by leveraging existing processes within the organization. Ensure that data protection governance and documentation are in place by introducing internal guidelines and process documentation.

5 Run

Privacy control framework: Facilitate compliant personal data management through a holistic privacy control framework, integrating data protection throughout the organization, including project management, process and product development, as well as risk and vendor management.

EY can help with:
Privacy strategy and governance
Privacy design and implementation
Data flow mapping
Managed services
On-site and web-based data privacy and GDPR awareness
Data protection impact assessments
Privacy program and data management
Compliance monitoring
Privacy and data analytics, including anonymization and pseudonymization
Maturity assessment
Gap assessment
Data breach notification and incident management
Data breach stress tests
Third-party and vendor management
Continuous improvement

Why EY?

Extensive privacy knowledge and experience: EY employs over 200 Certified Information Privacy Professionals (CIPPs) across the EU and privacy lawyers to help organizations to better understand data privacy risk and GDPR compliance. Close cooperation with EY legal specialists means EY CIPPs can translate legal requirements into a risk-based, customized approach.

Highly experienced: For over a decade, EY has assisted multi-national organizations in understanding privacy and data protection and regulations such as GDPR. Using their deep industry and client knowledge, EY has helped clients across financial services achieve both compliance and competitive advantage through effective GDPR programs, from gap analysis through to ongoing managed services.

Global teams: EY teams work within common global structures so they can easily draw on EY's global industry and functional experts to bring insights on legislation, regulations and business practice across the globe. EY has proven success in rollout across multiple countries.

Professional approach: EY uses a risk-based, multi-disciplinary approach supported by robust tools and methodologies to help you to understand the impact of GDPR on your organization, achieve timely and consistent GDPR compliance and leverage GDPR for wider strategic benefit.

How EY can help: EY's unique approach
1 Approach: Comprehensive transformation approach to guide our clients
2 Risks: Identification of high risks and focus on compliance with current legislation while keeping sight of GDPR readiness
3 Cooperation: Close cooperation with EY regulatory and compliance specialists to transpose regulatory requirements into a customized approach
4 Solutions: Multi-disciplinary solutions by integrating the IT, risk and business perspectives of privacy
5 Assessments: Unique combination of maturity and Privacy Impact Assessments
6 Tools: Maturity and Privacy Impact Assessment, data discovery tools and enablers to support our engagements

Is your organization ready for the EU General Data Protection Regulation?

Now it is time to take appropriate actions towards becoming compliant with GDPR. Areas of consideration based on the EY approach are as follows:

Expanded scope: Are you a data processor or a data controller processing personal data inside the EU or processing the personal data of EU citizens?
DPOs: Do you conduct large-scale systematic monitoring (including employee data) or process large amounts of sensitive personal data?
New rights: Do you know how you will comply with the new rights: the right to be forgotten, the right to data portability and the right to object to profiling?
Accountability: Do you conduct large-scale systematic monitoring (including employee data) or process large amounts of sensitive personal data?
Privacy by design: Do you design data protection and privacy requirements into the development of your business processes and new systems?
Mandatory breach notification: Would you be able to notify a data protection supervisory authority of a data breach within 72 hours?

EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2018 Ernst & Young Business Advisory Services S. à R. L. All Rights Reserved.
ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com/luxembourg

Contacts
To find out more about any of our privacy-related services and how EY can help you use GDPR as a catalyst for change, beyond compliance, please contact:

Olivier Maréchal, GDPR Advisory Services Leader, Partner, Advisory Leader for Financial Services, +352 42 124 8948, Olivier.Marechal@lu.ey.com
Philippe Belche, Senior Manager, Legal Advisory Services, +352 42 124 8646, Philippe.Belche@lu.ey.com
Patrice Fritsch, Directeur Associé, Managed services, +352 42 124 8950, Patrice.Fritsch@lu.ey.com
Karim Bouaissi, Senior Manager, IT Risk Assurance, Financial Sector, +352 42 124 8779, Karim.Bouaissi@lu.ey.com
Alexandre Minarelli, Director, IT Risk & Assurance Leader, Commercial and Public Sector, +352 42 124 8669, Alexandre.Minarelli@lu.ey.com
Alejandro del Rio, Manager, +352 42 124 8301, alejandro.del-rio@lu.ey.com