Big data privacy in Australia


Five-article series
Big data privacy in Australia
Three actions you can take towards compliance
Article 5

Big data and privacy
Three actions you can take towards compliance

There are three actions that organizations can take to help manage big data and privacy. Big data fundamentally changes the way information is gathered, stored, used, altered and managed, and it is vital to consider these differences in order to protect effectively against breaches or regulatory issues in the future.

Big data privacy impact assessment

A big data privacy impact assessment (PIA) will help you identify the privacy-related considerations for your proposed use of big data and what is required to mitigate those risks. It can highlight how personal information flows through a project or organization, the possible impacts on privacy and how to avoid, minimize or mitigate them, and how to build privacy by design into projects to ensure compliance. From a regulatory point of view, performing a PIA is critical to demonstrating that the organization has considered all of the risks associated with big data, and how those risks will be mitigated, before the initiative is implemented. Beyond compliance, from an operational risk perspective, performing a big data PIA avoids nasty surprises and ensures that the appropriate controls and processes have been considered up front.

Big data privacy management framework: privacy by design

An effective privacy governance perspective provides the top-down guidance around privacy management, including for big data initiatives. The PIA provides the bottom-up view of where the data is and what it is being used for, as well as the process and technology controls (including security) in place to ensure privacy compliance. Other important considerations for any big data initiative include staff culture, training and awareness (people are usually the weakest link), your reliance on third parties (particularly if your big data initiative involves vendors or cloud technologies), and incident management. What would you do if something went wrong? How would you deal with the inevitable media and customer fallout? Finally, how would you ensure on a regular basis that these controls are all operating effectively, for example through your internal risk management teams or internal audit?

The aim of a privacy management framework is to help organizations develop good privacy governance, which can lead to improved business productivity, more effective business processes, better risk mitigation, and better management of and response to privacy breaches should one occur. Personal information is a valuable asset in many organizations, and embedding a respectful culture around privacy will help you build a reputation that inspires trust and confidence, in addition to meeting your legal obligations.

There are four main steps to developing a privacy management framework, as outlined by the OAIC. How each step is undertaken, and by whom, will depend on your specific environment. Broadly, the steps are:
- Embed a culture of privacy that supports compliance.
- Establish robust, effective practices, procedures and systems, with up-to-date, clear policies around personal information management.
- Evaluate your systems, procedures, processes and practices to enable ongoing effectiveness and compliance.
- Enhance your response to privacy issues.
The OAIC outlines each step in detail and what should be done to develop this framework.

Information security risk assessment

Data breach in some form is now inevitable for organizations today. A successful hack or an unwitting data leak is a matter of when, not if. Advanced organizations are building on preventative controls (e.g. access controls) with detect-and-respond controls, such as holistic security monitoring and incident response procedures. The more personal information you collect and aggregate as an organization, the greater your security obligation under APP 11. An information security risk assessment can help identify potential problem areas within your organization and allows you to address and secure these before a breach occurs. An information security risk assessment is more specific than a PIA because it covers identifying and evaluating risks, threats and problem areas relating to information. Selecting a framework that works for you and developing the right methodology depends on your environment. The elements to consider, whatever the framework or method, include:

Data quality, information security and data accuracy
- Can the data be effectively anonymised or de-personalised, negating the need for ongoing privacy compliance?
- Assess third parties that you share information with or source information from.
- Know your requirements, especially around personal information that analytics creates or re-identifies.

Access and prevention
- Limit internal access to personal information to those who require access to do their job (i.e. provide access on a need-to-know basis).
- Maintain a chronological and detailed audit trail of all users.
- Install network security intrusion prevention and detection systems.
- Run regular penetration testing on the enterprise data warehouses to identify vulnerabilities.
- Use encryption to mask personal identities.
- Ensure reasonable steps are taken to destroy and/or de-identify personal information once it has been used for the notified purpose for which it was collected.

Response planning
- Effective security monitoring procedures to identify unusual behaviours on your network that could be indicative of a breach.
- Develop a clear response plan in case of data breach (and train staff on it).
- Review your information security controls once risks have been uncovered to protect against further exposure.

The OAIC also provides a detailed guide on securing personal information which may be helpful in your organization.

Additional articles in this series

Big data and privacy is a serious organizational consideration for anyone using big data analytics. This five-article series will help you understand some of the risks, technical considerations, actions to take and assessments to consider when addressing big data and privacy. The series includes:
- Big data and privacy: an overview
- Big data and privacy: know the risks and be in a position to respond fast
- Big data and privacy: tips to help shape your future capability
- Big data and privacy: assessment areas to protect personal information

EY | Assurance | Tax | Transactions | Advisory

EY's holistic approach to big data and privacy

This series of articles provides a holistic view of the big data and privacy, information security and data sovereignty issues facing global organizations today. It requires both strategic thinking and tactical action across multiple business domains, including data and analytics, law and risk. In response, we have combined the expertise of partners from these three competencies within EY to provide this rounded, whole-of-business view.

For more information on big data and privacy, contact the following contributing partners:
Conrad Bates, Managing Partner, EYC3, data and advanced analytics. conrad.bates@c3.com.au, C3 Business Solutions Pty Ltd
Alec Christie, Partner, EY Digital Law, privacy law. alec.christie@au.ey.com, Ernst & Young Law Pty Limited
Charlie Offer, Partner, EY CyberSecurity, advisory and risk. charlie.offer@au.ey.com, Ernst & Young Services Pty Ltd

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organisation, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organisation, please visit ey.com.

About EYC3

eyc3.com | ey.com/analytics | analytics@eyc3.com
EYC3 creates intelligent client organizations using data and advanced analytics. Our team of data scientists, analysts, developers, business consultants and industry professionals work with clients at all stages of their information evolution. We implement information-driven strategies and systems that help grow, optimize and protect client organizations, and create a lasting culture that encourages people to use information creatively and intelligently to improve business outcomes.

2016 Ernst & Young, Australia. All Rights Reserved. ED None. M1629993.

This communication provides general information which is current at the time of production. The information contained in this communication does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Ernst & Young disclaims all responsibility and liability (including, without limitation, for any direct or indirect or consequential costs, loss or damage or loss of profits) arising from anything done or omitted to be done by any party in reliance, whether wholly or partially, on any of the information. Any party that relies on the information does so at its own risk. Liability limited by a scheme approved under Professional Standards Legislation.