GDPR Lessons Learned

Upload: danghanh

Post on 27-Nov-2018


Page 1: GDPR - Lessons Learned - ey.com · GDPR Lessons Learned Slide: 5 GDPR key changes (1/2) Applies to all data controllers and processors established in the EU and organizations that

GDPR

Lessons Learned


01 Introduction


GDPR Lessons Learned Slide: 3

Privacy is a hot topic

Privacy and Data Protection is increasingly in the spotlight and undergoing a paradigm shift in light of the new General Data Protection Regulation (GDPR) and uncertainty post-Brexit

Personal Information (PI) is a valuable asset through intelligence and monetisation opportunities

Privacy awareness of the public has increased significantly, exacerbated by frequent personal data breaches catching media attention

Demonstrating good privacy governance and practices will be considered by the FCA and other regulators


GDPR Lessons Learned Slide: 4

GDPR coming into force in May 2018 and organizations need to act now

The volume of people, process and technology change required by the 25 May 2018 deadline of the GDPR should not be underestimated

Many organisations are compliant, on paper, with existing legislation, but are yet to face the challenge of implementing the requirements through the entire personal data lifecycle

As business models have been digitised, the volume of data held by organisations has increased significantly, resulting in organisations not understanding how much PI they hold, why they retain it and how it is being used

GDPR Timeline

January 2012: European Commission (EC) proposed GDPR

March 2014: EU Parliament adopts compromise text

December 2015: GDPR agreed

14 April 2016: GDPR formally adopted by member states

Transition period of 2 years

25 May 2018: GDPR takes effect


GDPR Lessons Learned Slide: 5

GDPR key changes (1/2)

Expanded scope

Applies to all data controllers and processors established in the EU and organizations that target EU citizens

Consent

► Consumer consent to process data must be freely given and for specific purposes

► Customers must be informed of their right to withdraw their consent

► Consent must be ‘explicit’ in the case of sensitive personal data or trans-border dataflow

New rights

► The right to be forgotten — the right to ask data controllers to erase all personal data without undue delay in certain circumstances

► The right to data portability — where individuals have provided personal data to a service provider, they can require the provider to ‘port’ the data to another provider, provided this is technically feasible

► The right to object to profiling — the right not to be subject to a decision based solely on automated processing

Privacy Impact Assessments

Organizations must undertake Privacy Impact Assessments when conducting risky or large scale processing of personal data

Privacy by Design

Organizations should design data protection into the development of business processes and new systems


GDPR Lessons Learned Slide: 6

GDPR key changes (2/2)

Data Protection Officers (DPOs)

DPOs must be appointed if an organization conducts large scale systematic monitoring or processes large amounts of sensitive personal data

Accountability

Organizations must prove they are accountable by:

► Establishing a culture of monitoring, reviewing and assessing data processing procedures

► Minimizing data processing and retention of data

► Building in safeguards to data processing activities

► Documenting data processing policies, procedures and operations that must be made available to the data protection supervisory authority on request

Obligations on processors

New obligations on data processors — processors become an officially regulated entity

Mandatory breach notification

► Organizations must notify the supervisory authority of data breaches ‘without undue delay’ or within 72 hours, unless the breach is unlikely to be a risk to individuals

► If there is a high risk to individuals, those individuals must be informed as well

Fines of up to 4% of annual worldwide turnover

Fines for a breach of the GDPR are substantial. Regulators can impose fines of up to 4% of total annual worldwide turnover or €20,000,000, whichever is greater


GDPR Lessons Learned Slide: 7

The importance of privacy – moving beyond compliance

Compliance incentives

Need to comply with laws, regulations, contracts and other agreements

Increasing pressure from regulators

Rising fines and penalties

Minimise reputational damage

Significant costs associated with recovery from breaches and potential lawsuits from those affected

Moving beyond compliance: business incentives

Move beyond compliance to build trusting relationships with stakeholders that drive loyalty and retention

Privacy is a competitive differentiator in a data- and technology-driven world

Enhance brand and reputation

Satisfy stakeholders’ expectations, especially in light of increasing public awareness of and concern about data privacy

Proactively prevent loss of customers and market share as a result of data breaches

Data protection as a moral responsibility towards customers and part of the CSR profile

Prevent data breaches and avoid associated remediation costs

Protect future revenue sources and create new ones from data with customer consent


GDPR Lessons Learned Slide: 8

GDPR can frustrate or support the digital proposition

Companies nowadays collect a high amount of data, which might lead to the collection and/or creation of personal identifiable information. Organisations need to identify the minimum amount of personal identifiable information they need in order to perform their data analysis, or perform anonymization or pseudonymization.

Internet of Things

More and more Internet of Things devices are introduced and generate large volumes of data which can be used by organizations to support their market and client insights and improve the digital proposition. Examples are mobiles, connected cars and wearables.

Digital marketing, sales and service

Organizations are transforming their business into digital propositions. These propositions are built on technology and data. A precondition is the reuse of data.

Partner and ecosystem

Organizations are more and more connected with partners in an ecosystem. To utilize the advantages, data need to be shared across the ecosystem while supporting privacy regulations.


02 Transformation approach


GDPR Lessons Learned Slide: 10

Data Protection and Privacy Transformation approach

EY’s unique approach

Comprehensive in reach through its four phases: understand, assess, design and implement

Multi-disciplinary by integrating the legal, IT, risk and business perspectives of privacy

Close cooperation with EY Law to translate legal requirements into a risk-based, customised approach

Identification of high risks and focus on becoming compliant with current legislation, while keeping sight of the organisation’s GDPR readiness

Proven success in roll-out in various countries


GDPR Lessons Learned Slide: 11

A phased approach combining Overall GDPR maturity assessment and PIAs on high risk data flows

Key activities (Phase 1, Phase 2, Phase 3)

Framework: Overall maturity assessment; Customize Privacy Impact Assessment (PIA); Implementation plan; Privacy framework policy and standards; Data governance (including DPO position); Update implementation plan; Accountability; Privacy by Design; Monitoring and incident response; Notifications; Metrics, reports and dashboard

Dataflow: Phase 1: Assessment of data flows using PIA based on a risk-based approach. Phases 2 and 3: Fixing reported gaps based on priority setting; Continue dataflow assessments

Vendor: Phase 1: Vendor risk management framework. Phases 2 and 3: Vendor risk assessment and update contracts

Awareness: in all three phases


GDPR Lessons Learned Slide: 12

Risk-based approach to assess data flows based on a well-established PIA process

Dataflow inventory

In order to fully assess privacy and compliance risks, organizations will need to understand how (customer and employee) data are used.

Therefore, the first step of our PIA process consists of making an inventory of the dataflows, which includes i.a. a complete overview of data sources (systems and files), where data are stored, how it is processed, who it is shared with and how long it is retained.

The dataflows will be inventoried during a workshop (approx. 2 hours) with internal stakeholders. Our dataflow tooling can be used to validate the outcome of such a workshop.

Risk assessment dataflow

The second step of our PIA process consists of categorizing the dataflows by the associated risks (high/medium/low risk).

Such a risk assessment – which consists of a (brief) questionnaire – enables organizations to prioritize dataflows, establishes whether a PIA would be obligatory under the GDPR and creates an audit trail in this respect.

Subjects of the risk assessment include i.a.:

• Personal data

• Special data

• Volume of data

• Sensitivity of process

Prioritize dataflows

Based on both the defined risk appetite of the organization and the established risk(s) per dataflow, it will be established on what dataflows the PIAs will be performed and the order in which they will be carried out.

The PIAs on the dataflows with risks that would impact the organization most – given its risk appetite – will be performed first.

Perform PIA

EY has developed an in-depth Excel based questionnaire to gather the insights necessary to assess the impact of the dataflows on the natural persons involved.

This questionnaire covers most subjects of the GDPR (more comprehensive than the risk assessment) and contains guidelines and primarily closed-ended questions (yes/no, multiple choice, rating scale, etc.), making the PIA user-friendly for the business. If so desired, the PIA questionnaire can be modified or integrated with existing risk assessments (e.g. BIA or ISRA).

Define actions

After performing the PIA, actions will be defined to mitigate the risks to the natural persons identified during the PIA.

Subsequently, this list of actions will be prioritized based on the risk appetite of the organization, mitigating the highest risks first.

Defining risk appetite

Using the gathered insights on the dataflows, the risk appetite will be defined to support expected GDPR changes, prioritize dataflows and define actions.

EY will support in (i) developing a qualitative statement to articulate privacy risk, (ii) defining a clear appetite statement that can be measured and aligns to your strategy and (iii) identifying metrics from your Privacy Risk Control Framework that speak to your risk appetite and align where possible to strategic objectives


GDPR Lessons Learned Slide: 13

Lessons learned

Data flow mapping

• Many organisations are unaware of their data flows and have launched ambitious data flow mapping initiatives

• Data flow mapping exercises are all too often performed in a manner that is too detailed and resource consuming

• A more limited scope is sufficient to facilitate the creation of a privacy register

• Data discovery tooling can be used to further detect structured and unstructured data

Legacy

• Privacy impact assessments (PIA) need to be performed for the organisation’s data flows and a risk-based approach should be adopted to focus on high impact data flows

• Through data flow mapping, non-compliances with the GDPR’s requirements such as the right to be forgotten and data retention are identified

• A targeted approach allows for prioritisation of actions and the identification of those which can be pursued centrally to facilitate integration with the entire organisational data governance (including Privacy by Design)

Privacy governance

• Privacy is no longer exclusively situated within the legal realm but has evolved into a multi-disciplinary issue

• Organisations are struggling to establish a comprehensive model to lead privacy transformation

• A new, collaborative model is needed to unite the multiple dimensions of privacy within the organisation


GDPR Lessons Learned Slide: 14

Lessons learned

Big data analytics

• The use of big data analytics has attracted widespread attention and has proven to provide added business value

• Challenges around privacy arise due to the lack of consent amongst data subjects

• In essence, these challenges are not new, and thus lend themselves to the established response of pseudonymisation or anonymisation of data to ensure the preservation of privacy, while still leveraging the strategic value of data.

Rightful usage

• The concept of rightful usage (legitimate use or explicitly obtained consent) forms an integral part of the privacy impact assessment (PIA) related to the mapping and discovery of organisational data flows

• Organisations too often adopt an isolated approach focused on a singular data flow

• In contrast, an overarching approach forms a starting point for additional activities requiring the basis of legitimate use or consent, as it centralises the overview of rightful usage of data

Right to be forgotten

• The majority of applications are not currently supporting the key changes brought by the GDPR around the right to be forgotten, data portability and data retention

• In particular, many organisations struggle with supporting the right to be forgotten due to the complexity and wide distribution of data across different databases, backups etc.


03 Impact on IT and Security


GDPR Lessons Learned Slide: 16

Impact on IT and Security (1/2): an overview of impact and solutions

Data Lifecycle Management

GDPR impact:
• Define data flows
• Document conditions for processing (i.e. legal ground, data minimization, information provision, purpose limitation)
• Implement and maintain privacy register

Solutions:
• Integrate GDPR in data governance and management
• Implement or enhance (existing) tooling to support data flow mapping and document data attributes
• Implement privacy register based on tooling

Data Protection Policy and data classification

GDPR impact:
• Classify personal identifiable information (PII)
• Ensure necessary and proportionate use only
• Enforce policies and standards

Solutions:
• Draft, review and update existing data protection policies and standards
• Use specific tooling to classify your PII
• Use specific tooling to enforce data protection policy and standards

Privacy Risk and Controls

GDPR impact:
• Integrate privacy controls and assessment into the existing control framework and risk assessments
• Perform risk assessments on processes and data flows (instead of systems/applications)

Solutions:
• Update existing risk framework and assessments
• Integrate privacy controls in the existing tools and controls testing

Privacy by design and architecture

GDPR impact:
• Implement procedure for assessing risk of data flows
• Perform PIAs (privacy impact assessments) on new and current processes
• Redesign design and build procedures by including data protection principles

Solutions:
• Take into account data protection of PII in [existing design and build procedures]
• Enhance existing security architecture to support privacy by design, including libraries of tools to support [design and build procedures]

Data subject rights

GDPR impact:
• Support rights of data subjects i.a. to access, modify and erase their PII, transfer PII to another organization (data portability) and object to the processing.

Solutions:
• Implement procedure/functionality for data subjects to submit requests and provide transparency on data subjects’ rights
• Implement procedure to assess the requests of data subjects to exercise rights
• Tooling for providing access on user request
• Tooling for transferring data to another organization (data portability)
• Tooling for erasure by way of disposal, pseudonymization/anonymization


GDPR Lessons Learned Slide: 17

Impact on IT and Security (2/2): an overview of impact and solutions

Monitoring

GDPR impact:
• Implement monitoring to ensure that PII is used in line with policies, standards and GDPR
• Detect deviations, i.a. unauthorized disclosures

Solutions:
• Implement data discovery tooling to ensure that all data is recorded and accounted for as part of the privacy register
• Use specific monitoring tooling to record the deviations of policies, disclosures and data flows, privacy data analytics

Data security

GDPR impact:
• Technical security measures to protect PII in line with policies and procedures
• Implement encryption (at rest, in use, in motion)
• Align identity access management with appropriate use in line with GDPR

Solutions:
• Describe procedures in information security policy and standards on data protection and implement such procedures
• Implement tooling to encrypt data on different technology layers, i.a. network, end-user, server, database, application, e-mail and unstructured documents
• Update roles and authorizations in existing identity access management

Data retention and disposal

GDPR impact:
• Identify retention periods for each category of PII
• Dispose or anonymize PII after retention period
• Create a data retention and disposal policy

Solutions:
• Describe the retention periods per record (using the mandatory privacy register)
• Implement the retention periods in applications or implement specific tooling in combination with an archiving system

Vendor management

GDPR impact:
• Having an up-to-date overview of all vendors that process PII
• Ensure vendors only process PII in line with policies, standards and GDPR (e.g. monitoring vendors and performing audits)

Solutions:
• Implement vendor management framework, including controls vendors should comply with
• Implement procedures and tooling for monitoring vendors
• Bind vendors to data protection principles by concluding a processing agreement

Incident response and breach notification

GDPR impact:
• Include data breaches in existing incident response procedures
• Mandatory notifications of data breaches to authority/data subjects

Solutions:
• Update existing incident procedure
• Keep internal register on data breaches
• Implement or update procedure and tooling for assessing data breaches and notifying authority/data subjects

Data analytics and profiling

GDPR impact:
• Ensure profiling/analytics is performed in line with strict conditions
• Data subjects’ right to object to profiling/analytics

Solutions:
• Implement procedures to ensure conditions for profiling/analytics are met, including alternatives (pseudonymization/anonymization)
• Implement functionality to exclude individuals from profiling/analytics
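As an added example (not EY's material), the following Python sketch implements the "Data retention and disposal" row above: a per-category retention policy applied to records, where expired records are disposed of or pseudonymised with a keyed hash so analytics stay usable, and every decision is written to an audit trail. The category names, retention periods, records and key are constructed placeholders, not a legal retention schedule.

```python
"""Retention sweep example (added here; not EY's code): dispose of or pseudonymise
PII once its category's retention period has passed, and keep an audit trail."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Tuple

# PII category -> (retention period in days, action once the period has passed).
# Constructed for illustration; real periods come from the organisation's privacy register.
RETENTION_POLICY: Dict[str, Tuple[int, str]] = {
    "customer_contact": (2 * 365, "dispose"),
    "transaction": (7 * 365, "pseudonymise"),  # keep for analytics, strip identity
    "marketing_consent": (365, "dispose"),
}

@dataclass
class Record:
    record_id: str
    category: str
    subject_id: str  # direct identifier, e.g. a customer number
    payload: dict
    created: date
    pseudonymised: bool = False

@dataclass
class SweepResult:
    disposed: List[str] = field(default_factory=list)
    pseudonymised: List[str] = field(default_factory=list)
    retained: List[str] = field(default_factory=list)
    audit_trail: List[str] = field(default_factory=list)  # record ids only, never PII

def pseudonymise_subject(subject_id: str, key: bytes) -> str:
    """Keyed hash: the same subject maps to the same token, so joins across records
    still work, but without the key the token cannot be linked back to the person."""
    return hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]

def is_expired(rec: Record, today: date) -> bool:
    days, _ = RETENTION_POLICY[rec.category]
    return today - rec.created > timedelta(days=days)

def sweep(records: List[Record], today: date, key: bytes) -> Tuple[List[Record], SweepResult]:
    """Apply the retention policy in place; return surviving records and the audit trail."""
    result = SweepResult()
    survivors: List[Record] = []
    for rec in records:
        if rec.category not in RETENTION_POLICY:
            # No policy for this category: keep the record but flag the gap for the privacy register.
            result.retained.append(rec.record_id)
            result.audit_trail.append(f"{today} RETAIN {rec.record_id} reason=no-policy:{rec.category}")
            survivors.append(rec)
            continue
        if rec.pseudonymised or not is_expired(rec, today):
            result.retained.append(rec.record_id)
            survivors.append(rec)
            continue
        _, action = RETENTION_POLICY[rec.category]
        if action == "dispose":
            result.disposed.append(rec.record_id)  # not carried into survivors
            result.audit_trail.append(f"{today} DISPOSE {rec.record_id} category={rec.category}")
        else:
            rec.subject_id = pseudonymise_subject(rec.subject_id, key)
            rec.payload = {k: v for k, v in rec.payload.items() if k not in ("name", "email")}
            rec.pseudonymised = True
            result.pseudonymised.append(rec.record_id)
            result.audit_trail.append(f"{today} PSEUDONYMISE {rec.record_id} category={rec.category}")
            survivors.append(rec)
    return survivors, result

def demo() -> Tuple[List[Record], SweepResult]:
    """Run the sweep over five constructed records as of the GDPR effective date."""
    today = date(2018, 5, 25)
    records = [
        Record("r1", "customer_contact", "CUST-0001", {"name": "A.", "email": "a@example.invalid"}, date(2015, 1, 10)),
        Record("r2", "transaction", "CUST-0002", {"name": "B.", "amount": 120}, date(2010, 3, 1)),
        Record("r3", "transaction", "CUST-0003", {"name": "C.", "amount": 80}, date(2017, 6, 1)),
        Record("r4", "marketing_consent", "CUST-0004", {"channel": "email"}, date(2017, 1, 1)),
        Record("r5", "device_telemetry", "DEV-0005", {"reading": 21.5}, date(2012, 7, 4)),  # no policy
    ]
    return sweep(records, today, b"constructed-demo-key-rotate-in-practice")

if __name__ == "__main__":
    for line in demo()[1].audit_trail:
        print(line)
```

Running the module prints the audit trail; records already pseudonymised are left alone on later sweeps, and a category without a policy is retained but flagged rather than silently handled.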


04 Role of the DPO


GDPR Lessons Learned Slide: 19

Roles and responsibilities


05 Credentials


GDPR Lessons Learned Slide: 21

Credentials (1/2)

Large Credit Services Company – Credit service company

We performed an audit on the internal controls of the client and assessed whether they comply with the Dutch privacy laws. Our opinion was based on a public framework and resulted in a report comparable to ISAE 3000.

Privacy and compliance assessment – International information provider

We identified non-compliance gaps and improvement opportunities for our client. We created a high level roadmap that illustrates the activities which should be performed to comply with the GDPR.

Privacy and compliance scan – Insurance company

We performed a privacy compliance scan to identify gaps based on the Dutch Data Protection Act and the GDPR.

We performed workshops to raise awareness and knowledge and drafted a roadmap to implement the necessary actions identified during the assessments and workshops.

GDPR assessment & data flow mapping – Financial institution (UK)

We performed a GDPR assessment, including a gap analysis of various business units (BUs) and systems.

World’s largest search engine

We advised on the data retention periods, under UK financial services regulatory regimes, for the world’s largest search engine operator which also owns and operates a UK payment services and e-wallet provider.


EY Data Privacy Workshops performed at multiple financial services organisations

We provided a workshop to create awareness within the company of the client. By using cases, simulations and interactive break-out sessions, we assessed privacy from different angles to allow the client to understand the impact of privacy on its organization.



GDPR Lessons Learned Slide: 22

Credentials (2/2)

US based IT provider

We advised a US-based IT provider – which specializes in providing IT back office support to banks – on the interaction between regulatory retention periods, AML and data protection laws.

Privacy gap assessment and implementation – Large pension fund

For our client, we established risk management, compliance management and a function & governance structure. In addition, we carried out risk identification & assessment, drafted policies (privacy policy, IT policy), assisted in developing risk mitigation strategies, designed reporting templates and raised awareness within the company through workshops.

Large bank based in the UK

Recently, we drafted the data retention policy – which included time periods for which different classes of data should be retained, methods for storing data and guidance on whether data should be erased or archived – for a large UK based challenger bank.


Global oil & gas company

We provided support to the global privacy officer and global internal audit department, as a subject-matter expert regarding implementation of and compliance with the global privacy policy.


06 Contact us


GDPR Lessons Learned Slide: 24

More information and contacts


EMEIA contacts

Bernadette Wesdorp

Senior Advisor Data Privacy and Data Protection

[email protected]

+ 31 6 21252753

Tony de Bos

Data Protection and Privacy leader EMEIA

Executive Director Financial Services Advisory NL

[email protected]

+ 31 6 29084182

Privacy offerings

Privacy workshop

GDPR key changes

Saskia Vermeer – de Jongh

Senior manager and Attorney IP/IT and Privacy

[email protected]

+ 31 6 29083580

Wout Olieslagers

Consultant and Attorney IP/IT and Privacy

[email protected]

+ 31 6 524 656 93


EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2016 EYGM Limited. All Rights Reserved.

In line with EY’s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com