GDPR - Riskpro India
Riskpro’s Overview
New Delhi, Mumbai, Bangalore, Ahmedabad, Pune, Agra, Salem, Kolkata, Hyderabad, Chennai, Jaipur
Riskpro is an “Indian” Risk Management and Compliance Consulting Firm.
We connect Risk Professionals to Clients for maximum value add.
Riskpro’s four business verticals are Risk Advisory, Trainings, Technology and Recruitment.
▪ 6+ years of business
▪ 250+ Clients
▪ 6+ Cities
▪ 40+ Team Members
▪ 10+ strategic partners
Our growth story is continuous.
Data Protection and GDPR Overview
GDPR Objectives
What: Any data relating to identifiable individuals – employees, suppliers, clients
• Names
• Addresses
• Email addresses
• Telephone numbers
• Sensitive information
Who: Applies across all member states of the EU
Applies to all organisations processing the data of EU subjects – wherever the organisation is geographically based
GDPR Overview
• 25 May 2018
• Territorial Scope
• Hefty Fines
• Demonstrate Compliance
• More data as part of PII
• Data subject rights
• Clear cut consent
• Short timeframe for breach reporting
The GDPR Challenge
What Personal data do you process?
• What about unstructured data sitting in pdf/word files, images?
• Can you pinpoint exactly how it is processed?
Data Subject rights (Doing it correctly)
• Access
• Correction
• Portability
• Deletion
• Prevent marketing / promotions
Demonstrating compliance with GDPR
Requirement to implement appropriate technical and organisational measures
Maintaining records on processing activities
Data protection impact assessments
Requirement to appoint a data protection officer
Data protection by design and default
Codes of conduct and certification schemes
GDPR - How Riskpro can help
GDPR Maturity Assessment
• Review current practices against GDPR requirements
• Full data audits
• Establish frameworks to address GDPR
• Align to Best practices
GDPR Transition Plan
• Develop a roadmap to smoothly implement GDPR once the gaps are known
• Privacy policy
Integration with other Frameworks
• You may already be doing a lot more than you think.
• Mapping of current framework with GDPR
• We will integrate GDPR framework with ISO 27001, Privacy practices, PCI DSS etc
GDPR Self Assessment / Certification
• Carry out a self assessment review of your GDPR implementation against the requirement and issue a review / certification report
Data Protection Officers
• We can provide data protection officers on a retainership basis to help with the implementations
• Recruit a full time DPO if needed
Privacy Impact Assessments
• Riskpro can perform one time or periodic Privacy Impact assessment as required by law
GDPR Implementation Approach
1. Gap Assessment
• We perform gap review against an exhaustive list of compliance items
2. Implementation Support
• Data Inventory, DPIA, Training, answers to your questions
3. Policies and Procedures
• Policies for Privacy Framework
• Policies for Information Security Framework
4. Compliance Audit
• A GDPR readiness compliance audit report that can be shared with your clients
What do I start with?
1. Each of the above phases can be optional and taken up in any order.
2. We can price our offering for each or any of the above four services.
• For example, implement GDPR on your own and take the Privacy policy Toolkit (item 3) from us as a Zip file.
• Or, you can get a GDPR gap review only to learn what you need to comply with.
Technical and Commercial Proposal for GDPR
GDPR Implementation Section
GDPR Project Approach – Baseline Offering
1. Gap Assessment
• Evaluate the Privacy Culture and control environment
• Assessment of Data Protection Maturity
• Gap Review against GDPR regulation and articles applicable
• Recommendations and roadmap
• Review of information security framework / Ability to protect data
2. Data Mapping & Privacy Assessment
• Data Inventory - Identify personal data across business processes and IT systems
• Review of data Inputs, processing and Outputs
• Tag Data Assets
• Client contracts, retention policy review
• Use of third party vendors and data transfers
3. Data Protection Framework
• Privacy governance and privacy policy
• Security Policies and Procedures
• Training and awareness
• Data Breach Handling and Reporting processes
• Privacy risk assessments and controls
• Reporting and Monitoring Controls
GDPR Project Approach – Extended Scope
4. Implementation Checks
• Outline implementation plan
• Support in Closure of Gaps
• One round of internal audit against GDPR compliance
5. Final GDPR Compliance Audit and Training
• Independent Assessment at operational and process level to GDPR guidelines
• Issuing final assessment report
• One page GDPR Compliance Certificate
• Half day or one day training on GDPR regulation
Key GDPR Project Deliverables (Milestone / Deliverable)
Gap Assessment
▪ Detailed recommendation of gaps and weaknesses relating to GDPR and data protection regulations
▪ A roadmap and overview of privacy program to meet privacy regulations
Personal Data mapping
▪ Data Flowcharts and Data Registers identifying all personal data across the company
Policies and Procedures & Implementation Support
▪ Privacy Policy / GDPR policy along with key privacy notices.
▪ Update to ISMS and Information Security Policies
▪ Data Retention policies
▪ Training material PPT and other awareness materials
▪ Incident Reporting and Data breach handling and reporting procedures
▪ Risk Assessments
▪ Consent / Data request handling procedures
▪ Privacy dashboards and reports to Senior Management and Board
▪ All key forms, formats and templates to run the privacy program.
Training sessions
▪ One to two rounds of GDPR and Data Protection Trainings across the company
Sample List of Policies provided as part of GDPR Consulting
Privacy Policies
◼ Data Protection / Privacy Policy / GDPR policy
◼ Automated Processing and Profiling Policy
◼ Privacy by Design / Privacy by Default
◼ Third Party Vendors - Privacy Assessments
◼ Privacy Impact Assessment Guidelines
◼ Privacy Self Assessment
◼ Data Inventory Procedures
◼ Cross Border Transfer Procedures
◼ Privacy Breach - Incident Response Plan
◼ Record Keeping Templates / Formats
◼ Important Privacy Notices
◼ Data Subject Access Rights Procedure
◼ Consent / Data request handling procedures
◼ All key forms, formats and templates to run the privacy program.
◼ Important clauses in agreements, third party contracts
Information Security Policies (Updates to existing policies)
▪ Information Security Policy with a focus on GDPR
▪ Network Security
▪ Access management
▪ Pseudonymisation, Minimisation and Encryption Policy
▪ Backup and DR Policy
▪ Data Classification Policy
▪ Data Retention Policy
▪ Internal Audit Procedures
▪ Risk Assessment Procedure
GDPR Training
Riskpro Training Credentials
▪ Leading Risk Management Training Company
▪ More than 20 Open House programs conducted across major metros
▪ Over 1,250 participants trained from most Public Sector Banks, Pvt Banks and Corporates
▪ More than 15+ in house trainings to major Corporates, Banks and Insurance Cos.
▪ More than 30 Trainer Faculty across Indian Cities
▪ Variety of training programs across Info Security, Credit, Basel, ERM, Governance, BCM etc.
▪ Cost Effective compared to most Companies
▪ Riskpro is a Corporate Entity with expert Trainers. Riskpro is not One Trainer Delivery
Riskpro Training Clients
Company Training Details
❑ One Day Fraud Risk Training in the Factoring Business
❑ In-depth understanding of fraud schemes, fraud prevention measures
❑ 4 Days intensive training on Operational Risks in Insurance Companies - Operations Department. Interactive sessions with Risk Assessment, Case
❑ One Day BCM Training to BCP Teams
❑ Three Days Credit Risk Analysis Training for Qatar National Bank, Doha Qatar
❑ Multiple 2 days and 1 day trainings on Operational Risk and Foundational Risk.
❑ Trained at both centres Bangalore and Hyderabad
❑ 3 Days Risk Management Conclave Workshop
❑ Covering entire Risk Management Process and Key Risk Factors such as Reputation Risk, Outsourcing risk, BCM
❑ 2 Days Training on Basel II, Credit Risk, Operational Risk
❑ RCSA Workshop
❑ Introduction to Basel II, Corporate Governance and AML/KYC
❑ Two Days in-depth Training on Anti Money Laundering Practices for their internal Staff in Gurgaon
❑ Highly interactive with numerous case studies
❑ Half day session on Managing Corporate Governance Risks at the Board level
❑ Similar trainings and programs at other public forums such as ASSOCHAM
❑ One Day intensive Enterprise Risk Management Training covering back office operations, Fund management services risks
❑ Half Day training on Key Risk Indicators at Corporate Office
❑ How to successfully choose effective KRI and implement KRI
❑ One Day training on Corporate Fraud Risks at the Company’s offsite
❑ Numerous case studies and interactive sessions
❑ Half Day session on Information Security for the Mumbai Office as part of Security Awareness Week.
❑ Two Days training on Anti Money Laundering (AML) and KYC for Fidelity
❑ Numerous case studies and interactive sessions
❑ 1 Day Risk Management Workshop
❑ Full Risk Management Process and Key Risk Factors such as Reputation Risk, Outsourcing risk, ERM & ISO 31000
❑ Pan India Training on Operational Risk Management (ORM) and Anti Money Laundering (AML) training to Branch executives
❑ More than 100 Bank Executives trained across three cities
❑ Interactive and exercise based sensitisation program
❑ Total 10 days Risk Management Training
❑ Senior Management Training for 2 Days on ERM / ISO 31000
❑ Company wide executives trained in multiple batches over 8 days
❑ More than 100+ executives trained across the company on Risk Management, ISO 31000, Reputation Risk and CSR
❑ High Impact Senior Management Training on the ERM / ISO 31000 framework
❑ 2 Days training to capture the essentials of a strong risk management framework.
❑ 2 Days Risk Management Workshop
❑ Full Risk Management Process and Key Risk Factors such as Reputation Risk, Outsourcing risk, ERM and ISO 31000
❑ 2 Days Risk Management Workshop
❑ Full Risk Management Process and Key Risk Identification
❑ One Day Risk Management Training / ISO 31000 Training
❑ Enterprise Risk Management Training with a focus on Strategic Risk, Reputation Risk and Outsourcing Risk
❑ One Day intensive Enterprise Risk Management Training at Sanand, Gujarat
❑ Training Led by Ex Head – Corporate Risk Management Larsen & Toubro
❑ Half Day - Board of Directors Training on Directors Responsibility Statement
❑ Section 134(5) and Risk Management
❑ Half Day – Anti Money Laundering and CERSAI KYC Training
❑ One Day intensive Enterprise Risk Management Training
❑ One Day Risk Management and Internal Controls Training
❑ One Day Fraud Risk Management Training
Training Agenda
First Half
❖ Introduction to GDPR
❖ Scope of GDPR
❖ Personal and Sensitive Data
❖ Privacy concepts and PII categories
❖ Global Readiness of GDPR
❖ Six principles / Privacy Principles and Accountability
❖ GDPR in Action
❖ Collecting and Processing Personal Data
❖ Data Collectors versus Data Processors
❖ Gap Assessment and Readiness Reviews
❖ Data audits - Inputs, Outputs and processing
❖ Data Subject Consents
❖ Processing Consents
❖ Right to withdraw and the right to be forgotten
❖ Minors and consent
❖ Data subject Consents
❖ Lunch
Second Half
❖ Advanced Concepts in GDPR
❖ Global best practices relating to data protection and privacy
❖ Privacy Impact Assessments (PIA)
❖ Cross Border Transfers
❖ Article 30 and Record Keeping
❖ Privacy by Design and By Default
❖ Third party contracts
❖ GDPR for Indian Companies – Practical Implementation
❖ Challenges for Indian companies for GDPR compliance
❖ Group Activity: 45 minutes workshop to debate issues for Indian Companies
❖ Data Breach and Reporting
❖ Identifying Data Breach
❖ Data Breach reporting
❖ End of Day, discussion and Feedback (15 mins)
Riskpro’s GDPR Clients
*Any trademarks or logos used throughout this presentation are the property of their respective owners
“Riskpro is helping Market Research, Analytics, SaaS platform companies with compliance to GDPR”
Other Related Services
Riskpro also does SOC Audits – SSAE 18
SOC 1
• Previously called SSAE 16
• Mainly financial reporting and operations related controls
SOC 2
• Trust Principles
• Defined list of criteria
• Restricted use
SOC 3
• Trust Principles
• Can be shared to general public and on website
Type of HIPAA Compliances
Extended Compliance
• Exposed to Electronic protected health information (ePHI).
• Has to implement many more process based as well as technical controls from the security/privacy rules.
• Riskpro also needs to see the physical location, since physical safeguards are also involved; hence a site visit is often required.
Simple Compliance
• If you only develop/sell the software that is used by clients in HIPAA processes, then the software and its implementation must have certain technical controls to be HIPAA compliant.
• For assessing a software system to be HIPAA compliant, Riskpro can take a checklist approach after understanding the situation.
HIPAA Framework – Where you need to be
Administrative Safeguards
§164.308(a)(1)(i) Security Management Process
§164.308(a)(2) Assigned Security Responsibility
§164.308(a)(3)(i) Workforce Security
§164.308(a)(4)(i) Information Access Management
§164.308(a)(5)(i) Security Awareness and Training
§164.308(a)(6)(i) Security Incident Procedures
§164.308(a)(7)(i) Contingency Plan
§164.308(a)(8) Evaluation
§164.308(b)(1) Business Associate Contracts and Other Arrangements
Physical Safeguards
§164.310(a)(1) Facility Access Controls
§164.310(b) Workstation Use
§164.310(c) Workstation Security
§164.310(d)(1) Device and Media Controls
Technical Safeguards
§164.312(a)(1) Access Control
§164.312(b) Audit Controls
§164.312(c)(1) Integrity
§164.312(d) Person or Entity Authentication
§164.312(e)(1) Transmission Security
Organizational Requirements
§164.314(a)(1) Business Associate Contracts and Other Arrangements
§164.314(b)(1) Requirements for Group Health Plans
Policy, Procedures, & Documentation
§164.316(a) Policy and Procedures
§164.316(b)(1) Documentation
Riskpro Clients – Banking / Insurance, Banking - Intl
“Riskpro helps a mid sized Bank in Abu Dhabi implement Basel II covering credit risk, market risk and Operational Risk. The project was carried out for over a year”
Riskpro Clients – Corporate / MNCs
“Legal Compliance Software is a must today. Riskpro, through its partner firms has implemented the software in several Corporates”
“Internal Financial Controls (IFC) is critical to effective financial reporting. Riskpro has helped several listed companies with IFC compliance”
Resumes
Manoj Jain, Founder and Director
▪ CA, CPA, MBA-Finance (USA), FRM (GARP)
▪ Over 10 years international experience – 6 years in Bahrain and 4 years USA
▪ 18 years exp in risk management consulting and internal audits, Specialization in Operational Risk, Basel II, Sox and Control design
▪ Worked for Ernst & Young (Bahrain), Arab Investment Company (Bahrain), Navigant Consulting (USA), Kotak Mahindra Bank (India) and Credit Suisse (India)
▪ Sox Compliance project for Fannie Mae, USA ($900+ Billion Mortgage Company)
Casper Abraham, Co Founder and Director
▪ PGD (Electrical & Electronics & Computer Programming)
▪ 30 years of experience in Information & Communications Technology (ICT) Solutions for Retail, Garments, Manufacturing, Services Industries.
▪ Has created Companies, Divisions, Products, Brands, Teams & Markets.
▪ Consulting in Business, Technology, Marketing & Sales & Strategic Planning.
▪ Advisory, Training, Workshops & Implementation in Systems Thinking, Systems Modeling & Balanced Scorecard
▪ Worked with TIFR, Mahindra, Ambience, Communico-Graphique & Ionidea In
M- 98450 61870
Shriram Gokte, Executive Vice President – IT Risk Advisory
▪ BTech MBA (USA)
▪ 22 years of work experience, 16 of which were in risk management domain, 11 years of global experience in USA & UK
▪ Ex Chief Risk Officer of Birla Sun Life Insurance & CMS Info System.
▪ Managed Risk & Compliance for two UK based insurance KPOs (Paternoster India & JLT India)
▪ Core expertise in ERM, Capital Valuation, Operational Risk, Information Security, BCM, Governance & Internal Audit
▪ CISA, CIA, CMA, FLMI, MBCI qualified
M- 98209 94063
Rita Shewakramani, Executive Vice President – Risk Advisory
▪ Chartered Accountant, a Certified Internal Auditor (CIA) and a Certified Risk Mgmt Professional (CRMA).
▪ She has around 15 years of post qualification experience into Internal Audits, Risk, Application Reviews, Operations / Process / Internal control reviews, Fraud Investigations.
▪ She has worked with consulting firms like Baker Tilly Singhi Consultants Pvt Ltd, Price Waterhouse Coopers, EY, Aneja Associates and Corporates like Reliance (Internet Exchange), GE Capital, CMS Computers etc
R. Muralidharan, Executive Vice President - Banking
▪ Ex-Head of Integrated Risk Management department at Bank of Maharashtra
▪ Responsible for implementation of Risk management guidelines issued by RBI from time to time on Credit risk, Market Risk and Operational risk and reporting regularly to Risk Management Committee of the Board and Board of Directors.
▪ Put in place all policies relating to Risk Management, ALM Policy, ICAAP Policy; Stress Testing Policy, Business Continuity Planning Policy, Outsourcing Policy.
M- 95660 77326
Lalit Dua, Executive Vice President – Internal Audit and Risk Management
▪ Extensive and exclusive experience of Internal audit, Risk advisory and Governance processes. Done investigations also
▪ Worked in India and abroad with diversified business groups including manufacturing, Real Estate, Pharma, Automotive, Telecom
▪ Experience in setting up of IA department from scratch and establishing the same as a value adding service department
▪ Conducted risk assessment exercises, facilitated defining and implementing mitigation plans and setting up of monitoring mechanism
▪ Experience of reviewing MIS, annual operating plan, Capex and Opex budgets
M- 91677 32884
Ananda Goswami, Executive Vice President – Risk and Internal Audit
▪ FCMA, CIA, CFE-Retired, CMA, CertIFRS and AWS Solutions Architect Associate.
▪ Extensive experience in a wide range of MNCs and Big Four Accounting and Audit Firms.
▪ Overseas experience in USA, UK, South Africa, China and UAE.
▪ IT Systems Professional with ERP implementation experience in the US, Canada and the UK.
▪ Specialized in Fraud Risk Management.
▪ Cloud Security through Architecture and Design.
M- 9007501581
Ankit Manglik, Senior Vice President
▪ CA, CIA, CFE and CISA
▪ Ankit has over 15 years of risk management and internal audit experience, SOX & SSAE compliance, fraud reviews, regulatory compliance reviews, external
▪ He has headed the audit function for a midsize financial services company and the captive offshore unit of ANZ Bank, one of the big 4 Australian banks. He has also worked in PWC for 8 years and Hewlett Packard for 3 years.
▪ Ankit has extensive experience with internal audit in financial services and back office operations and has set up internal audit functions for captive units of four different companies.
M- 98804 01236
Vivek Dixit, Executive Vice President – Risk Management and Governance Advisory
▪ B.Com; DFM. Numerous Work related and Leadership trainings in Corporate World.
▪ Experienced, multi faceted, techno functional corporate professional with 30 yrs in the industry. Worked in top notch organizations viz. Dell, Microsoft, IBM, Atos (Origin), Ingersoll-Rand, Siemens. Played various roles, and managed multi locational and multi cultural teams. Global judge for certification of YB and GB Six Sigma projects in Dell.
▪ Associated with PMI significantly. Initially Vice President of PMI-Pearl City Chapter when it was started. Invited as a Speaker for various PMI events. Ex-Professor of Project Management, Project Operations Management for MBA students.
M- 88066 73322
Kedar Tokekar, Senior Vice President – Information Security and Data Privacy
▪ BE, CISM, LA (Trained) - ISO 27001:2013, ISO 22301:2012, BS 10012:2009, ISO 14001, EU GDPR Foundation Course, Six Sigma Black Belt
▪ A qualified Information Security and Privacy professional with 20 years of rich experience in driving various strategic initiatives across the organization like implementation of ISO 27001, SSAE 16 / ISAE 3402 Type I & II, Data Protection Compliances, Privacy shield and GDPR with leading organizations in HRO, BPO, IT and Manufacturing industry
▪ Worked for Hexaware Technologies, WNS, Neeyamo and Mahindra & Mahindra
M- 9923202685
Dhiraj Satnalika, AVP – Internal Audit and Risk Management
▪ Qualified Chartered Accountant and Company Secretary having 8 plus years experience in the field of auditing, risk advisory and business consulting.
▪ Prior to joining Riskpro, he has worked for Axis Risk Consulting (Now Genpact ERC), EY, KPMG, Mazars and SOS Kinderdorf International.
▪ He has diversified experience in Healthcare, Retail/E-Commerce, BPO/KPO, Manufacturing, Development Sector, Hospitality and Insurance
M- 8826016982
Key Contacts
Corporate: Riskpro India Ventures (P) Limited, www.riskpro.in, B-44, Glaxo Building, Near Mt. Mary’s Steps, Bandra West, Mumbai 400050
Offices: Mumbai, Bangalore, Delhi, Pune, Chennai, Hyderabad, Ahmedabad, Kolkata
Manoj Jain, Director, M- 98337 67114
Shriram Gokte, EVP - Risk Management, M- 98209 94063
Lalit Dua, EVP - Internal Audit & Risk Advisory, M- 916773288
Rita Shewakramani, EVP - Risk Advisory, M- 98204 85504
Casper Abraham, Director, M- 98450 61870
Ankit Manglik, SVP - Audit & Risk Management, M- 9880401236
Dhiraj Satnalika, AVP – Internal Audit & Risk Management, M- 8826016982 / 8826799982
M. L. Jain, Principal – Strategy, [email protected]
Vivek Dixit, EVP - Risk and Governance, 880 667 [email protected]
R. Muralidharan, EVP – Risk Management, M- 95660 77326
PN Venkataraghavan, EVP - Banking & Risk, M- 98840 72990
Anand [email protected]
Manoj Kumar
Ananda Goswami
Let’s Innovate Together
If you have substantial risk management experience and want to join a growing consulting firm, send an email to [email protected] and let’s join hands and innovate together.