The Impact of GDPR Compliance on IT and ...
TRANSCRIPT
© 2017 MetricStream, Inc. All Rights Reserved.
Experts on Panel
Bojana Bellamy, President, Centre for Information Policy Leadership
Vibhav Agarwal, Director, MetricStream
Agenda
• The effect of GDPR on IT and security teams
• Technical and security measures to support data protection
• The interaction between IT and IS with data privacy compliance and legal
• A risk-based approach to GDPR compliance
• Q&A
CIPL at a glance
A global privacy and security think tank with active global reach
• 55+ member companies
• 5+ active projects and initiatives
• 20+ events annually
• 15+ principals and advisors
We SHAPE privacy policy, law and practice
We CREATE and implement best practices
We INFORM through publications and events
We NETWORK with global industry and government leaders
Bridging regions; bridging industry and regulators; bridging privacy and data-driven innovation
Twitter.com/the_cipl
https://www.linkedin.com/company/centre-for-information-policy-leadership
www.informationpolicycentre.com
2200 Pennsylvania Ave NW, Washington, DC 20037
Park Atrium, Rue des Colonies 11, 1000 Brussels, Belgium
30 St Mary Axe, London EC3A 8EP
ABOUT US
• The Centre for Information Policy Leadership (CIPL) is a global privacy and security think tank
• Based in Washington, Brussels and London
• Founded in 2001 by leading companies and Hunton & Williams LLP
• CIPL works with industry leaders, regulatory authorities and policy makers to develop global solutions and best practices for data privacy and responsible use of data to enable the modern information age
www.informationpolicycentre.com
Key GDPR Changes at a Glance
Harmonisation and progressive aspects
• Harmonised rules, but not fully (e.g. employee data, children's data)
• One Stop Shop: Lead DPA for pan-European matters, in cooperation with other DPAs; local DPA for local matters and redress for individuals
• Risk-based approach
• Some reduction of administrative burden (no national registration of processing or prior authorisation)
• BCR, seals and certifications
• Greater cooperation and consistency by DP regulators
Broader scope
• Obligations on both controller and processor
• Extraterritorial application to foreign controllers and processors
• Wider definition of personal data and sensitive data; anonymous data and pseudonymisation (pseudonymised data remains personal data, because the key or other additional information held by the controller can re-identify the individual)
• Processing data of children under 16 requires parental consent (for online services offered directly to a child where consent is the legal basis; member states may lower the age to no less than 13)
Increased obligations
• DP principles tightened (consent, transparency/notices)
• Profiling rules
• Privacy Impact Assessment (the GDPR term is Data Protection Impact Assessment, DPIA)
• Privacy by Design
• Breach notification to DPAs and individuals
• Direct obligations and liability for processors
• Accountability: privacy programme
• Internal record of processing
• DP Officer
Strengthened rights of individuals
• Right to erasure
• Data portability
• Right not to be subject to automated decision-making
• Right to object
Increased enforcement, fines, liability
• Regulatory fines up to 4% of annual worldwide turnover (or EUR 20 million, whichever is higher)
• Individual action
• Class action
• Criminal sanctions (in national laws)
• Larger role for the European Data Protection Board (EDPB)
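Pseudonymisation is the one item on this slide that IT implements directly, and it is routinely done wrong: an unkeyed hash of an e-mail address is called "anonymisation" even though anyone with a list of candidate addresses can recompute it. The following is an added example, not code from the deck, the speakers or CIPL. It assumes a controller that wants to hand a customer data set to an analytics team without the e-mail addresses while still being able to answer access and erasure requests; the records, the attacker's candidate list and the weak keys tried are all constructed for the demo.

```python
"""Keyed pseudonymisation versus unkeyed hashing.

Added example, not code from the CIPL/MetricStream deck. It assumes a
controller that wants to share a customer data set without the e-mail
addresses, while still being able to answer access and erasure requests.
Records, the attacker's candidate list and the guessed keys are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (not real people).
RECORDS = [
    {"email": "alice@example.com", "country": "DE", "spend_eur": 120},
    {"email": "bob@example.org", "country": "FR", "spend_eur": 45},
    {"email": "carol@example.net", "country": "IE", "spend_eur": 310},
]

# What a re-identification attacker plausibly holds: another leaked or
# purchased list of addresses (constructed).
CANDIDATES = ["alice@example.com", "bob@example.org",
              "carol@example.net", "dave@example.com"]


def _normalise(email: str) -> bytes:
    return email.strip().lower().encode()


def naive_hash(email: str) -> str:
    """Unkeyed SHA-256 of the address: often labelled 'anonymised', but
    anyone who can guess the address can recompute it."""
    return hashlib.sha256(_normalise(email)).hexdigest()


def keyed_pseudonym(key: bytes, email: str) -> str:
    """HMAC-SHA256 under a secret key. The same key gives the same pseudonym,
    so records about one person stay linkable for analytics."""
    return hmac.new(key, _normalise(email), hashlib.sha256).hexdigest()[:32]


def reverse_by_enumeration(tokens, candidates, keys=(None,)):
    """Re-identify tokens by recomputing them for every candidate address.
    A key of None means the unkeyed hash; other entries are guessed keys.
    Returns {token: email} for every token that matched."""
    table = {}
    for k in keys:
        for c in candidates:
            token = naive_hash(c) if k is None else keyed_pseudonym(k, c)
            table[token] = c
    return {t: table[t] for t in tokens if t in table}


class Pseudonymiser:
    """Controller side. The key and the lookup table stay with a key
    custodian, separate from the analytics store (Art. 4(5) GDPR requires the
    additional information to be kept separately). Because the controller can
    still resolve a pseudonym to a person, the shared data remains personal
    data: it is pseudonymised, not anonymised."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use at least 256 bits of key material")
        self._key = key
        self._lookup = {}  # pseudonym -> email, never shipped with the data

    def pseudonymise(self, records):
        shared = []
        for r in records:
            pid = keyed_pseudonym(self._key, r["email"])
            self._lookup[pid] = r["email"]
            shared.append({"subject_id": pid,
                           **{k: v for k, v in r.items() if k != "email"}})
        return shared

    def resolve(self, pseudonym: str):
        """Answer an access or erasure request for a given subject_id."""
        return self._lookup.get(pseudonym)


def demo():
    """Run both approaches on the constructed data and return the outcomes."""
    # 1. Unkeyed hashes: fully re-identified from the candidate list.
    hashes = [naive_hash(r["email"]) for r in RECORDS]
    recovered_naive = reverse_by_enumeration(hashes, CANDIDATES)

    # 2. Keyed pseudonyms: the attacker can only try guessed keys.
    p = Pseudonymiser(secrets.token_bytes(32))
    shared = p.pseudonymise(RECORDS)
    ids = [r["subject_id"] for r in shared]
    recovered_keyed = reverse_by_enumeration(
        ids, CANDIDATES, keys=(None, b"secret", b"password", b"changeme"))

    return {
        "recovered_naive": len(recovered_naive),              # 3
        "recovered_keyed": len(recovered_keyed),              # 0
        "email_in_shared": any("email" in r for r in shared),  # False
        "resolved_first": p.resolve(ids[0]),                  # alice@example.com
    }


if __name__ == "__main__":
    print(demo())
```

The design point is the separation: the analytics store holds only `subject_id` values, the key custodian holds the key and the lookup table. Rotating the key breaks linkage with older extracts, which is desirable when a data set is retired but means joins across extracts need the custodian's help.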
CIPL GDPR Project Deliverables to Date
5 workshops and working sessions
• Amsterdam (kick-off), Paris (DPO, risk), Brussels (certifications), Madrid (transparency, consent, legitimate interest), Dublin (smart regulation)
5 CIPL papers submitted to WP29
• DPO
• Risk and DPIA
• One Stop Shop and Lead DPA
• Certifications
• Transparency, consent, legitimate interest
4 CIPL responses to WP29 guidance
• DPO, data portability, Lead SA, DPIA
ePrivacy Regulation consultation response
GDPR Readiness Survey report
3 CIPL papers in progress
• Smart regulation
• ePrivacy Regulation
• Profiling and automated decision-making
GDPR: Key Areas of Strategic Impact
• DP programme as corporate digital responsibility: DPO led, documented, risk-based, verified, demonstrated
• Data transfers strategy
• Data strategy and Big Data enablement
• DPIA and risk assessment
• Privacy engineers
• Vendor management
• Breach management
• DPA relationship management
• Legal uncertainty and disputes management
• Impact and interaction with the global programme
CIPL & AvePoint Joint GDPR Readiness Survey, Oct 2016
[Chart: readiness versus level of impact for individual rights, data breach notification, privacy management programme, and use of / contracting with processors]
Legitimate interest, Privacy by Design, DPIA and risk: the main areas requiring most clarification
Senior management key concerns:
• Enhanced sanctions
• Data breach reporting
• Stricter rules on consent & data reuse
• Individual rights
• Changes to internal privacy programme
Accountability in GDPR – Privacy Programme
Controllers must:
• Be responsible for compliance with GDPR
• Implement appropriate and effective technical and organisational measures to comply with the GDPR
• Demonstrate compliance & effectiveness of the measures
Taking into account:
• The nature, scope, context, and purposes of the data processing
• The risk to individuals: physical, material or non-material damage
Compliance Tools, Technology, Software
Currently organisations do not widely use, or have access to, technology tools and software to aid with data privacy compliance tasks.
Only a minority use technology to automate and industrialise:
• DPIAs
• Data classification and tagging policies
• Data processing records / inventories
• Delivery of the new data portability right
Where else can technology help? Right of access, consent management, privacy transparency dashboards, privacy programme demonstration, etc.
GDPR – Opportunity to Rethink Data Privacy and Information Management Strategy
• Enable new business models, digitalisation and data innovation
• Address expectations for increased transparency, user control and value, corporate responsibility
• Ensure data sustainability and digital trust
• Address regulatory changes: impact and implementation
• Mitigate legal, commercial and reputational risks
Systematic Changes Ahead for Organisations
• Greater need for managing external engagement and relationships (DPAs, EDPB, individuals, media, privacy advocates)
• DP Officer (DPO) becomes a more strategic, senior and multi-skilled role
• Holistic and joined-up approach between CIO, CISO, CDO, CMO, CPO, Legal and communications / media relations
• DP becomes a board-level issue: higher enterprise risk; larger business, legal and compliance impact; security breach notification and management
• DP becomes a business issue, with wide impact on the company's globalisation, digital transformation and data strategy
• GDPR implementation requires a company-wide change management programme
EU GDPR - Key Red Flags for IT, CIO, CISO
• Coordinated action by DPO, CIO, CISO
• Wide regulated personal data
• Internal inventory of processing
• Privacy Impact Assessments, based on risk to individuals
• Privacy by Design and Privacy by Default
• Security breach management & notification
• Third party providers (software and services)
• Tension between privacy and security
Holistic Approach to Privacy and Security
• Protecting assets and information creates privacy risks
• Enabling business growth and innovation
• Privacy can be breached without a breach of security
• Two sides of the same coin
• There is no privacy without security
[Diagram: convergence, conflict and governance between privacy and security; privacy > security]
GDPR Compliance Steps
• Understand your data, its relevance and the risks: customers, employees, third-party contacts, website users
• Create and maintain accurate records of processing
• Appoint a DPO, or allocate responsibility for DP compliance
• Establish a legal basis for each data processing activity: consent, legitimate interest, contract necessity, etc.
• Draft privacy notices and policies for individuals
• Create DPIA processes / templates and carry out DPIAs for existing and new processing and new projects
• Draft vendor DP due diligence and contracting templates
• Create legal mechanisms for sharing data globally
• Establish procedures for the rights of individuals
• Develop and test breach response and notification procedures
• Training and communication for staff and relevant functions
• Ongoing compliance and monitoring / auditing
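The first steps above (know your data, keep records of processing, fix a legal basis per activity, run DPIAs, cover transfers) are the ones the earlier slide says only a minority automate. They are checkable once the register is kept as data rather than as a slide or spreadsheet. The block below is an added example, not from the deck, the speakers or MetricStream's product: a register of processing activities held as plain dicts, with checks mapped to those steps. The field names, the rule set and the three sample activities are this example's own assumptions, not a standard schema.

```python
"""Record-of-processing register with automated checks.

Added example, not code from the CIPL/MetricStream deck. Assumed schema: one
dict per processing activity with the fields Art. 30 GDPR asks for, plus a
few flags the checks below use. The sample activities are constructed.
"""

# Art. 6(1) legal bases.
LEGAL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
               "public_task", "legitimate_interest"}
# Art. 9 special categories (as this example tags them).
SPECIAL_CATEGORIES = {"health", "biometric", "genetic", "racial_or_ethnic_origin",
                      "political_opinions", "religious_beliefs", "trade_union",
                      "sex_life", "sexual_orientation"}
# Chapter V transfer mechanisms this example recognises.
TRANSFER_MECHANISMS = {"adequacy_decision", "bcr", "standard_contractual_clauses",
                       "explicit_consent"}
# EU member states plus Iceland, Liechtenstein and Norway. The deck predates
# Brexit; treat the UK according to its status when you run this.
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
       "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
       "SI", "ES", "SE", "IS", "LI", "NO"}
# Fields every activity must carry (Art. 30(1) content, simplified).
REQUIRED = ("name", "purposes", "legal_basis", "data_subjects", "data_categories",
            "recipients", "retention", "security_measures")

# Constructed sample register: one clean activity, two with findings.
REGISTER = [
    {"name": "customer-orders", "purposes": ["fulfil orders"],
     "legal_basis": "contract", "data_subjects": ["customers"],
     "data_categories": ["contact", "payment"], "recipients": ["payment processor"],
     "retention": "7 years after last order",
     "security_measures": "encrypted at rest, role-based access",
     "transfers": [{"country": "IE"}]},
    {"name": "marketing-profiling", "purposes": ["targeted offers"],
     "legal_basis": "legitimate_interest",
     "data_subjects": ["customers", "website users"],
     "data_categories": ["browsing", "purchases"], "recipients": ["ad-tech vendor"],
     "retention": "24 months", "security_measures": "pseudonymised identifiers",
     "high_risk": True, "transfers": [{"country": "US"}]},
    {"name": "employee-health-records", "purposes": ["sick-leave administration"],
     "legal_basis": "legal_obligation", "data_subjects": ["employees"],
     "data_categories": ["health"], "recipients": ["payroll provider"],
     "retention": "", "security_measures": "HR system, restricted access"},
]


def check_activity(a):
    """Return a list of findings for one activity (empty list means clean)."""
    findings = []
    for f in REQUIRED:
        if not a.get(f):
            findings.append(f"missing {f}")
    basis = a.get("legal_basis")
    if basis and basis not in LEGAL_BASES:
        findings.append(f"unknown legal basis {basis!r}")
    # Legitimate interest needs a documented balancing test (LIA).
    if basis == "legitimate_interest" and not a.get("lia_reference"):
        findings.append("legitimate interest without a documented balancing test")
    # Art. 8: consent for under-16s must come from the holder of parental responsibility.
    if basis == "consent" and a.get("children_under_16") and not a.get("parental_consent"):
        findings.append("consent from children under 16 without parental consent")
    # Art. 9: special categories need one of the Art. 9(2) conditions.
    if set(a.get("data_categories", ())) & SPECIAL_CATEGORIES and not a.get("article_9_condition"):
        findings.append("special-category data without an Article 9 condition")
    # Chapter V: anything leaving the EEA needs a transfer mechanism.
    for t in a.get("transfers", ()):
        if t["country"] not in EEA and t.get("mechanism") not in TRANSFER_MECHANISMS:
            findings.append(f"transfer to {t['country']} without a transfer mechanism")
    # Art. 35: high-risk processing (e.g. profiling) needs a DPIA on file.
    if a.get("high_risk") and not a.get("dpia_reference"):
        findings.append("high-risk processing without a DPIA reference")
    return findings


def check_register(register):
    """Map activity name -> findings, for activities that have any."""
    report = {}
    for a in register:
        findings = check_activity(a)
        if findings:
            report[a.get("name", "<unnamed>")] = findings
    return report


if __name__ == "__main__":
    for name, findings in check_register(REGISTER).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run in CI against the register file, this turns "ongoing compliance and monitoring" into a failing build whenever someone adds a processing activity without a basis, a retention period or a transfer mechanism. The rules are deliberately coarse; a DPO will refine them, but a register that cannot be machine-checked at all is the more common problem.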
Thank you
Bojana Bellamy, [email protected]
Centre for Information Policy Leadership, www.informationpolicycentre.com
Hunton & Williams Privacy and Information Security Law Blog, www.huntonprivacyblog.com
Follow us on Twitter: @THE_CIPL
Follow us on LinkedIn: linkedin.com/company/centre-for-information-policy-leadership
[Chart: Top Concerns of CIOs within Enterprises (source: cioinsights.com)]
Key Requirements for GDPR
• Centralised repository / library of articles, controls and requirements for GDPR compliance
• Establish an integrated framework to conduct Data Protection Impact Assessments (DPIAs) through surveys and questionnaires
• Enable the implementation of robust data privacy processes and controls
• Generate delta control reports, as well as other reports and dashboards, to assess GDPR compliance
• Manage issues generated from risk and control assessments
GDPR - Focus on Key Areas
Two phases: assess compliance, then ongoing compliance.
• Data privacy risks, controls & process setup: update the risk register, control register and process register with GDPR data
• Data Protection Impact Assessments: perform survey-based impact assessments across assets and processes, across business units and third parties
• Risk assessments: workflow to assess enterprise & IT risks quantitatively, based on inherent factors and control effectiveness
• Controls compliance: comprehensive, extended, org-wide controls assessment process for GDPR-related controls
• Data protection audits: addition of testing strategies and steps to audit the data breach response plan and PII storage
Implementation of an Industry Standard Solution
[Diagram of solution components: management reporting; data privacy impact assessments; relational data model; controls compliance & risk assessment; centralised IT repository; third party compliance assessment]
Way forward…
• Strategy: define the overall management strategy for managing GDPR compliance
• Design: create a risk and compliance process, with ownership and governance, to meet the GDPR mandate
• Implement: implement a technology solution to ensure traceability and accountability across the workflow
• Assess: assess IT controls and IT risks, leveraging the latest controls, questions and procedure libraries
• Monitor: monitor the assessments and perform management reporting via reports and dashboards
Delivered through consultancy and a technology solution.
About MetricStream
Vision: Integrated Governance, Risk and Compliance for Better Business Performance
Solutions
• Risk Management
• IT Risk Management
• Business Continuity Management
• IT Compliance Management
• SOX Compliance Management
• Enterprise Risk Management
• Internal Audit Management
• Compliance Management
• Policy and Document Management
• Regulatory Change Management
Organization
• Over 1,400 employees
• Headquarters in Palo Alto, California, with offices worldwide
• Over 400 enterprise customers
• Privately held – backed by global leading VCs, Sage View Capital, Goldman Sachs
Differentiators
• Technology: GRC Platform, 9 patents
• Breadth of solutions: single vendor for all GRC needs
• Cross-industry best practices and domain knowledge
• ComplianceOnline.com, the largest compliance portal on the web
Partners
MetricStream GRC Summit 2017
Date: November 6 - 7, 2017
Location: Lancaster London Hotel, London, UK
Register now: www.grc-summit.com (use discount code WEB200 to register for just £599)
2 days, 60 speakers, 50 sessions, 250 attendees
GRC for High Performers
Topics in discussion include:
• Is your company ready for GDPR – A Chief Privacy Officer's Perspective
• Emerging audit trends and challenges
• Converging across emerging and evolving risks – building an enterprise strategy
Q&A
Thank you for participating!
A copy of this presentation will be made available to all participants in the next 48 working hours.
For more details on upcoming MetricStream webinars: http://www.metricstream.com/events/webinars
Bojana Bellamy, President, Centre for Information Policy Leadership
Vibhav Agarwal, Director, MetricStream
Contact Us:
Website: www.metricstream.com | Email: [email protected]
Phone: USA +1-650-620-2955 | UAE +971-5072-17139 | UK +44-203-318-8554
THANK YOU