Accelerating the Path to GDPR Compliance

  1. Accelerating the Path to GDPR Compliance 03/19/2018 - Hernan Huwyler - Cyprus
  2. What does May 25th 2018 mean? Demonstrate compliance efforts
     • Documented privacy program
     • Documented legal basis for processing activities
     • Ongoing data lifecycle management according to the privacy policy
     • Data consents
     • Monitoring data flows and audit trails
     • Data privacy impact assessment procedure
     • Incident response and breach notification procedure
     • Privacy audits plan
     • Budget for privacy control maintenance
     #GDPR at @DeloitteCY
  3. What does May 25th 2018 mean? End of the readiness actions
     • Appointment of a Data Protection Officer > mandatory or voluntary
     • Implemented procedures to support new rights of data subjects
     • Updated records of processing activities
     • Checked consent procedures
     • Updated privacy notices and statements
     • Renegotiated contracts with 3rd parties
     • Reviewed user access and data quality
     • Minimized data breach risks and completed de-risking actions
     • Completed training and awareness
  4. Need to define the priority of GDPR compliance in the corporate data security program
  5. Tips for data governance: accountability
     • Clear ownership of data in the privacy policy to coordinate GDPR compliance efforts
     • Data custodian for technical control > system administration and technical measures such as encryption and backups
     • Data owner for functional control > data management practices to comply with GDPR
     • All types of data > ERP/CRM, cloud, on-premises, big data, and unstructured data
     • Involve project stakeholders
  6. Tips for data governance
     [Data lifecycle diagram: Collect > Store > Use > Transfer > Destroy. Actors: the data subject (providing personal information, privacy preferences), the data controller (privacy policy, internal rules, GDPR requirements, legitimate interests, safeguarding controls, accountability) and the data processor (assuring privacy and compliance controls).]
  7. Tips for discovery efforts: a good map of records of processing activities (ROPA) saves time
     • Track personal information from the data subject through processes, systems and databases
     • Consider all techniques
       • Interviews and workshops with data owners and process experts > accelerate with surveys
       • Functional documentation and data flow maps
       • eDiscovery
     • Classify data > confidential, restricted, private, public
     • New personal data > online identifiers, location, biometric
     • Prepare to maintain the records of processing activities
  8. Tips for discovery efforts: what to record in the ROPA
     Essential
     • Inventory > definition, data subjects, category and contact details
     • Purpose and legal basis
     • Data flow to/from
     • Disclosed to
     • Retention period
     • Security measures
     Good to add
     • Owner, custodian and BU
     • Notice, choice and consent
     • Collection mechanism
     • Technical information of data > format, structure
     • Storage location > paper archives, cloud, in-house, server, networks, email, country
     • Storage medium
     • Security classification > confidential, restricted
     • Source > system generated, manual input
     • Where data is processed
     • Collected by
     • Used by
     • Deletion type
     • Audit trail
     • Volume > gigabytes, records
     • Transfer > recipients, countries, contract details, processor/controller relationship
     • Privacy risk rating
  9. Tips for discovery efforts: questions to ask
     • Who are the data subjects? Who has access to their personal data?
     • Where is the personal data stored? Where is the personal data transferred?
     • Why is the personal data under the organization's control?
     • When is the personal data kept until? When is it shared with third parties?
     • What safety mechanisms and controls are in place?
 10. Tips for de-risking: discard irrelevant personal data to reduce risks
     • Minimize the collection and holding of personal information
     • Validate the need for relevant personal data with business owners
     • Keep cardholder data storage to a minimum
     • Delete duplicate copies, personal copies and just-in-case backups
     • Create a workable document retention policy for comprehensive categories of documents
     • Group actions logically
     • Use last access time metadata in files and databases
 11. Tips for privacy risk-approach: identify the crown jewels
     • Personal data that makes money
     • Major business impact if compromised
     • Clients, prospects, marketing database
     • Financial data
     • Human resources
     • Large consolidated databases
     • Special category data
 12. Tips for privacy risk-approach
     [Classification matrix. Axes: personal information classification (non-public, restricted, sensitive) against business value (low: easy to replace and infrequent access; high: commercially critical and frequent access). Cells: crown jewels, high value, medium value, low value. Datasets plotted: CRM database, financial data, health, payroll and tax, vendor database, insurance, contact directory, employee travel, website visitors, GPS monitoring, office visitors, cameras.]
 13. Tips for going live: top-down risk-based approach
     • Risk impact on data subjects' rights
     • Prioritize remediation plans to riskier areas
     • Most sensitive data, most shared, most records
     • Follow infosec standards > ISO 27001/2 & 29100
     • Test procedures to address subject access requests and data breach notification > are they scalable?
     • Operationalize changes such as data protection by design and DPIAs
     • Validate data transfers
     • Scramble, anonymize and pseudonymize
     • Tools for vulnerability scanning on infrastructure and networks
 14. Priority matrix
     [Matrix of effort (low, medium, high) against risk (low, high). Quadrants: do now, plan now, plan major project, fill in, delegate. Items plotted: privacy policy, data ownership, training, privacy audits, DPIA policy, binding corporate rules, data consents, data flow monitoring, DPO training, contract review, awareness, incident management, notices.]
 15. Team organization
     Implementation team
     • GDPR steering committee
     • Core team (cross-functional)
     • Compliance, infosec and change management > consultants
     • Supporting functions
     • Risk, audit, IT, HR, legal, procurement, marketing
     • Across BUs
     • Build or repair strategy
     • Manage implementation work streams
     Tip > separate budgets
     Operation team
     • GDPR sponsor at the board > legal director, CIO, CFO
     • Data protection officer, privacy leader or GDPR compliance unit
     • Maintenance of compliance and security controls
     • Centralized or not strategy
     • Clearly defined roles
 16. RACI matrix for coordination
     [RACI matrix for the GDPR implementation program. Activities: analyze gaps (changes), assess compliance risks, design the implementation program, define technical measures, monitor program milestones. Roles: steering committee, implementation team, DPO, CISO. The cell assignments (R/A/C/I) are not recoverable from the slide text.]
 17. SAP example: mapping personal information
 18. SAP and GDPR
     Assess
     • Privacy risk assessment
     • Profiles
     • Data category with data classification label
     • Access control with strong authentication
     • Security setting evaluation
     Prevent
     • Encryption, pseudonymisation, anonymization, and data masking
     • Access control
     • Privileged access control
     • Data retention and deletion policies
     • Segregation of duties
     Detect
     • Auditing
     • Activity monitoring
     • Vulnerability scanning
     • Alerts for anomalous activities
 19. Technical documentation
     Master tables
     • Customers > KNA1, KNBK, KNVK
     • Vendors > LFA1, LFBK
     • Addresses > ADRC, ADR2, ADR3, ADR6
     • Business partners > BP000, BP030
     • Users > USR03
     • Credit cards > VCNUM
     Tip: Use Where-Used List for Domain in Tables (RSCRDOMA)
     Scope
     • Environments > SAP ERP Central Component (ECC), Business Intelligence (BI), Customer Relationship Management (CRM), digitalized documents, testing/pre-production
     • Backups
     • Legacy systems
     • Customized functionalities
     SAP HCM infotypes
     • Ethnic origin, military status, and disability > infotypes 0002 and 0077
     • Severely challenged persons > 0004
     • Addresses > 0006
     • Bank details > 0009
     • Related person > 0021
     • Internal medical services > 0028 + all the subtypes
     • Residence status > 0094
 20. Audit access rights to t-codes and objects
     Master tables
     • Create, change and display customers, prospects, and contact persons > XD0*, VD0*, VAP*
     • Customer reports > S_ALR_87012179, S_ALR_87012180
     • Create, change, and display vendors > XK0*, MK0*
     • Vendor report > S_ALR_87012086
     • Maintain general tables > SE11, SM30, SM31
     • Browse data > SE16
     SAP HCM
     • Create, change, and display employee > PA10, PA20, PA30
     • Create, change, and display candidate > PB10, PB20, PB30
     Tips
     • Validate with the data owner
     • Explain the least privilege principle
     • Obtain or update consents for SAP users
     • Activate SAP logs
 21. Encryption
     Unstructured data
     • Reports from SAP data
     • Data transfers (ETLs)
     • Document management systems (e.g. Documentum)
     Databases
     • SAP tables
     • SAP log
     • Testing environment
     Encryption at data level, not only at server level
     Tip > before encrypting, purge productive environments of old data (according to the document retention policy)
     SAP Cloud Platform
     • Used during cloud instances
     • Applications built by SAP partners
     • Interfaces with eCommerce solutions (e.g. Amazon, Azure)
 22. Data scrambling in SAP testing environments
     • Principle > real data should not be used in testing
     • Techniques to maintain referential integrity > scrambling, pseudonymization, de-identification and removal of sensitive information
     • Tip > review the access administration in testing environments / avoid data masking
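As an added example (not part of the original deck, and not SAP code), the following Python shows the scrambling principle from slide 22: a keyed, deterministic pseudonym so that the customer number linking a KNA1-style row to its KNBK-style rows still matches after scrambling, while names are tokenized and bank details removed. The table and field names follow the deck's SAP labels; the rows, the rule set and the key are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample rows in the shape of two SAP master tables named in the
# deck: KNA1 (customer master) and KNBK (customer bank details). KNBK rows
# reference KNA1 through the customer number KUNNR. All values are invented.
SAMPLE_TABLES = {
    "KNA1": [
        {"KUNNR": "0000100042", "NAME1": "Maria Papadopoulou", "STRAS": "Ledras 12", "ORT01": "Nicosia"},
        {"KUNNR": "0000100043", "NAME1": "Andreas Ioannou", "STRAS": "Makarios Ave 5", "ORT01": "Limassol"},
    ],
    "KNBK": [
        {"KUNNR": "0000100042", "BANKN": "CY00000000000000000000000001"},
        {"KUNNR": "0000100043", "BANKN": "CY00000000000000000000000002"},
        {"KUNNR": "0000100042", "BANKN": "CY00000000000000000000000003"},
    ],
}

# Per-field handling (assumed rule set for illustration):
#   key        - join column: deterministic digit-only token of the same width
#   pseudonym  - identifying text: replaced by a labelled, keyed token
#   keep       - low-risk value that tests need unchanged
#   remove     - sensitive value that tests do not need at all
RULES = {
    "KUNNR": ("key", 10),
    "NAME1": ("pseudonym", 8),
    "ORT01": ("keep", 0),
    "STRAS": ("remove", 0),
    "BANKN": ("remove", 0),
}


def pseudonym(value: str, key: bytes, length: int, digits_only: bool = False) -> str:
    """Keyed, deterministic pseudonym: the same value and key always give the
    same token, so foreign keys still match across tables, while the token
    cannot be reversed without the key (HMAC-SHA256). The key must never be
    copied into the testing environment."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    if digits_only:
        return str(int(digest[:16], 16) % 10 ** length).zfill(length)
    return digest[:length].upper()


def scramble_row(row: dict, key: bytes) -> dict:
    out = {}
    for field, value in row.items():
        action, width = RULES.get(field, ("remove", 0))  # unknown fields are removed
        if action == "key":
            out[field] = pseudonym(value, key, width, digits_only=True)
        elif action == "pseudonym":
            out[field] = "PERSON-" + pseudonym(value, key, width)
        elif action == "keep":
            out[field] = value
        else:
            out[field] = ""  # blank keeps the column layout without the data
    return out


def scramble_tables(tables: dict, key: bytes) -> dict:
    return {name: [scramble_row(r, key) for r in rows] for name, rows in tables.items()}


def referential_integrity_ok(kna1: list, knbk: list) -> bool:
    """Every KUNNR in the bank table must still resolve to a customer row."""
    customers = {r["KUNNR"] for r in kna1}
    return all(r["KUNNR"] in customers for r in knbk)


def leaked_values(original: dict, scrambled: dict) -> set:
    """Original sensitive values that survived scrambling anywhere in the
    output; a release check before the copy reaches the testing environment."""
    sensitive = {r[f] for rows in original.values() for r in rows
                 for f, (action, _) in RULES.items() if f in r and action != "keep"}
    present = {v for rows in scrambled.values() for r in rows for v in r.values()}
    return sensitive & present
```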
 23. User review
     • 01 The review of listing and display access for personal information is generally not covered in the SAP user reviews
     • 02 Cover the risks of users exporting or downloading SAP tables or reports containing personal information, and privileged access management
     • 03 The GDPR leader should communicate requirements to the SAP system managers involved in access security
     • 04 The data owner is accountable for performing and documenting the access review for each respective SAP module
     • 05 Use the ROPA to review the most critical datasets of personal information to ensure the principle of least privilege
     • 06 Document tasks to revoke viewing accesses for roles and users, and the approvals
 24. Additional solutions
     • ROPA management > managing the data inventory and flows with an online application or by SAP GRC
     • File transfer > sending and receiving encrypted and subsequently deleted files and SAP downloads (only inside the EU)
     • Archiving and backups > archive SAP bases to reduce the personal data in production (including cloud-based solutions)
     • Awareness and e-learning > videos and "skill pills" to raise awareness of changes
     • Data loss prevention > detecting, monitoring and confirming the transfer of personal information (e.g. emails)
  25. Updating policies
 26. Corporate privacy policy: how the right people use the right data for the right purpose
     • Clear personal data security objectives
       • how to protect the confidentiality, availability and integrity
       • how to support new data subject rights
       • how to provide access to personal information only to authorized employees and 3rd parties
       • support of privacy awareness trainings
     • Approved and endorsed by upper management
     • Responsibilities of data owners, data custodians, data users, DPO, IT, risk management and internal audit
     • Communicated across the organization and 3rd parties and regularly updated
 27. Corporate privacy policy: privacy statements
     • Being transparent in handling personal data of employees, candidates, clients, prospects, suppliers and business partners
     • Processing and transferring personal data only for specific business purposes after consent
     • Using sensitive data only if necessary and where legally allowed
     • Ensuring that personal data are up-to-date, complete and accurate
     • Allowing data subjects to access, correct, delete, limit and block their personal data
     • Protecting the personal data from unauthorized loss, alteration, disclosure and access
     • Tip > divide the policy for groups of employees, clients and vendors, or when acting as processor
 28. Corporate privacy policy: hierarchy
     • Corporate privacy policy
     • Policy on privacy management
     • Supporting policies (organizational and operational)
       • data breach incident management
       • duty of disclosure
       • classification and acceptable use of information assets
       • backup and business continuity
       • access control and passwords
       • handling international transfers
       • clear desk and clear screen policy
       • use of network services
       • software development
       • data processing agreements
 29. Corporate privacy policy: content
     • Privacy vision, objectives and responsibilities
     • Principles and roles to limit
       • the collection > how the consents are ensured, when risk impact assessments are done
       • the use > how data is secured and given access to
       • the disclosing > define circumstances for disclosure, complaints, notification of breaches
     • Data categories
     • Transfers to other business units and third parties
 30. Corporate privacy policy: privacy vision, objectives and responsibilities
     • Staff should manage personal data under GDPR and local laws with reasonable safeguard measures
     • DPO (or equivalent) is responsible for updating the policy after regulatory or business changes
     • Definition of cases of legitimate interest
       • Performing contracts
       • Business process execution and reporting
       • Commercial activities and marketing
       • Compliance with legal obligations
       • Protecting the vital interests
 31. Corporate privacy policy: tip > test for legitimate interest
     • Purpose > are you pursuing a legitimate interest?
     • Necessity > is the processing necessary for that purpose?
     • Balancing > do the individual's interests override the legitimate interest?
 32. Corporate privacy policy: data managing practices
     • Staff should manage personal data under GDPR and local laws with best safeguard measures
     • DPO (or equivalent) is responsible for updating the policy after regulatory or business changes
     • Original purpose > personal data only used for the purposes for which they were originally collected
     • Secondary purpose > personal data may be processed for legitimate purposes different from the original purpose only if the secondary purpose is closely related (e.g. audits, dispute resolution, insurance)
     • Retention period limited to > 1 the period to serve the legitimate purpose, and 2 the reasonable period to comply with an applicable legal requirement
  33. A roadmap to demonstrate compliance
 34. The GDPR roadmap
     [Roadmap diagram with four phases: Plan (stakeholders buy-in, implementation team), Prepare (data audits, privacy policy, data minimization), Act (remediation, DPIA, security controls, cyber capabilities, program) and Sustain (train and awareness).]
 35. Demonstrate compliance
     Objective: Board engagement in communicating privacy and GDPR compliance (related to article 5)
     Evidence:
     • Privacy program approved by the board
     • Board agendas and minutes covering GDPR issues
     • Evaluation of privacy reports, action plans involving board members, list of project stakeholders, budgets, approval
     • Nice to have: job roles assigning privacy responsibilities, privacy core team and experts, meetings and guidance with other internal functions dealing with personal data
     • General: ISO/IEC 27001 compliance certificate
 36. Demonstrate compliance: Privacy Officer, Privacy Counsel, CPO, Representative
     Objective: Board engagement in communicating privacy and GDPR compliance (related to article 5)
     Evidence:
     • If required, board minute designating a DPO (art. 37, 38)
       • including evidence of independent reporting (org. chart, reports to the board), delegated tasks (contract, job description), proper budget, qualifications and certifications (CV, identity and background checks) and communication to the supervisory authority
     • For non-EU data controllers/processors
       • mandate to designate a representative in the EU and external communication in privacy notes and website (art. 27)
 37. Demonstrate compliance
     Objective: Board engagement in a privacy policy (related to article 5)
     Evidence:
     • A data privacy policy approved by the board or top management
       • Integrated with the data security policy
       • Addressing privacy principles, lawfulness of processing, purpose limitation, transparency, data minimization, accountability, deletion after use, quality, integrity and confidentiality
       • Mechanisms to maintain the data quality: data owner
       • Annually updated
 38. Demonstrate compliance
     Objective: The board is engaged in supporting the privacy policy (related to article 5)
     Evidence:
     • Supporting privacy policies
       • Code of conduct including privacy, staff handbooks, use of IT assets, information classification, document retention, document destruction, marketing
     • DPIA procedure
       • for new or changing high-risk programs, systems and processes
 39. Demonstrate compliance
     Objective: The lawfulness of processing is ensured (related to article 6)
     Evidence:
     • Contracts and data processing agreements with 3rd parties detail the legal reasons for processing
     • Procedure for secondary uses of personal data
       • How to manage personal information for purposes other than the ones it was originally collected for
     • Mechanism for de-identifying data (art 89) for archiving purposes in the public interest, or scientific and historical research purposes, or statistical purposes
 40. Demonstrate compliance
     Objective: Lawfulness of processing of special categories of personal data and criminal convictions and offences is ensured (related to articles 9 & 10)
     Evidence:
     • Policy for collection and use of sensitive personal data
       • How to document the legal basis for processing sensitive data: contract, vital interests
       • How to identify racial or ethnic origin, political opinions, biometric data and other sensitive data
       • Additional controls linked to the data classification policy
     • Ensure that specific written consents are retained
     • Contract clauses limiting processing to prior instructions from the controller
 41. Demonstrate compliance
     Objective: Consents are valid (related to articles 7 & 8)
     Evidence:
     • Procedure to obtain valid consents
       • Consents are obtained before processing data, with relevance, clear and plain language, simplicity and accessibility
       • Clear responsibility for who controls that processing is consistent with consents
     • Procedures to respond to requests to opt out of, restrict or object to processing: how to effectively stop processing, responsible person and response actions
     • Procedure for children's consents: how to verify parents'/guardians' identities
 42. Demonstrate compliance
     Objective: Consents are properly retained (related to articles 7 & 8)
     Evidence:
     • Records of consent are stored in a secure environment (including how and when consent was provided)
     • The purpose of the processing and the consent language the user has agreed to are stored at the time consent is provided
     • Relevant metadata associated with the consent (IP address, geolocation, browser type and device type) is recorded along with the consent
     • Terms of service acceptance and its version are recorded at the point of registration, including whether a social identity is used to register
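As an added example (not part of the original deck), the following Python shows one way to retain consent records with the evidence listed on slides 41 and 42: the purpose, a fingerprint of the exact consent wording, the terms-of-service version, the timestamp and the surrounding metadata, with withdrawal kept as history rather than deletion, and a check that refuses processing when the consent wording in force has changed since consent was given. The class, method names and sample values are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def _utcnow() -> str:
    return datetime.now(timezone.utc).isoformat()


def text_fingerprint(text: str) -> str:
    """SHA-256 of the exact consent wording shown to the user, so that a later
    change of wording cannot silently be treated as already consented to."""
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    wording_hash: str        # fingerprint of the consent language agreed to
    tos_version: str         # terms of service version at the point of registration
    given_at: str            # when consent was provided (ISO 8601, UTC)
    metadata: dict           # IP address, geolocation, browser type, device type
    social_login: bool = False
    withdrawn_at: Optional[str] = None


class ConsentLedger:
    """Append-only consent store (constructed for this example). Withdrawal
    adds a timestamp instead of deleting, so how and when consent was given
    remains available as evidence."""

    def __init__(self) -> None:
        self._records: list = []

    def record(self, subject_id, purpose, wording, tos_version, metadata,
               social_login=False, given_at=None) -> ConsentRecord:
        rec = ConsentRecord(subject_id, purpose, text_fingerprint(wording), tos_version,
                            given_at or _utcnow(), dict(metadata), social_login)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id, purpose, at=None) -> int:
        """Mark every active consent of a subject for a purpose as withdrawn;
        returns how many records were affected."""
        n = 0
        for rec in self._records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = at or _utcnow()
                n += 1
        return n

    def covers(self, subject_id, purpose, current_wording) -> bool:
        """True only if an active consent exists for this subject and purpose
        AND it was given on the same wording that is in force now."""
        want = text_fingerprint(current_wording)
        return any(rec.subject_id == subject_id and rec.purpose == purpose
                   and rec.withdrawn_at is None and rec.wording_hash == want
                   for rec in self._records)

    def history(self, subject_id) -> list:
        """All records for a subject, withdrawn ones included (evidence trail)."""
        return [r for r in self._records if r.subject_id == subject_id]
```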
 43. Demonstrate compliance
     Objective: Processing of personal data is transparent (related to articles 12, 13 & 14)
     Evidence:
     • Procedure to issue valid data privacy notices
       • Effective communication of how to exercise the rights of the data subject; notices are given before collecting data; defined mechanisms such as statements, icons, pop-up notifications and scripts; who approves and controls the notices (legal knowledge); who is responsible for controlling that processing is consistent with the notices and that the description of activities is accurate
     • Protocol for a data breach notification to affected individuals, regulators, credit agencies and law enforcement
 44. Demonstrate compliance
     Objective: Right of access is ensured (related to article 15). Also managed for: rectification (art 16), erasure (art 17), restriction of processing (art 18), update (art 19), portability (art 20), objection (art 21) and limits on profiling (art 22)
     Evidence:
     • Subject Access Request procedure and similar
       • Defined channels: email, online form, in writing
       • Formalized who is responsible for responding (on time), who is authorized to access data to respond, who controls / approves the final action, coordination with other operative units, coverage of internal data and external data used by other processors and third parties, KPI reports (number of requests, complaints, explanations of root causes)
     • Minutes of management meetings justifying any refusal
 45. Demonstrate compliance
     Objective: Responsibility of the controller in outsourcing is defined (related to article 28)
     Evidence:
     • Clear instructions from the controller to the processor
       • Document how they are given and how they are accepted
     • Annual review of contracts with third-party data processors
       • Approval of a privacy expert (or DPO)
       • Use of an approved contract template or approved exceptions
     Tip: document the meetings with vendors when discussing privacy issues
 46. Demonstrate compliance
     Objective: Proper records of processing activities (ROPA) are maintained (related to article 30)
     Evidence:
     • Linked to the data inventory and data flows
     • List of all processing activities
       • Where, type of data, type of processing by third parties, cross-border data transfers
     • Evidence of updates
     • Approvals of information
 47. Demonstrate compliance
     Objective: Proper data transfer mechanisms are in place (related to articles 45 to 49)
     Evidence:
     • Records of the transfer mechanism used for cross-border data flows
       • standard contractual clauses, binding corporate rules, EU-US privacy shield, approvals from regulators
       • authorized transfer (e.g. consent, performance of a contract, public interest)
       • linked to the ROPA
 48. Demonstrate compliance
     Objective: Security of processing is implemented by technical and organizational measures (related to article 32)
     Evidence:
     • User management policy
       • role-based accesses and segregation of duties
       • defined responsible for approving access rights
     • Technical security measures
       • risk-based controls such as intrusion detection, firewalls, monitoring or encrypting personal data
       • documented user accesses and security measures
       • confidentiality and privacy provisions in employment/vendor contracts
       • internal security audits and mitigation responses
 49. Demonstrate compliance
     Objective: Data protection impact assessment is documented (related to articles 35 & 36)
     Evidence:
     • DPIA guidelines and templates
     • Consultation with all stakeholders
     • Follow-up of action plans for detected risks
     • Evidence of monitoring to close issues and action plans
     • Changes to systems and controls are tested as effective
     • Eventual consultation with the supervisory authority
 50. Demonstrate compliance
     Objective: A procedure for a data breach notification is in place (related to article 33)
     Evidence:
     • Data privacy incident or breach response plan
     • Monitoring of abnormal data activity (e.g. downloads)
     • Escalation procedures involving the privacy expert
     • Protocols for
       • Breach notification to affected individuals
       • Breach reporting to regulators, credit agencies, law enforcement
     • Log of incidents with forensic analysis
     • Periodic testing and simulation
     • Insurance
 51. Demonstrate compliance
     Objective: A procedure for privacy by design and by default is in place (related to article 25)
     Evidence:
     • DPIA procedure covering
       • new systems and procedures, or
       • changes to existing systems and procedures
     • Integrated into system development and business processes
     • Access controls to least privilege
     • Involvement of a privacy expert (or DPO)
     • Assessed the risk of affecting data subject rights
     • Assessed technical measures (e.g. pseudonymisation)
 52. Demonstrate compliance
     Objective: A DPO acts as an independent oversight role (related to articles 37 to 39)
     Evidence:
     • Evidence of full access to information and staff
     • Reasonable budget
     • Autonomous and free from other incompatible tasks
     • Documented tasks for a privacy program
       • Advising on privacy risks
       • Facilitating changes to embed privacy controls in all policies and updating them annually!
 53. Demonstrate compliance
     Objective: A DPO acts as an effective oversight role (related to articles 37 to 39)
     Evidence:
     • Documented training and awareness campaigns
       • Materials: training course notes, posters, presentations, leaflets, briefings, web pages, emails, quizzes and privacy competitions
       • Metrics: attendance, test results and training quality
     • Conducted an enterprise privacy risk assessment
     • Cooperated as point of contact for the supervisory authority
 54. Demonstrate compliance
     Objective: A DPO monitors GDPR compliance (related to articles 37 to 39)
     Evidence:
     • Documentation of periodic risk-based data audits
       • started from the ROPA, focused on processes with complaints or incidents, sensitive information, low security and international transfers, both internal and third-party audits
     • Compared practices against policies and GDPR requirements
       • walk-through documents, selected samples to test how consents are obtained and how contracts are monitored
     • Reported compliance issues and metrics to the board and all stakeholders
 55. Demonstrate compliance
     Objective: The DPO tracks new risks and changes in GDPR (related to articles 37 to 39)
     Evidence:
     • Evidence of
       • monitoring changes in GDPR requirements
       • participation in training and conferences
       • subscription to legal services to receive updates
       • meetings with the legal counsel
 56. Who is responsible for GDPR compliance?
 57. Who should own and coordinate the privacy program?
 58. Who can be the DPO?
 59. Does GDPR require a consent for all processing of personal data?
 60. Who is responsible for a personal data breach?
 61. Who should report a personal data breach?
 62. Can a client refuse to provide a piece of personal information?
 63. What are the key messages from this session?
 64. The first step for GDPR compliance is to realize that this is a journey. If the problems weren't created overnight, the solutions cannot be implemented overnight either.