Data Privacy Program – a customized solution for the new EU General Data Protection Regulation, Maria Maxim, Senior Manager – Fraud Investigation & Dispute Services, Ernst & Young
Security and data privacy within the business environment
Figure: evolving IT risk landscape (rise of online fraud; Payment Card Industry Data Security Standard)
Source – Ernst & Young’s Insights on IT Risks – Evolving IT risk landscape report
IAB Forum - Data Privacy
High value data identification for a business unit
Corporate data
► Price/cost lists
► Target customer lists
► New designs
► Source code
► Intellectual property
► Pending media releases (not yet cleared for release)
Transaction data
► Bank payments
► B2B orders
► Vendor data
► Sales volumes
► Purchasing power
► Revenue potential
► Sales projections
Customer data
► Customer list
► Spending habits
► Contact details
► User preferences
► Customer product profile
► Payment status
► Contact history
Personal data
► Full name
► Date and place of birth
► Biometric data
► Genetic information
► Credit/debit card numbers
► National identification number
Threats and results
Considering what could go wrong is important for understanding what needs to be done to manage and protect personal data effectively.
Common threats
► Lost or stolen media
► Over-sharing of personal information
► Good intentions but misused data
► Third-party service provider weaknesses
► Web site compromise
► Attackers (internal and external)
► Unwanted marketing communications (telephone, email)
► Fraudulent transactions
► Social engineering, including phishing
Could result in…
► Identity theft (customers, employees, business partners)
► Brand and reputation damage
► Litigation
► Regulatory action
► Direct financial loss
► Loss of market value
► Loss of consumer and business partner confidence
► Becoming the example of what could go wrong
2015 top 10 data incidents
Affected persons: 111,022,154
Source: http://healthitsecurity.com/news/healthcare-data-breaches-top-reported-data-security-incident
Some statistics
In the 2015 top 10, the data privacy incidents compromised personal data belonging to 111,022,154 people (USA).
The most affected industries:
Health care – 26.9% (60% loss of storage devices; 7% external attacks)
Education – 16.8%
Governmental institutions – 15.9%
Retail – 12.5%
Source: http://healthitsecurity.com/news/top-10-healthcare-data-breaches-of-2015
“Researchers found that more cybercriminals used more zero-day attacks, including phishing
scams and ransomware, in 2015.
The number of zero-day vulnerabilities in 2015 increased by 125 percent from a year ago.
Meanwhile, 430 million new malware variants were found in 2015.”
Statistics
Breaking down the H1 2016 data breach statistics*:
► 3.04 million records compromised every day
► 126,936 records compromised every hour
► 2,116 records compromised every minute
► 35 records compromised every second
► The 554 million compromised records also represent a 31% increase over the previous six months, when 424 million records were lost or stolen.
*Source: the Breach Level Index, http://breachlevelindex.com/#sthash.VsBJEWXR.dpuf
Data breaches take various forms:
► Identity theft
► Unauthorized access to systems and databases
► Account access
► Financial access
► Accidental loss
► Theft of mobile devices (laptops, etc.)
Eurobarometer: 71% of the persons interviewed accept that sharing their personal data is part of the digital era, “the rule” of modern life. Only 2% stated that they never provide their data to an online service!
European Union legislative framework
► Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (repealed by the GDPR with effect from 25 May 2018)
► Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector
► European Commission decisions on standard contractual clauses for transfers of personal data to third countries
► Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (to be transposed by 6 May 2018)
► Regulation (EU) 2016/679 (the General Data Protection Regulation, GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
Implementation of the new EU General Data Protection Regulation
► Cooperation of the national data protection authorities (DPAs):
One-stop-shop mechanism
Joint investigations
No need for mutual assistance conventions
► Harmonization of the flows: internal records of processing replace the notification of data processing to the DPA
► Privacy Impact Assessment (Data Protection Impact Assessment under the GDPR)
► Incident response plan: 72 hours to notify the DPA of a personal data breach
► All data privacy requirements must be implemented and tested by 25 May 2018:
Data privacy rights to be fully observed (internal controls for consent, information, processes and procedures, remediation measures, contractual clauses, etc.)
Security and confidentiality protocols to be implemented (data classification, corporate governance, record keeping, etc.)
► From 2018, the applicable fines increase to up to EUR 10 million or 2% of worldwide annual turnover, or up to EUR 20 million or 4%, depending on the infringement (for undertakings, whichever is higher)
► All data controllers and data processors have the legal obligation to be able to demonstrate the compliance of their processing activities!
The GDPR applies directly in all EU member states. Principle of accountability: all data controllers and processors must comply with it!
What next? To-do list
► Determine whether your information security and data protection program provides adequate protection for personal information throughout your business units
► Identify data categories and the applicable information security and privacy compliance requirements
► Inventory the location and use of personal information across the enterprise
► Run the gap analysis as soon as possible
► Identify your partners / third parties
► Define privacy and data protection requirements for third parties, and a process that provides periodic and ongoing assurance
► Review the regulatory changes in the countries to which you transfer personal data
► Review your contracts / data processing agreements
► Integrate privacy considerations into significant business initiatives
► Consider the privacy impact of new technologies and new business partners
► Consider whether your privacy staff is still equipped to deal with the organization’s key risks and compliance obligations, and check whether your privacy procedures and training are effective in guiding employees on the appropriate use of personal data
► Establish a program to periodically reassess the accuracy of the personal data held and of the privacy and security requirements
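The inventory item above (locate personal information across the enterprise) is the step that most often needs tooling rather than a questionnaire. The Python script below is an added example for this page, not EY’s or the forum’s own material: it scans constructed sample records from hypothetical systems (crm/customers, hr/employees, erp/orders, logs/web) for the personal-data categories listed earlier in the deck, confirms candidate card numbers with the Luhn check and national identification numbers with the Romanian CNP checksum (an assumption about the ID format; substitute the one used in your jurisdiction), and returns which systems hold which category.

```python
"""Personal-data discovery scan for the inventory step (added example).

Walks text records grouped by the system/table they live in, detects the
personal-data categories the deck lists (card numbers, national ID numbers,
contact details) and returns, per category, the locations where it was
found. Sample records and location names are constructed for this example.
"""
import re

# Runs of 13-19 digits, optionally separated by single spaces or dashes
# (candidate card numbers and 13-digit national IDs share this shape).
DIGIT_RUN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
PHONE_RE = re.compile(r"\+\d{9,14}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check used to confirm that a digit run is a payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def cnp_valid(cnp: str) -> bool:
    """Checksum of the Romanian CNP, assumed here as the national ID format."""
    if len(cnp) != 13 or not cnp.isdigit() or cnp[0] == "0":
        return False
    weights = "279146358279"
    ctrl = sum(int(c) * int(w) for c, w in zip(cnp[:12], weights)) % 11
    if ctrl == 10:
        ctrl = 1
    return ctrl == int(cnp[12])


def classify(text: str) -> set:
    """Return the set of personal-data categories present in one record."""
    found = set()
    for m in DIGIT_RUN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if len(digits) == 13 and cnp_valid(digits):
            found.add("national_id")
        elif luhn_valid(digits):
            found.add("card_number")
        # digit runs failing both checks are ignored: fewer false positives
    if EMAIL_RE.search(text):
        found.add("email")
    if PHONE_RE.search(text):
        found.add("phone")
    return found


def scan(records: dict) -> dict:
    """records maps a location (system/table) to its text rows.
    Returns {category: sorted list of locations holding that category}."""
    inventory = {}
    for location, rows in records.items():
        for row in rows:
            for cat in classify(row):
                inventory.setdefault(cat, set()).add(location)
    return {cat: sorted(locs) for cat, locs in sorted(inventory.items())}


# Constructed sample data: four hypothetical systems, one holding no personal
# data and one holding a digit run that fails the Luhn check.
SAMPLE_RECORDS = {
    "crm/customers": [
        "name=Ana Pop; email=ana.pop@example.com; phone=+40700000000",
        "name=Ion Ionescu; card=4111 1111 1111 1111; payment_status=paid",
    ],
    "hr/employees": ["name=Maria Dumitru; cnp=1800101221144; dept=finance"],
    "erp/orders": ["order=10045; amount=1299.00; sku=AB-7781"],
    "logs/web": ["GET /account?id=4111111111111112 HTTP/1.1 200"],
}

if __name__ == "__main__":
    for category, locations in scan(SAMPLE_RECORDS).items():
        print(f"{category:12s} -> {', '.join(locations)}")
```

Running it prints one line per category with the systems holding it. The log line is deliberately not reported because its digit run fails the Luhn check, which trades a small miss rate for far fewer false positives on order numbers and similar values; the resulting map of category to system is the raw material for the records of processing the deck asks for later.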
Data Privacy Program: EY overall approach
Major steps: 1 Assess, 2 Develop, 3 Implement, 4 Monitor
Risk assessment
• Review the systems and personal data collections end to end, from collection to retention, including cases of international transfer;
• Determine how well existing practices align with the organization’s privacy obligations and regulatory compliance requirements.
Policies and procedures
• Based on step 1, set up and/or adjust a set of policies and procedures, such as (but not limited to) a data classification framework, a code of conduct, binding corporate rules and other internal working procedures and instructions.
Systems and security
• Map the flow of personal data through the IT systems and related databases, considering the following areas of interest:
• Data classification;
• Usage rights;
• Approval management;
• Data storage and transfer;
• Privacy by default / by design.
Support
• Internal controls implementation
• Policies and procedures
• Consultation desk
Contractual clauses for partnerships
• Controller – processor relationship.
Records
• The processing of personal data should be recorded, with its purpose, processors, etc.
Training
• Train the trainer / workshops / employee training.
Complaint resolution
• Data subjects have the right to object, to access their data and to ask for rectification of their personal data;
• The answer should be provided within the statutory time limit.
Incident response
• Incidents should be reported in due time and the measures taken should limit their effects.
Management / organization
• A data protection officer / function should be in place (required, among others, for public authorities and for entities that process personal data on a large scale).
Risk matrix
► Regulations
► Likelihood of occurrence
► Consequence and operational impact (gross risk, before remediation)
► Existing policies
► Remediation measures (giving the net, residual risk):
Policies and work instructions,
Confidentiality agreements,
Communication of the guidelines,
Operational audits,
Training
► Re-assessments: reassess the identified risks annually.
Recommendations:
► Gap assessment against the GDPR
► Privacy Impact Assessment
► Third-party relationships: specific contractual clauses on the parties’ responsibilities
► Incident response plan
► Remedies for data loss / cost of recovery:
Compensation and the liability cap
Consequential damages / loss of profit to be excluded
Insurance coverage, where applicable
Certification mechanism
THANK YOU!
Maria Maxim | Senior Manager | Fraud Investigation & Dispute Services
Ernst & Young S.R.L.
Bucharest Tower Center Building, 22nd Floor, 15-17 Ion Mihalache Blvd., Bucharest, 011171, Sector 1, Romania
Office: +40214024000 | Fax: +40213104965 | maria.maxim@ro.ey.com
Mobile: +40799098594
Website: http://www.ey.com