Are measures in place to ensure compliance after May 2018?


Are measures in place to ensure compliance after May 2018?
IIA Scotland - Good Governance, 30 January 2018
Liz Sandwith CFIIA, Chief Professional Practices Advisor, Chartered IIA

Agenda (remember there is still time)
Background
Territorial scope
Impact of non-compliance, including costs
Obligations on organisations
Getting ready for 25 May 2018
How do we know if we are ready?
Where are we now?
7 questions to ask ourselves
Common gaps
Have we, as internal audit, done enough?
Post May?

Background
First, personal data is so pervasive in today's world that virtually every organisation of scale processes or holds such information in substantial quantities, on both customers and employees, which makes the scope of GDPR unmatched. Secondly, the deadline for compliance is fast approaching: the Regulation applies from 25 May 2018. Finally, and perhaps most importantly, penalties for failing to comply are potentially huge: for the most serious infringements, fines of up to 4% of annual worldwide turnover or €20m, whichever is higher.

Territorial Scope

Impact of non-compliance with GDPR
A recent study by Alfresco and AIIM revealed that 21% of senior executives in the UK have little or no awareness of the effect the EU GDPR will have on their organisation. 31% of the organisations questioned had experienced data loss or exposure in the past 12 months that they attributed to staff negligence or bad practice. Boards should already have prioritised GDPR; has yours?
It has been estimated that the £400,000 fine issued by the UK Information Commissioner's Office to broadband group TalkTalk, for the security failings that allowed attackers to access customer data two years ago, could have risen to £59m under GDPR.

Cost of GDPR non-compliance
GDPR is non-negotiable, and the consequences of non-compliance would be too much for most businesses. Administrative fines come in two tiers; which tier applies depends on which provisions of the Regulation the controller or processor has infringed, and the amount within that tier takes account of factors such as the nature, gravity and duration of the infringement and any previous infringements. The lower tier is up to 2% of worldwide annual turnover or €10m, whichever is higher. The higher tier is up to 4% or €20m, whichever is higher.

Obligations on organisations
The business benefits of the GDPR:
Build customer trust
Improve brand image and reputation
Improve data governance
Improve information security
Improve competitive advantage

Example of what an organisation is doing now

Challenges
Briefing the Board and Senior Management Team
Consent: ICO final guidance not available until December 2017
Right to be forgotten
Policies and procedures: review and update the Privacy Policy to articulate why we hold customer data and what we do with it
Subject access requests: links to individuals' rights and the importance of customer information being accurate; revised timeline of one month, not 40 days

Opportunities
Explore the opportunity around 'legitimate interest' as well as consent
Framework to build a process for the customer to confirm their ongoing relationship with the business
Build an ongoing, sustainable relationship with all customers
Customer centricity, building trust with customers in relation to their data: a potential competitive advantage
Grow and enhance customer trust

Getting ready for GDPR
Develop company-wide awareness
Help the Board understand the legislation and the resources required to be compliant, including people and financial cost
Appoint a Data Protection Officer to drive compliance within the business; it may be a full-time role or an assigned responsibility, depending on the size and demands of the business
Audit and review existing systems, processes, procedures and contracts with suppliers, and conduct an information audit
Ensure procedures are in place to detect, investigate and report a personal data breach to the supervisory authority within 72 hours of becoming aware of it
Is your business ready to transform?

Internal Audit

How do we know if we are ready?
The ICO online self-assessment tool, which includes:
Step 1: Accountability and governance
Step 2: Key areas for consideration, e.g. consent, children, lawful basis for processing
Step 3: Individuals' rights, e.g. communicating privacy information, subject access requests
Step 4: Breach notification
Step 5: Transfer of data, i.e. international transfers
Questions are answered by status: not yet implemented or planned; partially implemented or planned; successfully implemented; not applicable.

Key thoughts: mountain or molehill?
Key privacy risk focus: highly sensitive data in bulk, consumer data, and processes
Start top-down from business operations rather than bottom-up from controls and policies
GDPR is not an information security programme
Clarify responsibilities as a controller and as a processor
Privacy may be disruptive to digital transformation

Where are we now?
25 May 2018 is fast approaching.
A recent poll of 900 business decision-makers around the world indicates that only 31% believe their organisations are compliant with GDPR, while analysis showed that only 2% of respondents actually appeared to be fully compliant (source: Veritas).
Geographic reach: GDPR applies not only to organisations located within the EU, but also to organisations outside the EU that offer goods or services to, or monitor the behaviour of, EU data subjects.
US-based companies can use the EU-US Privacy Shield, a framework for personal data exchanges that had been assessed as adequate at the time of this presentation (the CJEU later invalidated that adequacy decision in July 2020, so transfers relying on it need another mechanism).

7 key questions to ask ourselves
1. What is my readiness status?
2. Where is the information, and the sensitive personal identifiable information, that will fall under GDPR?
3. How will I respond to legal matters, e.g. policies and procedures, breach reporting?
4. Is sensitive data protected, stored and backed up securely?
5. How do we identify information for disposition, in accordance with the right to be forgotten?
6. Can we report a breach within the timeline required?
7. How do we reduce our overall risk profile?

Common gaps identified
Data protection by default: privacy not yet a priority
Rights of data subjects / customers
Third-party management: data processors
Conditions for consent
Security of processing
Data breach reporting and communication: who needs to be notified
Accountability (HR, Compliance, IT and Customer Services, the business, the CEO, the Board)

As internal auditors, have we done enough?

As internal audit, are we focusing on the wider definition of personal data?

Have we as internal auditors sufficiently briefed the Board and the Audit Committee about GDPR?
Have we undertaken a top-down risk assessment? What will that do to the delivery of our 2018/19 internal audit plan?
The time spent building relationships with the Board and Audit Committee will now be incredibly valuable.
As internal audit, do we have the ability to support the DPO to drive change, and to empower them to act?
It doesn't end at May 2018.
Have we done enough? What do we need to do today? What is the organisation looking for from internal audit in terms of today, May 2018, and going forward?


We know it doesn't end at May, so...
Moving forward, the Board and Audit Committee will require an increased level of assurance around internal control, compliance and reporting processes for GDPR.
Remember, the sword of Damocles is potentially hanging over us all in terms of fines if we get it wrong, make a mistake or take our eye off the ball.
So what will the continuous auditing process involve?


We'd love to hear from you...
liz.sandwith@iia.org.uk
Chartered Institute of Internal Auditors, UK and Ireland, official group
@CharteredIIA