General Data Protection Regulation
Overview for Internal Auditors
Presented by: Aaron Weller, eBay Sr. Director, Privacy and Security; Michael Spadea, PwC Managing Director, Privacy and Security
September 21
Proprietary and confidential. Prepared for the IIA Puget Sound Chapter. Not intended for any other purpose.
Five key things to know about the GDPR
1. GDPR is a transformative new data privacy law in the EU
The General Data Protection Regulation (GDPR) is a new law in the European Union (EU) providing for uniform data protection regulation throughout the EU. When it goes into effect on May 25, 2018, it will represent one of the highest standards of privacy and data protection in the world and will give EU Data Protection Authorities (DPAs) the ability to regulate and bring enforcement actions against companies across the globe. It will supersede the existing EU Data Protection Directive, which came into effect almost 20 years ago in 1998.

Timeline (two-year implementation phase):
• Jan 2012: European Commission publishes GDPR legislative proposal
• Dec 2015: GDPR approval reached
• Apr 2016: GDPR formally adopted by EU
• Early 2018: Operational readiness for privacy program capabilities
• May 2018: GDPR in effect, enforcement actions begin

Speaker notes: In April 2016, the European Union Member States approved a transformative new data protection and privacy regulation that will replace the existing EU Data Protection Directive that has been in place for the past 20 years. The Directive was not a law but rather a baseline set of requirements whereby each EU Member State had to pass into law its own law/regulation that governed organizations that processed personal data in their respective regions. The GDPR is a single, uniform law that seeks to harmonize data protection and privacy laws across all EU Member States while providing greater regulatory reach, which I'll speak to in a moment. Companies were provided a two-year implementation timeline to prepare for the May 25, 2018 implementation date, which we've outlined on the slide here.
2. It is a major expansion to the scope of EU data protection law
• GDPR applies to every company that collects personal data from EU data subjects, regardless of where the company is established
• It applies to data processors as well as data controllers
• It applies to companies that offer goods or services in the EU, regardless of whether payment is required, or that monitor the behavior of EU residents
• It broadens the term Personal Data: "any information that directly or indirectly can be related to an identified or identifiable natural person"
• It may impact US operations if EU products and business processes cannot be easily carved out, or if EU data is transferred to or used in the US

Major impact to the collection/processing of: EU Consumer Data, EU Employee Data, EU Business Customer Data

Speaker notes: One of the biggest and most impactful changes of the GDPR is the extraterritorial regulatory oversight and enforcement reach that it gives the EU regulators. Under the existing Directive, the EU regulators have had limited authority to regulate and bring enforcement against companies that weren't headquartered in their member states or didn't physically process data in their countries. With the GDPR, they will have the authority to regulate and bring enforcement actions against any company that handles personal data (employee/consumer/business contact) of EU residents regardless of where that company is headquartered or where the data is processed. Additionally, companies that are classified as data processors (i.e., service providers) are now directly liable and in scope for the regulation, whereas they were previously only covered from a contractual compliance standpoint. This impacts a number of TMT companies, like cloud providers.
3. It includes a dense and complex set of privacy requirements
Program areas: Strategy & Governance; Privacy by Design; Data Processor Accountability; Policy Management; Information Security; Individual Rights Processing; Training & Awareness; Cross-Border Data Strategy; Data Lifecycle Management; Privacy Incident Management

Key requirements:
• Demonstrate accountability through compliance, monitoring and auditing, and a policy management process
• Appoint a Data Protection Officer
• Maintain records of processing activities (e.g. data inventories)
• Provide expanded rights to data subjects, including control (e.g. consent), deletion or portability, and restriction of processing
• Proactively identify and mitigate privacy risk at the onset of new initiatives, then continually thereafter
• Only share personal data with third parties that are able to demonstrate compliance with GDPR
• Breach notification to regulators within 72 hours of becoming aware of the breach
• Implement and manage technical and organizational privacy program controls
• Strict new contracting requirements for engaging with third parties
• Formally assess privacy impact across new and evolving initiatives

Speaker notes: In addition to the significant changes in regulatory enforcement scope/jurisdiction, the GDPR brings with it a series of new and complex privacy and data protection requirements. This slide highlights some of those categories; in light of time, I'll touch on a couple of key ones:
• Accountability (i.e., Strategy, Governance, Policy Management): this is not a one-time compliance exercise. There is an expectation from the regulators that companies will have formal, defensible privacy and data protection programs in place to be able to demonstrate compliance to the regulators at their request; similar to Sarbanes-Oxley but without the requirement to report on it proactively or have an external audit.
• Privacy by Design: requirement to formally design privacy and security into all initiatives where personal data is involved (e.g., products, services, marketing and data initiatives, HR initiatives, etc.). Additionally, for high-risk processing activities, there are more stringent requirements to perform a Data Protection Impact Assessment and report to the regulator proactively if you're unable to mitigate risks.
• Individual Rights Processing: there are a number of new requirements to provide additional rights to data subjects: notice and consent requirements for certain uses of data; right to withdraw consent previously provided; right to access/understand what data the company has about you and the processing activities (e.g., have you built a profile about me that suggests I like sports); erasure/right to be forgotten; data portability, i.e. the requirement to be able to port data in a machine-readable format to allow a customer to switch providers.
4. The risks of non-compliance are severe
Regulatory Risk
• Enhanced territorial scope impacts operations far beyond the EU
• Aggressive regulators with broader audit rights
• Increased scrutiny for high-risk data processing activities
• Localization requirements and other regulator restrictions

Financial Risk
• Potentially massive statutory fines for violations: up to 4% of total global annual revenue/sales (or €20 million, whichever is higher)
• Increased risk of civil suits and class actions for violating rights of individuals
• People, process, and technology cost to execute required privacy program capabilities

Operational Risk
• Barrier to entry for businesses that lack GDPR compliance
• Shorter breach reporting windows
• Adverse outcomes with business partners or customer negotiations over privacy obligations
• Individual empowerment to object to data processing and make other requests

Reputational Risk
• Data breaches damage the brand
• Poorly perceived data collection and use practices impact consumer sentiment
• Influences relationships with the regulators
• Poor reputations draw watchdog and advocacy groups

Speaker notes: So what happens if you don't comply with the new law? There are a number of risks associated with non-compliance that companies need to be mindful of:
• Regulatory risk associated with an enforcement action, similar to what we see here in the US with regulators such as the FTC that bring enforcement actions against companies requiring them to have their programs audited for the next 20 years
• Financial risks: companies can be fined up to 4% of global annual revenue for non-compliance. The law also introduces the ability for data subjects to pool their resources and bring class action lawsuits against organizations, which was not an ability data subjects had under the current law
• Operational risks: inability to demonstrate compliance to enterprise customers or consumers could impact a company's ability to do business in the EU
• Reputational risks
5. Stakeholders across the enterprise will be impacted
The GDPR requirements have a pervasive impact across the organization, requiring organizations to take a cross-functional approach to implement and sustain compliance.

Enterprise impact: functions affected include Marketing & HR, Customer Service & Ops, IT, the Privacy Office, the CISO, and Legal.

Activities across these functions include:
• Appointing a Data Privacy Officer
• Enhancing consumer notice & transparency
• Enforcing Privacy by Design
• Conducting Privacy Impact Assessments
• Enabling data portability
• Ensuring rights of access and authentication
• Enhancing the development lifecycle
• Managing consent indicators and logs
• Enacting data transfer mechanisms
• Defining data controllers & processors
• Managing the contract process and model clauses
• Driving data breach notification
• Promoting security throughout the data lifecycle
• Assisting with data breach notification
• Driving incident response
• Respecting consent
• Ensuring employee privacy
• Automating decision-making processes
• Training employees on privacy
• Supporting execution of Privacy Impact Assessments
• Ensuring rights of access & remediation
• Permitting the right to be forgotten
• Fielding questions, inquiries, and concerns

Speaker notes: While GDPR is privacy and security legislation and a compliance obligation, and is typically being owned by privacy/legal with significant support from security offices, it really does have far-reaching implications across the enterprise and requires support from a number of departments to truly comply.
Benchmarking GDPR Activities
Benchmarking – PwC pulse survey results – July 2017
In July 2017 PwC surveyed 300 CPOs, CIOs, General Counsels, CMOs, CCOs and VPs in related departments at US, UK and Japanese companies with a European presence (75% of companies > $500M in annual revenue). The purpose was to understand C-suite views on the emerging GDPR regulations and assess companies' readiness for GDPR compliance.

Key findings (large companies, $500M+ revenue):
• GDPR is "one of the top business priorities" for 98% of large US, UK, and Japanese companies, a 6-point increase from 92% in the earlier survey (late 2016), and "the top priority" for 56%. Only 2% describe it as a concern but not a top priority.
• Of the 10 major work streams we see in the GDPR adoption process, less than 50% of our clients have completed GDPR preparation on four of the largest work stream areas: data processor accountability, privacy by design, cross-border data strategy, and data lifecycle management.

Speaker notes: For these last few slides, I wanted to share some output from a GDPR survey PwC just completed of 300 executives to get a pulse on where GDPR falls on their priorities, what they're spending and their progress to date. As you can see on the left-hand side of the page, 98% of companies surveyed indicated that GDPR is either one of its top priorities or the top priority. On the chart on the right, you can get a sense of how far along companies believe they are in their compliance preparations across the various GDPR requirements. Less than 50% of respondents have completed preparation on four of the larger work streams: data processor accountability, privacy by design, cross-border data strategy, and data lifecycle management (or Article 30's Records of Processing requirement).
Benchmarking – PwC pulse survey results – July 2017 (continued)
Companies are spending much more on GDPR than they were back in December, with the US spending the most. About one-fifth (up from one-tenth this past December) of US companies will spend over $10m on GDPR.

Speaker notes: Another key takeaway from the survey was the overall amount of money companies are spending on their GDPR preparation efforts. Specifically, about one-fifth of US companies will spend over $10m, which is up from about one-tenth of respondents when we conducted the same survey in December 2016.

Source: PwC's Pulse Survey: GDPR budgets top $10 million for 40% of surveyed companies,
Steps to achieving compliance
Questions Internal Auditors should be asking
The scope and requirements set forth in the regulation are deep and complex; many companies must begin remediation efforts now to ensure compliance. The GDPR requires that companies take a programmatic approach to Data Protection akin to "SOX for Privacy", which means you should develop defensible programs for compliance and be able to prove that you are acting appropriately.

Questions to help determine where to get started:
• What is our data footprint in the European Union (e.g. employee data, consumer data, business customer data)?
• Are we prepared to provide evidence of GDPR compliance to EU or US privacy regulators, who may now request it on demand?
• Do we have visibility of and control over what personal data we collect? How it is used? With whom the data is shared?
• Do we have a Privacy by Design program in place, with Privacy Impact Assessments, documentation, and escalation paths?
• Do we have a tested breach-response plan that meets the GDPR's 72-hour notification requirement?
• Have we defined a roadmap for GDPR compliance?
• Have we identified a Data Protection Officer (DPO), as required under the law?
• Have we adopted a cross-border data transfer strategy?
Example actions Internal Auditors should be taking in 2017
There is no specific roadmap, but certain actions to consider are as follows:
• Update your risk assessment for GDPR-related risks
• Validate that the plan and timeline for GDPR compliance is in process and on time
• Perform a pre-assessment or other types of reviews, depending on the timeline and needs of your company
• Assess the impact of GDPR on various business and IT areas/processes
• Begin to update audit steps to address these changing or new risks
• Update your executive leadership teams and Audit Committee on Internal Audit's plans for GDPR. This will be a multi-year effort for most teams.
GDPR requirements overview
The GDPR brings about the introduction of many strict new privacy requirements for companies, which are highlighted below. Although the current text of the law provides some context to these requirements, the Article 29 Working Party is scheduled to release additional clarity and guidance on many of the requirements over the next 16 months and beyond.

Requirement areas: Privacy Strategy; Six Principles; Legitimate Interest; DPO; Security; Legal Basis; Notice; Automated Decision-making; Right of Access; Objection to Processing; Consent; Rectification; Erasure; Restriction; Privacy and Security by Design; Data Portability; Records of Processing; Processing by Processor; Transfer Mechanism; DPIA; Breach
Example GDPR program implementation approach
Program implementation: implementation of GDPR program components to remediate known compliance gaps and establish a privacy program.

Areas of implementation: Strategy & governance; Privacy by design; Policy management; Information security; Cross-border data strategy; Privacy incident management; Data lifecycle management; Data processor accountability; Training & awareness; Individual rights processing

Speaker notes: While this isn't the only bucket of projects that we're seeing companies categorize their implementation plans into, this is a fairly typical grouping of remediation plans and projects that companies are implementing to prepare for compliance.
A GDPR compliance journey
GDPR compliance will be a challenge for many businesses. Only the proactive will be prepared. Your compliance journey involves many considerations, including harsh regulatory and litigation risks for non-compliance. Proactive businesses are assessing their current capabilities, designing their future state and operationalizing ongoing programs to allow for sustainable and demonstrable compliance. This 5-step approach can help in transforming your privacy program.

Phases: Assess current capabilities; Design the future state; Operate and sustain (timeline: 2017, 2018, 2019 & beyond)

Steps:
1. Risk analysis and data discovery
2. Gap assessment and remediation roadmap
3. Cross-functional oversight and planning
4. Program implementation
5. Ongoing program operation and monitoring
A program management office supports the journey throughout.

This GDPR program can help companies identify, reconcile, and respond to current and future cross-territory regulations.
A GDPR compliance journey: step 1, Risk analysis and data discovery
Information gathering activities to obtain an understanding of your data risk and data footprint, including data types, scale, and jurisdictions.
Sample outputs:
• Personal data inventory
• Data flow maps showing the movement of personal data through major business processes, from collection, storage, use and sharing through to retention and disposal
• Initial legal basis documentation
A GDPR compliance journey: step 2, Gap assessment and remediation roadmap
Identification of existing privacy capabilities and prioritization of needed program enhancements.
Sample outputs:
• Privacy program capabilities assessment
• Risk assessment based on current and planned future uses of personal data and existing program capabilities to manage privacy and GDPR risk
• Remediation strategy, roadmap and timeline
A GDPR compliance journey: step 3, Cross-functional oversight and planning
Defining and establishing the ongoing governance structure to coordinate, operate and implement remediation activities.
Sample outputs:
• Cross-functional steering committee for overarching GDPR governance
• Determination of the organizational impact of planned remediation activities
• Cross-functional project team/working group and associated project leads/teams needed to execute on GDPR remediation efforts
• Detailed project plans to support remediation efforts
• Budget and resource request, including future technology implementation planning
A GDPR compliance journey: step 4, Program implementation
Implementation of GDPR program components to remediate known compliance gaps and establish a privacy program.
Areas of implementation: Strategy & governance; Policy management; Cross-border data strategy; Data lifecycle management; Individual rights processing; Privacy by design; Information security; Privacy incident management; Data processor accountability; Training & awareness
A GDPR compliance journey: step 5, Ongoing program operation and monitoring
Establishing ongoing compliance mechanisms to promote continued accountability.
Sample outputs:
• Defined ongoing monitoring program, including consideration of existing monitoring functions (e.g., internal audit)
• Third party vendor monitoring program
• Tracking and retesting of non-compliance
• Escalation protocols for changes needed to existing policies/procedures/controls
GDPR practical pointers and tips
Privacy Office
• Build a sustainable and defensible privacy program
• Maintain internal privacy policies and external notices
• Develop standards & procedures (with BUs) to operationalize privacy policies
• Evaluate and document use cases for privacy risk
• Enhance privacy training and awareness

Legal
• Develop and maintain data transfer mechanisms
• Define data controllers and processors for products/services
• Manage the contract process and third party agreements
• Identify and support regional/local DPO requirements
• Assess current data subject access request readiness

Security
• Maintain data protection throughout the data lifecycle
• Assist with data breach notification
• Partner with privacy incident response to identify, evaluate, and respond to breaches of personal data confidentiality

IT
• Maintain a data inventory and cross-border flow mapping
• Support the execution of data subject requests for access, erasure, restriction, and data portability
• Support the capture, tracking, flagging, and dissemination of consent choice indicators across the enterprise and to third parties

Business & HR
• Assist with the evaluation of privacy impact risk for consumer and employee use cases and third party relationships
• Assist the privacy office in developing standards & procedures to operationalize privacy policies
• Develop new initiatives following Privacy by Design leading practices
• Respect data minimization, data quality, limited data access, and consent
Thank you. This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. © 2017 PwC. All rights reserved. PwC refers to the US member firm or one of its subsidiaries or affiliates, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see for further details. This proposal is protected under the copyright laws of the United States and other countries. This proposal contains information that is proprietary and confidential to PricewaterhouseCoopers LLP, and shall not be disclosed outside the recipient's company or duplicated, used or disclosed, in whole or in part, by the recipient for any purpose other than to evaluate this proposal. Any other use or disclosure, in whole or in part, of this information without the express written permission of PricewaterhouseCoopers LLP is prohibited.