Published by Branden Osborne. Modified over 6 years ago.
Are measures in place to ensure compliance after May 2018?
IIA Scotland - Good Governance, 30 January 2018
Liz Sandwith CFIIA - Chief Professional Practices Advisor - Chartered IIA
Agenda – remember there is still time
Background
Territorial Scope
Impact of Non-Compliance, including costs
Obligations on organisations
Getting ready for 25th May 2018
How do we know if we are ready?
Where are we now?
7 questions to ask ourselves
Common gaps
Have we as internal audit done enough?
Post May?
Background
First, personal data is so pervasive in today’s world that virtually every organisation of scale processes or holds such information in substantial quantities in terms of both customers and employees, making the scope of GDPR unmatched. Secondly, the deadline for compliance is fast approaching (implementation is required by 25 May 2018). Finally, and perhaps most importantly, penalties for failing to comply are potentially huge: for the most damaging breaches, fines of up to 4% of annual turnover, or €20m, whichever is higher.
Territorial Scope
Impact of Non-compliance with GDPR
A recent study by Alfresco and AIIM revealed that 21% of senior executives in the UK have little or no awareness about the effect the EU GDPR will have on their organisation. 31% of the organisations questioned had experienced data loss or exposure in the past 12 months due to what they felt was staff negligence or bad practice.
Boards should have already prioritised GDPR. Has yours?
It is estimated that the £400,000 fine issued by the UK’s Information Commissioner’s Office to broadband group TalkTalk for the security failings that allowed hackers to access customer data two years ago would potentially have risen to a massive £59m under GDPR.
Cost of GDPR Non Compliance
GDPR is non-negotiable and the consequences for non-compliance would be too much for most businesses. Regulatory fines come in two tiers and depend on whether the data controller or processor has committed any previous violations, and the nature of the violations. The lower fine threshold is 2% of a company’s worldwide annual revenue, or €10m, whichever is higher. The higher threshold is 4% or €20 million, whichever is higher.
Obligations on organisations
The business benefits of the GDPR:
Build customer trust
Improve brand image and reputation
Improve data governance
Improve information security
Improve competitive advantage
Example of what an organisation is doing now…
Challenges
Briefing Board and Senior Management Team
Consent: ICO final guidance not available until December 2017
Right to be forgotten
Policies and Procedures: review and update Privacy Policy to articulate why we hold customer data and what we do with it.
Subject Access Requests: links to individuals’ rights and the importance of customer information being accurate – revised timelines – one month, not 40 days
Opportunities
Explore the opportunity around ‘Legitimate Interest’ as well as consent
Framework to build a process for the customer to confirm their ongoing relationship with the business
Build an ongoing sustainable relationship with all customers
Customer centricity, building trust with customers in relation to their data – potential competitive advantage
Grow and enhance customer trust
Getting Ready for GDPR
Develop company-wide awareness
Help the Board understand the legislation and the resources required to be compliant, including people and financial cost
Appoint a Data Protection Officer to drive compliance within the business; it may be a full-time role or an assigned responsibility, dependent upon the size and demands of the business
Audit and review existing systems, processes, procedures and contracts with suppliers, and conduct an information audit
Ensure procedures are in place to detect, investigate and report a data security breach within 72 hours
Is your business ready to transform?
Internal Audit
How do we know if we are ready?
ICO on-line self-assessment tool, which includes:
Step 1 Accountability and Governance
Step 2 Key areas for consideration, e.g. consent, children, lawful basis for processing
Step 3 Individuals’ rights, e.g. communicating privacy information, subject access requests
Step 4 Breach notification
Step 5 Transfer of data, i.e. international
Questions are asked in relation to status: not yet implemented or planned; partially implemented or planned; successfully implemented; not applicable.
Key thoughts – mountain or molehill?
Key privacy risk focus – highly sensitive data in bulk; consumer data; and processes
Start top-down with business operations vs. bottom-up with controls / policies
GDPR is not an information security programme
Clarify responsibilities as a controller and processor
Privacy may be disruptive to digital transformation
Where are we now?
25 May 2018 is fast approaching
A recent poll of 900 business decision-makers around the world indicates that only 31% believe their organisations are compliant with GDPR, while analysis showed that only 2% of respondents actually appeared to be fully compliant (Source: Veritas)
Geographic reach of GDPR, which not only applies to organisations located within the EU, but also to organisations located outside of the EU that offer goods or services to, or monitor the behaviour of, EU data subjects
US-based companies can use the EU-US Privacy Shield, a framework for personal data exchanges, which has been assessed as adequate.
7 key questions to ask ourselves
What is my readiness status?
Where is the information and sensitive personally identifiable information that will fall under GDPR?
How will I respond to legal matters, e.g. policies and procedures, breach reporting?
Is sensitive data protected, stored and backed up securely?
How do we identify information for disposition, in accordance with the right to be forgotten?
Can we report a breach within the timeline required?
How do we reduce our overall risk profile?
Common Gaps identified
Data Protection by default – privacy not yet a priority
Rights of data subjects / customers
Third party management – data processor
Conditions to consent
Security of processing
Data Breach Reporting and Communication – who needs to be notified
Accountability (HR, Compliance, IT and Customer Services, the business, the CEO, Board)
As Internal Auditors, have we done enough?
As internal audit, are we focussing on the wider definition of personal data?
Have we as internal auditors sufficiently briefed the Board and the Audit Committee about GDPR?
Have we undertaken a top-down risk assessment? What will that do to the delivery of our 2018/19 internal audit plan?
The time spent building relationships with the Board and Audit Committee will now be incredibly valuable
As internal audit, do we have the ability to support the DPO to drive change and to empower them to act?
It doesn’t end at May
Moving forward, the Board and Audit Committee will require an increased level of assurance around internal control, compliance and reporting processes.
Remember, the sword of Damocles is potentially hanging over us all in terms of fines if we get it wrong, make a mistake or take our eye off the ball.
Have we done enough? What do we need to do today?
What is the organisation looking for from internal audit in terms of today, May 2018, and going forwards?
We know it doesn’t end at May so…
Moving forward, the Board and Audit Committee will require an increased level of assurance around internal control, compliance and reporting processes for GDPR
Remember, the sword of Damocles is potentially hanging over us all in terms of fines if we get it wrong, make a mistake or take our eye off the ball.
So what will the continuous auditing process involve?
We’d love to hear from you…
Chartered Institute of Internal Auditors, UK and Ireland, official group
@CharteredIIA