A Road To Compliance - AmCham Bulgaria
Deloitte Bulgaria, March 2018
A Road To Compliance
Conceptual approach
• Privacy is a combination of knowledge of the law, acknowledgement of the substantial technical work that putting the law into practice entails, and the effort required to embed it in an organization in a way that fits the organization's structure and culture.
• We strongly believe that only organizations whose privacy staff come from each of these backgrounds, and are willing to learn about the two that are not their own, will succeed in running efficient and effective privacy operations.
• We have therefore also modelled our own team accordingly: our team includes expertise in each of these three areas.
A multidisciplinary effort
Deloitte’s vision on privacy
Technical: Personal data needs to be processed efficiently and protected adequately. Furthermore, smart systems support organizations in keeping track of their personal data and managing their privacy risk.
Legal: Organizations must understand the multitude of applicable laws, regulations and standards for privacy and data protection, as well as ensure compliance with those rules.
Organizational: Almost every organization has to deal with privacy and data protection. Roles and responsibilities need to be assigned, and processes need to be aligned. We ensure that our solution allows for the most efficient integration of privacy within the organization.
Deloitte’s privacy program defines six layers that can add value in the development of privacy within an organization
Road to maturity
A tailored transformation program helps organizations prepare in the optimal way for GDPR compliance and audit.
Elements of the privacy program shown in the road-to-maturity diagram: Strategy; Organization and Accountability; Policies & procedures; Communication, Training, Awareness; Privacy by Design; Privacy Impact Assessment; Audit and Certification; Processing Inventory; Data Management; Data Transfers.
Layer 1 | Strategy: A strong starting point determining high-level direction and risk appetite, upon which the organization builds its privacy organization.
Layer 2 | Organization and accountability: Enabling effective implementation of the privacy strategy requires a strong and multidisciplinary privacy organizational structure. This covers the structure of the privacy organization as well as the role and position of key players, such as the Data Protection Officer. This layer also covers accountability: how to prove compliance?
Layer 3 | Policy, process & data: Partnering with the business to ensure data is protected, governed, managed and utilized effectively in line with the organization's strategy. Also covers technological challenges such as data access requests, data retention, the right to be forgotten, breach notification, and international and third-party data transfers.
Layer 4 | Culture, training & awareness: Creating a high level of organizational awareness on privacy ensures that the organization's employees know and follow the rules.
Layer 5 | Privacy operations: Embedding privacy into the organization's project methodology. This is done by efficient and practical guidance during conception of a new or changed product or service (Privacy by Design), as well as by assessing new and existing systems following the established PIA method. Also covers audit guidance and research into privacy seal certification (a new option in the GDPR).
Layer 6 | Processing inventory: A processing inventory is a fundamental element of any privacy program, and will be a mandatory requirement under the GDPR.
The gap assessment results in a roadmap that implements the six layers of a privacy programme in a phased approach
An approach for implementing the GDPR
Layer 1 | Strategy
Layer 2 | Organisation
Layer 3 | Policy, process & data
Layer 4 | Culture & awareness
Layer 5 | Privacy operations
Layer 6 | Processing inventory
1. Define
• Mobilise stakeholders
• Create buy-in
• Collect baseline information
• Define (key) stakeholders
• Define scope, objectives, stakeholders, timeline and involvement for the design phase
• Collect and assess existing documentation
• Create commitment within the organisation
• Gather necessary approvals
2. Design
• Define business requirements
• (Re)design, optimise or harmonise draft deliverables
• (Re)design roles & responsibilities
• Develop implementation plan
• Complete relevant review cycles
• Gather necessary approvals
3. Implement
• Execute implementation plan
• Pilot new solutions
• Optimise and harmonise solutions
• Implement organisational changes
• Roll out new processes, roles & responsibilities
• Train staff in the use of new processes and solutions
4. Operate
• Start daily operations in the newly designed way
• Support managers and staff to ensure that the new situation is operationalised
• Ensure continuous improvement by using the Plan-Do-Check-Act cycle
• Ensure hand-over to the business
All actions that may be necessary for implementing privacy and the GDPR are given in the layers of Deloitte's privacy programme. A gap assessment indicates which gaps exist in each of these layers; those gaps can subsequently be addressed in a structured manner using a four-phase approach. This provides a clear way of working and ensures you remain in control of the phases and their progress.
An approach for implementing the GDPR
Building a change program
Example of readiness assessment
A gap assessment is:
• A powerful tool to create a baseline for privacy
• Based on our Privacy, Security and Governance framework, covering all elements of the described privacy program
• Instrumental in finding the areas with the biggest risk
• Used to focus on those areas which most urgently need action
• A good starting point for a tailored privacy program
• A method to see how mature the organization currently is
Knowing where your organization stands
Objective of GDPR gap / readiness assessment
1. Understand the business and the current status quo by conducting workshops for each relevant business process within the organization.
Deliverables: documented understanding of the processes dealing with PI and of the existing technical and organizational measures for protection; PI data inventory and data-flow mapping.
2. Establish a compliance framework (based on EU and local regulations) and conduct the gap assessment.
Deliverables: documentation of all identified gaps, with prioritization and recommendations; insight into the current level of maturity against the framework.
3. Define the action plan: design and implementation of the relevant changes.
Deliverable: roadmap, including implementation packages (processes, legal, technology).
The gap assessment provides clarity on the following privacy domains
Key focus areas of the GDPR Gap Assessment
Governance
• What are the roles and responsibilities with regard to personal data protection?
• What organization model (e.g., centralized / decentralized) is used?
• Who is accountable?
Processes
• Are processing detection processes in place?
• Are risk management processes implemented?
• Is incident management in place?
• Are there written policies and procedures with regard to data protection?
Data
• What personal data (entity) types can be distinguished?
• How sensitive is the personal data?
• Is data transferred to other parties and across borders?
• Where is data physically stored?
• Are external parties/processors involved?
Technology
• Which systems are used for processing personal data?
• What support systems are in place (registration, detection)?
• How are systems secured?
Legal requirements / Commercial use
• How does the (online) commercial use of personal data relate to privacy requirements (i.e. privacy, cookie and spam legislation)?
The gap assessment provides insight into:
• State of affairs of key personal data management processes
• Privacy risks
• Key focus areas for privacy
• Priorities
• Timing
Personal Data Inventory and Data Flows mapping
Example results:
• Effective data protection looks across the data lifecycle to allow an enterprise to tailor policy in a way that keeps information safe, yet available to those authorized to access it.
• Creating a personal data inventory and/or personal data flow maps will allow you to understand and analyze the scope of privacy in your organization.
[Figure: data lifecycle risk map. Lifecycle stages: Collection, Storage, Use, Sharing, Retention & Destruction. Specific risks shown along the lifecycle: inconsistent methods, distributed storage, accidental loss, inappropriate third-party controls, partial deletion, accidental deletion, inappropriate classification, inappropriate security controls, data distributed across network, unnecessary retention, improper duplication, theft or breach, improper access/sharing, misuse.]
[Figure: personal data inventory template with the columns Process, Purpose, Data subjects, Data types, Repository, Location, Recipients, Retention period, Risk, Security measures.]
Example results:
Personal Data Inventory and Data Flows mapping (continued)
Detailed report on all identified gaps with prioritization and recommendations
Example results:
1. Privacy compliance requirements based on current legislation.
2. Requirements focused on future legal requirements from the GDPR.
3. Privacy requirements based on standards, relevant jurisdictions, industry standards and best practices.
4. Each requirement can be used to measure the current state of privacy within your organization.
Identified Gaps
№ | Privacy domain (area) | Requirement | Description of non-compliance | Risk classification | Next steps
1 | (placeholder text) | (placeholder text) | (placeholder text) | High risk | (placeholder text)
2 | (placeholder text) | (placeholder text) | (placeholder text) | Medium risk | (placeholder text)
3 | (placeholder text) | (placeholder text) | (placeholder text) | Low risk | (placeholder text)
(The sample rows on the slide are filled with lorem ipsum placeholder text; only the risk classification column, given in Bulgarian on the slide, carries content.)
The Roadmap shows the timing and priority of the various actions that have emerged from the gap assessment
Example results for next steps: Roadmap
Roadmap chart over months 1 to 12; work packages (WP) and quick wins (QW) per domain:
• Strategy: WP 1
• Roles & responsibilities: WP 2
• Policies, procedures & guidelines: WP 3
• Training & awareness: QW 1, WP 4
• Transparency: WP 5
• Privacy rights: WP 6
• Records of processing activities: WP 7
• Third party data transfers: WP 8, WP 9 & WP 10, WP 11
• Data retention: WP 12
• Security measures: WP 13
• Incident management: WP 14
• Privacy impact assessment: WP 15
• Audit: WP 16
• Supervising authorities: WP 17
Example results for next steps: Roadmap – working package
Work Package 1: Privacy Training
Estimated duration: 3 – 4 months
Objective: Provide function- or department-specific privacy training to employees who process personal data, in order to explain how they can help to avoid privacy incidents.
Nature of requirement: Legal requirement.
Recommended activities:
• Build a company-specific privacy training that allows employees to understand all privacy risks related to the personal data they process.
• Link with the existing IT policy.
• Ensure that training & examples are function- or department-specific.
Control domain: Training & Awareness
Stakeholders: Legal & Compliance; HR; heads of business departments
Dependencies: WP 1
Risks mitigated: There are no training or guidelines for employees related to privacy compliance (e.g. no instructions about storing personal data in tools like ABC CRM). A lack of privacy awareness is the cause of a considerable percentage of privacy breaches.
Estimated effort:
• External training: 5 days to adapt to the company environment, 1 day to provide face-to-face training.
• Building own training: 3 – 4 weeks.
Comments: (none on the slide)
Useful resources
• Bulgarian Data Protection Authority site – bulletins, practice, Q&As
• ISACA Data Privacy Impact Assessment – guidelines and toolkit
• ISO 29134:2017 Information technology — Security techniques — Guidelines for privacy impact assessment
• ISO 29151:2017 Information technology — Security techniques — Code of practice for personally identifiable information protection (note: intended to be used together with ISO 27001)
• EU Article 29 Data Protection Working Party guidelines on DPIA, the right to data portability, the data protection officer, automated individual decision-making and profiling, data processing at work, and others
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.
Deloitte Central Europe is a regional organization of entities organized under the umbrella of Deloitte Central Europe Holdings Limited, the member firm in Central Europe of Deloitte Touche Tohmatsu Limited. Services are provided by the subsidiaries and affiliates of Deloitte Central Europe Holdings Limited, which are separate and independent legal entities.
Deloitte provides audit, tax and legal, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 225,000 professionals, all committed to becoming the standard of excellence.
This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.
© 2017 Deloitte Bulgaria