
GDPR – why it matters and isaca impact assessment Solutions



Presentation Transcript


  1. GDPR – why it matters and isaca impact assessment Solutions • ISACA Member of New Technology Identification Working Group • ISACA Member of Vision: Learning Solutions for IT and IT Audit Professionals WG • ISACA Member Vision: Learning for Organizations WG • ISACA Member Chapter Formation Working Group • ISACA Member CSXP Job Analysis Working Group • Co-Chair - JTC1 – ISO International (ANSI) • US Cyber command/Stratcom – Liaison (Cyberwarfare/Cybersecurity) • US National Cyberwatch Centre – Curriculum Standard Panel Member • GNSO - NCUC-NCSG - ICANN Member to RDP • NCUC – ICANN Member to WT5 - Geonames • Working ICANN Member on GDPR • Cloud Advise – Founding Member and Advisory Councilor • Internet Governance Forum – Member • Advisory member – ENISA Cyber Europe • Advisory trustee/member – IOT Security foundation • Co-Chair – FWasS – Cloud Security Alliance • Bank of America - Advisory Board Member • Chartered Institute of IT - BCS – SFIA 7 Audit, security & business reviewer • DZB Bank International – Blockchain Advisory • NATO – Chair of Cyber watch and Intelligence Committee • Internet of Things Institute – Member • Professor Cyberwarfare - National Defense University - D.C • Visiting Professor – MIT, Princeton, UCHICAGO & Yale. Prof. Dr. Kris Seeburn, ISACA – INTOSAI WGITA Volunteer Liaison, 04/18/2018. ADDITIONAL ISACA BUSINESSES AND BRANDS:

  2. FOOD FOR THOUGHT AS AUDITORS NOT ONLY AS IFRS AUDITORS • “People don’t usually talk about auditing and innovation in the same breath. But, if we are going to continue to be an important function we need to think innovatively about how we adapt given the pace of change.”

  3. DEFINITION OF IT AUDIT • For some, it means checking the current state of security. • For others, it’s a review of a maintained log of changes over a period of time. • And still for others, it’s a review of the defined standards (that is, without actually looking at whether those standards are properly implemented).

  4. So, is there a “correct” definition of an audit? • I like to use the most everyday use of the term audit to find some common ground that we all can agree on – an IRS audit. • We all either know first hand or get what the TAX DEPT is doing – they are examining your submitted tax records and validating them. • In essence, the tax dept. is providing an external review of that which you believe to be true.  • And they don’t just take your word on it; they cross-reference all the forms from external sources –a year-end mortgage interest statement, etc. – all to corroborate your “story”.

  5. So, is there a “correct” definition of an audit? • IT audits should be looked at the same way. • You need an external review of what you believe to be the state of changes and security. • Otherwise, you’re just fooling yourself into believing that your network is, and has been, secure and without incident. • So, what constitutes an external review? • Does it mean that you absolutely must hire an independent auditor? • Or some security expert with their set of best practices? • Not necessarily. In fact, the external part is in reference to that which you believe to be true. It means, if you rely on, say, a change log of some kind (which represents the list of what you believe has happened on your network), you need to have another means to corroborate that every change was logged.

  6. Transformational decade of auditing

  7. Don’t Forget IFRS 15 & 16

  8. "if you get something for free, you are not the customer, you are the product"

  9. Is Your Enterprise/ Govt Ready for the GDPR Compliance Deadline? • WHO: Enterprises that offer goods or services (regardless if payment is required) within the EU as well as enterprises that monitor EU subjects' behavior within the EU. • WHAT: New data privacy mandates have been issued by European Union regulation. • WHEN: GDPR compliance must be achieved by 25 May 2018. • WHERE: Includes any organization in the world if it retains or processes information on any citizen in the EU. • WHY: To better protect any individual's personal information, to secure rights for the individual over that collected information, and to force enterprises to follow a uniform scheme for data protection. • HOW: Follow ISACA's privacy guidance on how best for your enterprise and its staff to assess your unique data protection needs and meet the GDPR compliance standards set by the EU.

  10. What is GDPR? • GDPR – or the General Data Protection Regulation – replaces the Data Protection Act 1998, which itself followed the 1995 EU Data Protection Directive. • When does it apply? • The regulation came into force on 24 May 2016 but the law will not apply to businesses and organisations until 25 May 2018. Because it’s a regulation rather than a directive, it will apply automatically after this date, subject to any “derogations”. It’s not anticipated that these derogations will change the impact of GDPR on businesses or accountancy practices.

  11. Why is it needed? • Internet and cloud technologies have grown rapidly since the EU Data Protection Directive of 1995, giving companies new ways of using and sharing the personal data that they collect. • As well as providing individuals with greater protection in this changed landscape, the EU also want to make data protection law identical across the single market. • What are the penalties for non-compliance? • There are fines of up to 4% of annual worldwide turnover or €20 million, whichever is greater.

  12. How will GDPR affect accountancy practices? • GDPR will apply to all organisations of any size that are resident in the EU, carry out business with EU residents or process any EU citizen’s personal information. • For an accountancy practice, here are just a few of the types of data that will be covered by the regulations: • Data you hold in order to service your clients, for example: • Data in your practice management systems • Data in your compliance systems, including personal tax, bookkeeping, payroll and accounting data • Any working papers that support your compliance work which contain personal data • Any data you hold for marketing purposes • Emails and correspondence, both internal and external, since many of these will relate to clients and to their employees and will therefore contain personal data.

  13. How will GDPR affect accountancy practices? • GDPR imposes a number of obligations on you in relation to this data. In summary, they are: • You must have precise knowledge of the data you hold and process, its geography, security usage and composition: • Is it personal, prohibited, client-related or employee-related? • How is it captured - is it permitted by law or by the client? • You must be able to provide information on how the data is used and on the rights of individuals regarding their data • You must demonstrate that you are managing personal data in a manner compliant with the regulations and be able to supply, on request, the details of the data you hold and how it has been used • You have to be able to erase every instance of an individual’s data in compliance with the right to be forgotten (including data held in backups) • You must offer storage or conversion of data in a format that allows portability to other data processors
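The erasure obligation in the last two bullets is the hard one, because backups are normally immutable. One way to make erasure cover backup copies is to encrypt each subject's records under a key of their own and delete that key on request (often called crypto-shredding). The slide does not name this technique; what follows is an added example written for this page, not ISACA's or the presenter's code. The `SubjectVault` class, the record layout, the client identifiers and the stand-in cipher are all assumptions.

```python
"""Per-subject encryption keys ('crypto-shredding') so that erasing one
person's data, including copies sitting in backups, reduces to deleting that
person's key. Added example, not from the slides; the slides do not name this
technique. The cipher is an HMAC-SHA256 keystream with an HMAC tag purely so
the example runs on the standard library; use a vetted AEAD (e.g. AES-GCM
from the `cryptography` package) in a real system."""
import copy
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Tuple


def _subkeys(master: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from the subject's master key.
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(master: bytes, plaintext: bytes) -> Dict[str, str]:
    enc_key, mac_key = _subkeys(master)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt(master: bytes, blob: Dict[str, str]) -> bytes:
    enc_key, mac_key = _subkeys(master)
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SubjectVault:
    """Records exist only in encrypted form; keys live in a separate key store."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}                    # key store: subject -> master key
        self.records: Dict[str, List[Dict[str, str]]] = {}  # data store: subject -> blobs

    def store(self, subject_id: str, record: dict) -> None:
        key = self.keys.setdefault(subject_id, secrets.token_bytes(32))
        self.records.setdefault(subject_id, []).append(encrypt(key, json.dumps(record).encode()))

    def export_portable(self, subject_id: str) -> str:
        """Portability: everything held on one subject, as machine-readable JSON."""
        key = self.keys[subject_id]
        return json.dumps([json.loads(decrypt(key, b)) for b in self.records.get(subject_id, [])],
                          indent=2, sort_keys=True)

    def erase(self, subject_id: str) -> None:
        """Right to be forgotten: dropping the key makes every copy of the blobs unreadable."""
        self.keys.pop(subject_id, None)
        self.records.pop(subject_id, None)


def readable_in_backup(vault: SubjectVault, backup: Dict[str, list], subject_id: str) -> bool:
    """Can an older backup of the data store still be read for this subject?"""
    key = vault.keys.get(subject_id)
    if key is None or subject_id not in backup:
        return False
    try:
        for blob in backup[subject_id]:
            decrypt(key, blob)
        return True
    except ValueError:
        return False


def demo() -> dict:
    vault = SubjectVault()
    # Constructed, fictional client records for an accountancy practice.
    vault.store("client-0042", {"name": "A. Example", "payroll_ref": "PR-17", "tax_year": 2017})
    vault.store("client-0042", {"name": "A. Example", "email": "a.example@example.invalid"})
    vault.store("client-0099", {"name": "B. Sample", "tax_year": 2017})
    backup = copy.deepcopy(vault.records)           # nightly backup taken before the request
    export = vault.export_portable("client-0042")   # serve the access/portability request first
    vault.erase("client-0042")                      # then honour the erasure request
    return {
        "export": export,
        "backup_readable_after_erase": readable_in_backup(vault, backup, "client-0042"),
        "other_subject_unaffected": readable_in_backup(vault, backup, "client-0099"),
        "blobs_still_in_backup": len(backup["client-0042"]),
    }
```

The encrypted blobs are still physically present in the backup after erasure, but nothing can read them once the key is gone. That only holds if the key store is backed up separately from the data store and on a shorter retention cycle; an old key-store backup that outlives the erasure request brings the data back. The export is taken before the key is dropped so that a portability request and an erasure request for the same person can both be served.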

  14. How COBIT Can Help With GDPR Compliance Defining High-risk Data and Impact Assessments Companies must conduct data protection impact assessments (DPIAs) when using new technologies for any data deemed of high risk to the rights and freedoms of EU citizens. Those assessments also must describe how the company is addressing the risk through systematic and extensive processing or monitoring activities. This is akin to a risk assessment, which assesses the risk and measures in place to address it. These are the primary COBIT processes to consider: • EDM02 Ensure Benefits Delivery • EDM04 Ensure Risk Optimization • APO11 Manage Quality • APO12 Manage Risk • APO13 Manage Security • DSS05 Manage Security Services • DSS06 Manage Business Process Controls

  15. How COBIT Can Help With GDPR Compliance Protection, Processing and Storing of Personal Data For each individual, all personal data must be processed transparently, and only for the purpose specified. Companies must provide a “reasonable” level of data protection and privacy. Data must be processed securely to protect against unauthorized access, loss or damage. This must be done using appropriate technical/organizational measures. GDPR does not define what that means, but it is safe to presume that if the data are lost or stolen, the enterprise is clearly in breach of compliance. These are the primary COBIT processes to consider: • EDM05 Ensure Stakeholder Transparency • APO01 Manage the IT Management Framework • APO02 Manage Strategy • APO03 Manage Enterprise Architecture • APO10 Manage Suppliers • BAI01 Manage Programs and Projects • BAI02 Manage Requirements Definition • BAI03 Manage Solutions Identification and Build • BAI04 Manage Availability and Capacity • BAI06 Manage Changes • BAI07 Manage Change Acceptance and Transitioning • BAI08 Manage Knowledge • BAI09 Manage Assets • BAI10 Manage Configuration

  16. How COBIT Can Help With GDPR Compliance Consent, Portability, Right to Access and Right To Be Forgotten Individuals must provide consent regarding the personal data being stored, and those individuals have the right to know, upon request, what personal data a company is using and how the data are being used. An EU citizen may transfer his/her personal data from one company to another upon request in a machine-readable format. Furthermore, companies will stop processing and/or delete personal data upon an EU citizen’s request. This requirement goes one step further: allowing the EU citizen the right to be forgotten by having personal data deleted upon request. These are the primary COBIT processes to consider: • EDM05 Ensure Stakeholder Transparency • APO01 Manage the IT Management Framework • APO08 Manage Relationships • APO09 Manage Service Agreements • APO10 Manage Suppliers • BAI08 Manage Knowledge

  17. How COBIT Can Help With GDPR Compliance Appointment of Data Protection Officers Some companies must appoint a data protection officer (DPO), who oversees the company’s data security strategy and overall GDPR compliance. Which enterprises are required to have a DPO? The requirement applies to those that process or store large amounts of EU citizen data, process or store personal data, regularly monitor data subjects, or are public authorities. These are the primary COBIT processes to consider: • EDM01 Ensure Governance Framework Setting and Maintenance • APO07 Manage Human Resources • BAI05 Manage Organizational Change Enablement

  18. How COBIT Can Help With GDPR Compliance Reporting Data Breaches Enterprises (more specifically, data controllers) are required to notify data protection authorities within 72 hours of discovering a breach. Data processors would typically discover a breach and would be responsible for notifying the controller. Many organizations already have these procedures in place, but few actually conduct tests to ensure the standards are met. These are the primary COBIT processes to consider: • DSS01 Manage Operations • DSS02 Manage Service Requests and Incidents • DSS03 Manage Problems • DSS04 Manage Continuity • DSS05 Manage Security Services • DSS06 Manage Business Process Controls

  19. How COBIT Can Help With GDPR Compliance Ensuring Regulatory Compliance To ensure proper compliance to the legislation, organizations need to constantly monitor, evaluate and assess their controls and continually investigate improvements in terms of innovative technologies and ideas. Organizations must provide assurance that they follow the stated requirements. These are the primary COBIT processes to consider: • APO04 Manage Innovation • APO05 Manage Portfolio • APO06 Manage Budget and Costs • MEA01 Monitor, Evaluate and Assess Performance and Conformance • MEA02 Monitor, Evaluate and Assess the System of Internal Control • MEA03 Monitor, Evaluate and Assess Compliance With External Requirements


  21. What does this mean for your Auditing and Reporting Capabilities? • Responsibilities - Data protection doesn't just lie with the IT department. There appears to be growing tension within certain organizations around where this responsibility lies. Our opinion is that it's everyone's responsibility, with the board responsible for leading and implementing a security culture from the top down. IT security teams are increasingly stretched, and often just don’t know where the Crown Jewels of the organization are because they’re simply not tasked with working in the business. Which leads us to Assets. • Assets Assets Assets - Your logical and physical assets are your crown jewels. You need to know where these are. This is a challenge, but there are some good tools on the market that will allow you to discover and classify where your critical information is held. Once you know where it is, you need to understand why you have it and how it's being accessed by both internal and external actors. • Risk Assessment - In order to monitor effectively, and therefore know if you're winning, you’ll need to have deployed policies, processes and technologies. To derive these, you'll also need to perform a risk assessment. This will inform you of where you need to focus your limited resources on mitigating the top risks to your organisation. • Education - We can't say this enough, and this relates to the need to ensure everyone knows their responsibilities and the reasons why certain policies and processes are in place. Without everyone on watch, your task is going to be a lot harder.

  22. The GDPR Audit will: • Cover all of the areas of GDPR and determine their applicability to your business. • Help your business navigate the GDPR in order to answer the audit questions from an informed perspective. • Make every effort to elicit all the required information from the appropriate areas of your business in order to complete the audit in one visit. • Convey our findings at the end-of-audit presentation. • Explain the final report as well as show you how to use it as part of your GDPR programme. • Outline what the next steps should be at the end of the audit period. • Audit Report • The audit report will be full and frank as well as providing you with a prioritised list of detailed recommendations. It will also show you where your business stands against the GDPR.

  23. https://www.dlapiperdataprotection.com/index.html

  24. ISACA Resources http://www.isaca.org/info/gdpr/index.html Next Steps It’s not a case of if the GDPR will be implemented, but when. As of February 2016, we had 2 years to get your cyber security capabilities up to spec. It does seem like a daunting task, but my advice to you is to remember how to eat an elephant: a bit at a time. Start slow and build on your smaller achievements and successes. GDPR global effect Although it’s the EU’s legal act, the new regulation will have extraterritorial application. It will apply to any entity or data controller — inside or outside the EU — that offers goods or services to, or monitors the behavior of, EU residents, and therefore processes any of their personal data. Fines for non-compliance with the GDPR can reach 4% of the company’s annual worldwide turnover or €20 million, whichever is higher.

  25. ISACA Resources • ISACA remains committed to providing the industry with resources and tools to ensure that their organizations are ready and compliant. For additional resources on GDPR, ISACA recommends: • Implementing the General Data Protection Regulation • Maintaining Data Protection and Privacy Beyond GDPR Implementation • Adopting GDPR Using COBIT 5 • More resources are available at www.isaca.org/gdpr and will be updated as ISACA continues to expand its GDPR portfolio, including an upcoming GDPR audit program. The GDPR Assessment is available for complimentary download today and can be found at www.isaca.org/gdpr-assessment.

  26. Call to action 1. Establish the management of your GDPR program by selecting a leader who can coordinate input from stakeholders from every part of the business and related community. It matters less from where this leadership is sourced. Remember that the introduction of GDPR represents a program of work that will become normal business practice, so plan the incorporation of new data processing activities into everyday work. 2. Discover the extent and nature of your risk exposure — and the scale of effort required to achieve compliance — through a data visibility assessment. This identifies the personal data held within the company, documents the sensitivity (special categories) of data, where the data physically resides, how it flows throughout the organization, and the purpose of the data being stored and processed.
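The data visibility assessment in step 2, like the "discover and classify" tooling mentioned on slide 21, starts with finding where identifiers actually sit in the file estate and how sensitive each location is. The following is an added example, not the presenter's or ISACA's code, of the simplest form of that scan: a handful of regex detectors run over constructed sample documents, producing one inventory row per document with its location, what it contains and a sensitivity class. The detector patterns, the special-category term list and the sample paths are illustrative assumptions; real discovery tooling uses far more patterns and validates checksums.

```python
"""Discover and classify personal data in stored documents: the 'where is it
held and how sensitive is it' step of a data visibility assessment. Added
example, not from the slides; the detectors are illustrative patterns, not a
complete set, and the sample documents are constructed."""
import re
from collections import Counter
from typing import Dict, List

# Direct-identifier detectors (illustrative; real tooling uses many more, plus checksums).
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone_intl": re.compile(r"\+\d{1,3}[ \d]{8,14}\d"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}(?: ?[A-Z0-9]{1,4})?\b"),
    "uk_nino": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
}
# Terms that hint at special-category data (health, beliefs, union membership, ethnicity).
SPECIAL_TERMS = ("health", "medical", "religio", "trade union", "ethnic")

# Constructed sample documents keyed by a fictional path on the practice's file share.
SAMPLE_DOCUMENTS = {
    "clients/tax-2017/a-example.txt": (
        "Client: A. Example, a.example@example.invalid, tel +44 20 7946 0000, "
        "NINO AB123456C. Bank GB29 NWBK 6016 1331 9268 19."),
    "hr/absence-notes.txt": "Employee E0042 absent; health: back injury. Contact b.sample@example.invalid",
    "marketing/brochure.txt": "Our office is open 9am to 5pm. Call 0800 000 0000 for a quote.",
}


def scan_text(text: str) -> Dict[str, int]:
    """Count matches per detector category; categories with no hits are omitted."""
    counts: Counter = Counter()
    for category, pattern in DETECTORS.items():
        hits = len(pattern.findall(text))
        if hits:
            counts[category] = hits
    return dict(counts)


def has_special_category_terms(text: str) -> bool:
    lowered = text.lower()
    return any(term in lowered for term in SPECIAL_TERMS)


def classify(counts: Dict[str, int], special: bool) -> str:
    """'special' outranks 'personal'; special terms without any identifier stay 'none'."""
    if special and counts:
        return "special"
    return "personal" if counts else "none"


def build_inventory(documents: Dict[str, str]) -> List[dict]:
    """One inventory row per document: where it is, what it contains, how sensitive it is."""
    rows = []
    for path, text in documents.items():
        counts = scan_text(text)
        rows.append({"path": path, "counts": counts,
                     "classification": classify(counts, has_special_category_terms(text))})
    return rows
```

The brochure coming back as "none" shows the limitation of pattern-based discovery: its domestic phone number is missed because only the international form is detected. A scan like this seeds the inventory and points the review at the right shares; it is not proof that a location holds no personal data.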

  27. Call to action  3. Assess technology's role early in the program. GDPR cannot be solved without technology, and security technology is particularly important. Remember that it is not just a matter of selecting and implementing security technology as part of the GDPR program that is important. GDPR should change organizational behavior, and technology changes should be considered at all stages of the life cycle of personal data. DPIAs will mandate a continuous awareness of technology's impact. 4. Review the impact of GDPR, and its effect of increasing business risk, on your existing data breach protection and detection mechanisms. Protection comes in three parts: the first is controlling access to the data, using identity and access management. The second part is classifying, monitoring, and controlling the data in order to limit its exposure. DLP is a core element in this protection, as it stops sensitive information from leaving the organization. The third part is protecting the organization from the consequences of a data breach. This involves defining — and testing — a breach incident response plan that incorporates mandatory breach notification requirements.

  28. Questions/Comments Direct Contact : Seeburn.k@gmail.com Linkedin: https://www.linkedin.com/in/kseeburn/detail/recent-activity/posts/

  29. Non-European businesses and the GDPR Prior to starting a big reform of your data privacy practices, one should first assess whether the GDPR will apply. The peculiarity of the GDPR is that it extends the reach of EU data protection law to non-European businesses. In particular, non-European businesses which offer goods or services to data subjects in the EU or monitor the data subjects' behaviour (provided that such behaviour takes place in the EU) will be caught and have to comply with the GDPR despite having no office or subsidiary in the EU.

  30. Implications of the accountability principle for businesses • The GDPR focuses on the concept of accountability whereby businesses will have to "demonstrate" compliance with the principles relating to the processing of personal data. • This will involve implementing more demonstrable processes and maintaining a proactive approach. Businesses should also be prepared to respond to requests from individuals who want to exercise their rights about the processing of their personal data, from businesses who are using data processors to process their commercially sensitive information, or to requests and investigations from Supervisory Authorities (SAs). • Failure to do so may expose businesses to high fines (up to 4% of the annual turnover or 20 million Euros, whichever is higher), damage to their reputation and/or loss of business opportunities.

  31. Steps towards demonstrating compliance with the GDPR No matter their size and industry sector, businesses may find it useful to put in place a GDPR compliance programme to implement and monitor their data processing activities, both in terms of their internal business, and for their clients and other third parties they deal with.

  32. Non-European businesses and the GDPR Assessment of current data privacy practices Businesses should review their existing data privacy practices against the GDPR requirements to identify the actions they need to implement to meet the GDPR requirements by 2018. They may then want to identify the key compliance issues they need to focus on to implement their future projects involving the handling of personal data in line with their commercial objectives and market trends. This assessment should be carefully carried out as it will determine what they need to do to comply with their GDPR obligations. This may include assessing the current technologies used to deliver the services to their clients so they also help meet the GDPR requirements.

  33. Non-European businesses and the GDPR • Creation of a data privacy governance structure • The creation of a data privacy governance structure is helpful to implement and drive the GDPR data privacy compliance programme. • It needs to involve senior management at the outset of its inception to ensure it is incorporated into the board management's agenda and is fully supported throughout its lifecycle. It should set out the tasks, responsibilities and reporting lines of the individuals involved and should remain in place on a permanent basis to ensure continuous compliance with the GDPR. • Businesses that already have a data protection officer (DPO) in place may ask the DPO to create such a governance structure and be accountable for the overall data privacy programme. • Those who do not have a DPO yet should carefully consider designating one internally or externally, whether or not they are required to do so - read more about DPOs here

  34. Non-European businesses and the GDPR Personal data inventory • Both data controllers and data processors have the obligation to maintain records of their processing activities including the personal data flows. • This is a major shift from the current European data protection regime where some Member States require prior authorisation of certain personal data processing activities (e.g. for the transfer of personal data). This also means that businesses will need to have a clear understanding of their data processing activities and security systems to be able to record them all. • A data mapping exercise may prove useful to achieve this. This involves creating specific tools (manual or electronic) that capture the obligations and constantly monitor and report on data processing activities. • That inventory must be up-to-date and as accurate as possible as it may be subject to audit by SAs.

  35. Non-European businesses and the GDPR • Creating information notices • The GDPR requires data controllers to inform the data subjects about the processing activities carried out including detailing the type of data collected, the purpose for which it is collected, how it is being used and protected, the name of the organisation processing the personal data and the data subject's rights including the right of access, to object, and to erasure (the right to be forgotten). • This transparency obligation means that businesses will have to comply with their notice obligations (a list of mandatory notices is provided by the GDPR) and amend their internal policies accordingly.

  36. Non-European businesses and the GDPR • Consent mechanisms • The conditions for consent are harder to meet under the GDPR and businesses will have to review their current data processing activities which rely on consent, as well as their privacy policies. In addition, businesses will have to document the collection of consent. • For employment purposes, specific conditions may apply as Member States are entitled to take specific measures in that area so businesses should be aware of any additional requirements in their own jurisdiction. • As far as marketing activities are concerned, it remains to be seen whether the e-Privacy Directive (currently under review) will align its conditions for consent with the GDPR.

  37. Non-European businesses and the GDPR • Implementation of technical and organisational measures • Both data controllers and processors have to implement appropriate technical and organisational measures to ensure that personal data processed is securely and adequately protected. • Businesses should explore implementing security techniques such as pseudonymisation and privacy by design and default in their data processing activities. • They should also work alongside their cybersecurity teams and other business functions to ensure that the appropriate security measures are applied and comply with their clients' requirements where appropriate. • Again, there should be clear documentation of these techniques as well as regular testing and updating.
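Pseudonymisation in the second bullet only reduces risk if whoever receives the data cannot recompute the pseudonym. The following is an added example, not from the slides, contrasting an unkeyed hash of a predictable identifier (reversible by hashing every plausible value) with a keyed HMAC pseudonym whose key and lookup table the controller keeps apart from the shared data. The `Pseudonymiser` class, the domain label and the payroll rows are assumptions made for illustration.

```python
"""Pseudonymisation of direct identifiers: an unkeyed hash beside a keyed
(HMAC-SHA256) pseudonym with the key held apart from the data. Added
example, not from the slides; identifiers and records are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional


def unkeyed_pseudonym(identifier: str) -> str:
    """Weak: a plain hash of a low-entropy identifier can be matched by hashing every plausible value."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes, domain: str) -> str:
    """Keyed: recomputing it needs the secret; the domain label stops the same person from
    getting the same pseudonym in datasets shared with different recipients."""
    return hmac.new(key, f"{domain}:{identifier}".encode(), hashlib.sha256).hexdigest()


def match_unkeyed(pseudonym: str, candidates: Iterable[str]) -> Optional[str]:
    """Why unkeyed hashing is not pseudonymisation: every candidate is simply tried in turn."""
    return next((c for c in candidates if unkeyed_pseudonym(c) == pseudonym), None)


class Pseudonymiser:
    """Replaces direct identifiers before data leaves the system of record.
    The key and the lookup table stay with the controller; only pseudonymised rows are shared."""

    def __init__(self, domain: str) -> None:
        self.domain = domain
        self.key = secrets.token_bytes(32)
        self.lookup: Dict[str, str] = {}   # pseudonym -> identifier, for controlled re-identification

    def pseudonymise(self, record: dict, direct_ids: Iterable[str]) -> dict:
        out = dict(record)
        for field in direct_ids:
            if field in out:
                p = keyed_pseudonym(str(out[field]), self.key, self.domain)
                self.lookup[p] = str(out[field])
                out[field] = p
        return out

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Only possible with the controller's table (e.g. to answer an access request)."""
        return self.lookup.get(pseudonym)


def demo() -> dict:
    # Constructed payroll rows; employee numbers are predictable, so an unkeyed hash is not enough.
    rows = [{"employee_no": "E0042", "gross": 3200}, {"employee_no": "E0137", "gross": 2875}]
    p = Pseudonymiser("payroll-2018")
    shared = [p.pseudonymise(r, ["employee_no"]) for r in rows]
    candidates = [f"E{i:04d}" for i in range(10000)]   # the whole plausible identifier space
    return {
        "shared": shared,
        "unkeyed_reversed": match_unkeyed(unkeyed_pseudonym("E0042"), candidates),
        "keyed_reversed": match_unkeyed(shared[0]["employee_no"], candidates),
        "controller_reidentify": p.reidentify(shared[0]["employee_no"]),
    }
```

Keeping the key and lookup table in a separate system is the organisational half of the measure: a recipient holding only the pseudonymised rows cannot re-identify anyone, while the controller still can when an access or erasure request arrives. Using a different domain label per recipient also prevents two recipients from joining their datasets on the pseudonym.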

  38. Non-European businesses and the GDPR • Data Protection Impact Assessments • Data Protection Impact Assessments (DPIAs) are an essential compliance tool under the GDPR. • They are intended to help identify and manage risks to personal data. • They are also crucial in showing the SAs that a business has done everything it can to ensure data is processed in accordance with the law.

  39. Non-European businesses and the GDPR • Reporting personal data breaches • The GDPR specifically mentions that reporting personal data breaches forms part of the accountability principle. • Businesses will need to create formal procedures to ensure that personal data breaches are addressed appropriately and in a timely manner to mitigate the risks to the individuals affected by the breach (e.g. misuse, loss of data, damage, rights and freedoms of the individuals). • Such procedures will need to be tested to ensure they work properly. • The introduction of the accountability principle means that businesses will have to do more and be seen to be doing more to comply with European data protection law. The creation of a GDPR data privacy compliance programme is the first step. • Demonstrating compliance is not just about showing that a business can achieve compliance with the GDPR requirements. It has to reflect and record actual compliance.
