STRATEGIES FOR EFFECTIVELY WORKING WITH THIRD-PARTIES. September 2017
2 Your presenters
- Nancy Aubrey, Partner, Boston, MA
- Rick Shriner, Principal, McLean, VA
3 Agenda
- Overview of current trends affecting relationships with third parties
- Third-party management lifecycle: assessing risk and maintaining control
- Emerging regulations impacting bioscience companies: the European Union's new data protection standard
4 ISSUES / TRENDS
5 Industry trends impacting third-party management
- Heavy reliance on third parties
- Increased outsourced research activity
- Global clinical trials
- Single-point-of-failure risks with CMOs
- Global sales and supply chains
- Third-party data breaches
- Changing regulations: EU GDPR's impact on bioscience companies in the US
6 Broader third-party trends
Trends noted by the CEB Audit Leadership Council in their 2017 Audit Plan Hot Spots include:
1. Decreased visibility into the third-party network
- Decentralization in decision-making leads to poor visibility
- Third-party relationships lead to fourth or even fifth parties
2. Increased third-party access to sensitive company data
- With organizations digitizing and relying on increasing amounts of data, more information will be reaching third parties, both accidentally and by design
- Increased risk of data breaches and non-compliance with data privacy regulations
Source: 2017 Audit Plan Hot Spots, CEB Audit Leadership Council
7 THIRD PARTY RELATIONSHIP MANAGEMENT (TPRM) LIFECYCLE
8 Third-Party Relationship Management (TPRM) Lifecycle
9 TPRM Maturity Continuum
Stages, from least to most mature: WEAK, SUSTAINABLE, MATURE, INTEGRATED, ADVANCED.
Characteristics along the continuum: ad-hoc processes; problem driven; inconsistent outcomes; rework; reactive; individual effort; basic process; processes follow a regular pattern; repeatable practices; reduced rework; processes not standardized; documented processes; standard approval processes; proactive and reactive; request driven; technology utilized; improved productivity; stable processes; proactive; accountable; effective monitoring; formal change management process; service level agreements; continuous improvement; strong business relationships; predictability; quality driven; optimizing costs and quality; agile; fully automated; complete integration; enterprise-wide knowledge; planned innovations; change management fully implemented; strategic performance metrics.
10 Understanding Third-Party Requirements (Planning)
- Do not let third parties define your requirements
- Establish ownership for the product or service to be provided and for the supporting third-party relationships
- Involve all relevant stakeholders
- Assign a weight to each requirement
- Begin thinking about control requirements related to information risk early in planning
- Present requirements to potential third parties and include them in the third-party selection and management process
- Assess the risks of the product or service the third party will support
- Identify specific risks and include how they are mitigated in your third-party evaluations
11 Understanding Third-Party Risk (Planning)
Assess the risks of the product or service the third party will support. Risk categories: Transaction/Operational; Liquidity/Financial; Credit; Reputation; Strategic; Compliance/Legal; HR; Rate/Pricing.
Identify specific risks and consider how they are mitigated in your third-party evaluations.
12 Evaluation of third-party qualifications (Due Diligence)
- Existence and corporate history
- Qualifications, backgrounds, and reputations of company principals, including criminal background checks where appropriate
- Other companies using similar services from the provider that may be contacted for references
- Financial status, including reviews of audited financial statements
- Strategy and reputation
- Service delivery capability, status and effectiveness
13 Evaluation of information risk during due diligence
14 Capturing data security requirements
15 Capturing data security requirements (cont.)
16 Critical elements of agreement (Contracting)
- Duration
- Dispute resolution
- Indemnification
- Limitations of liability
- Termination
- Assignment
- Regulatory compliance
- Scope
- Performance standards (service-level agreements [SLAs])
- Security and confidentiality
- Controls
- Audit
- Reports
- Business resumption
- Subcontracting
- Ownership and licensing
17 Common issues with contract clauses (Contracting)
- Contain one-sided clauses
- Inadequately address service levels (with penalties)
- Silent about regulatory requirement maintenance
- Multi-year auto-renewal term
- Excessive notification lead time for opt-out
- May require payment for disputed items
- May ask for payments before delivery
- Silent about audit rights
18 Third-party contract management (Contracting)
- Maintain a central repository for all agreements
- Assign responsibility for management and oversight
- Manage key dates and ongoing due diligence: periodic performance reviews; insurance coverage; business continuity testing; financials; changes in leadership; data breaches; legal filings
- Notices to the third party to prevent auto-renewal
19 Monitoring Third Parties (Ongoing Monitoring)
- Monitor your third parties' financial position
- Monitor the user base: stability and growth; type and size of client organizations
- Monitor R&D indicators: investment in development; industry trends
- Monitor audit reports: controls reviews; penetration testing results; business continuity test results; SSAE 16 SOC 1 and SOC 2 reports (outsourced services); regulatory sources
20 Why organizations conduct third-party compliance audits (Ongoing Monitoring)
Reactive:
- Monetary obligations are nonexistent, late, or trending downward
- Services or products are not delivered on time
- Quality issues
- Public information and press releases contradict the performance of the agreement
Proactive:
- Organization has developed a third-party contract compliance risk management process
- Fiduciary responsibility to organization stakeholders
- Agreement is financially material to the organization
- Organization is looking to restructure the agreement
- Agreement will be expiring soon
- Induce future compliance
21 Factors impairing ongoing monitoring (Ongoing Monitoring)
- Contracts are not centrally located and tracked
- Employees may not have the underlying contract and/or all corresponding amendments
- Intimate knowledge of third-party existence and activities is limited to comparatively few employees
- Nuances between similar agreements with other third parties are not understood
- Clear ownership for monitoring activities does not exist, and the monitoring activities are ad hoc and manual
- Lack of a formal process to assess changes in the third parties' organization
- Notifications of non-compliance are not identified as the issues arise
22 Managing through contract termination (Termination)
Eventually, contract termination is an inevitable phase in the third-party relationship lifecycle. Reasons for contract termination may include:
- Contract completion
- Breach of contract
- Merger or acquisition
- Assignment to another party
- Third party goes out of business
Risk considerations:
- Confidential information (e.g. trade secrets): what happens to the data
- Reputational risk
- Business continuity: disruption of operations
Considerations to manage situations when termination occurs:
- Clearly specified contract termination rights in the contract
- Internal transition plan (timeline, responsibilities)
23 Third-party relationship compliance red flags
Third parties and agreements that exhibit at least one of the following characteristics have an increased risk of non-compliance with the terms and conditions of the contract:
- Complexity of agreement
- Multiple locations or parties involved (related and non-related parties)
- Changes in accounting and reporting systems
- Changes in third-party key personnel
- New products, services or expanded product lines
- Mergers and acquisitions
- Third-party reporting/financial obligations are late or cease to exist
- Performance provided by the third party does not correlate with market/industry trends
Red-flag categories: contract terms; monitoring efforts; third-party characteristics
24 BUILDING A FRAMEWORK TO ASSESS TPRM RISKS
25 Overview of Approach
Step 1: 3rd Party Prioritization
Step 2: Refine the 3rd Party Risk Assessment Framework
Step 3: Deploy the 3rd Party Risk Assessment Survey
Step 4: Compliance Audit
Continuous Monitoring throughout
Develop a framework for the assessment program, not just a questionnaire. Develop a workflow and process for conducting surveys, evaluating responses, weighting responses, compliance audit requirements and having the right information on which business decisions are made. These decisions include which third parties should provide additional information, those that would require an in-depth audit or a spot audit, and those where completion of the survey is satisfactory. The next step is the deployment of the surveys to the third parties in a tiered and practical approach.
Risk areas to audit: Operational Performance; Security (Information Privacy and Protection); Regulatory Compliance; Personnel; Financial (total spend analysis; tax analysis; self-reporting accuracy; other financial clauses such as MFN, SLAs, etc.)
26 Factors for Prioritization
Third-party risk areas and third parties themselves can be prioritized based on factors such as:
- Third-party impact on enterprise-level risks
- Contract language (specificity, operational versus financial, etc.)
- Evidence of potential errors or manipulation
- Operational performance including software quality, incident management, etc.
- Complexity of contracts (number of agreements, calculation of costs, complexity of pricing models)
- Strength of contract audit clause
- Third-party access to critical business information
- State of the relationship (new, ending, short-term, long-term)
- Financial strength of vendor
- Impact to the nature of the relationship (strategic, significant, considerable, insignificant)
- Geographic considerations (location of vendor, multiregional agreements)
- Third-party reliance on sub-contractors or other third parties
- Regulations
27 Building a Third-Party Risk Assessment Framework
Perform the following key tasks in developing the framework for a third-party risk assessment:
- Define roles and responsibilities for the project team.
- Define the project plan, project charter, and communication plan.
- Determine and agree on the questionnaire format, quantity of questions, target audience, and delivery format.
- Develop workflow for risk assessment
- Develop weighting criteria
- Develop decision-making criteria
- Develop compliance audit program
Framework diagram labels: DESIGN 3RD PARTY RISK FRAMEWORK (inputs: best practices & standards; industry focus; regulatory requirements; business needs; geography); CURRENT STATE UNDERSTANDING (governance & risk; policies & procedures; business processes; critical assets; controls; current state); OPTIMIZED FRAMEWORK; DESIRED RISK MITIGATION
28 Contract Compliance Assessment Scorecard
Example Scorecard: Responses to survey questions from each selected third party are assessed and ranked using a scoring model customized for the organization. The example scorecard shows mapping customized by agreement type.
Contract Compliance Scores (risk factor: score)
- Agreement complexity: 2.2
- Significance of agreement to the organization: 3.3
- Number of third parties involved: 1.0
- Changes in key third-party personnel: 1.5
- Changes in third-party accounting systems: 4.7
- Performance compared to industry/market conditions: 3.0
Further risk factors on the scorecard:
- Changes in agreement terms
- Timeliness of compliance by third party
- Lack of compliance by third party
- Mergers and acquisitions related to the third party
- New products or activities related to the third-party agreement
29 Risk Ranking is Key The goal of the third-party risk assessment workflow is to assess the level of risk the third-party relationships present to your organization. The third-party criticality is determined from the Prioritization Data evaluation. The control state is determined from the questionnaire scorecards. These two data points contribute to the combined third-party risk rating, which drives the level of focus and attention the third-party needs to be given.
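As an added illustration (not part of the deck) of the ranking workflow described on the prioritization, scorecard and risk-ranking slides above: a control-state score is computed from weighted scorecard answers, a criticality tier from prioritization factors, and the two are combined into the follow-up decision named on the approach slide. The weights, point values, thresholds and decision matrix are assumptions standing in for an organization's customized model; the scorecard values are those of the example scorecard slide, and the third-party profile is constructed.

```python
"""Third-party risk ranking: criticality tier x control-state score -> action.

Added example. Weights, points, thresholds and the decision matrix below are
assumptions; an organization substitutes its own customized scoring model.
"""
from dataclasses import dataclass

# Scorecard factors named on the slide; the weights are assumed.
CONTROL_WEIGHTS = {
    "agreement_complexity": 1.0,
    "significance_to_organization": 2.0,
    "third_parties_involved": 1.0,
    "key_personnel_changes": 1.0,
    "accounting_system_changes": 1.5,
    "performance_vs_market": 1.5,
}


@dataclass(frozen=True)
class Prioritization:
    """Prioritization data for one third party (fields follow slide 26 factors)."""
    accesses_critical_data: bool
    enterprise_risk_impact: str      # "high" | "medium" | "low"
    relies_on_subcontractors: bool
    financially_weak: bool
    relationship_state: str          # "new" | "ending" | "short-term" | "long-term"
    annual_spend_usd: float


def control_state_score(scorecard: dict) -> float:
    """Weighted mean of factor scores (each 1.0..5.0, higher = weaker control).

    A missing answer is rejected rather than silently counted as a good score,
    so an incomplete questionnaire cannot rank a third party as low risk.
    """
    missing = set(CONTROL_WEIGHTS) - set(scorecard)
    if missing:
        raise ValueError(f"unanswered scorecard factors: {sorted(missing)}")
    weighted = 0.0
    for factor, weight in CONTROL_WEIGHTS.items():
        score = float(scorecard[factor])
        if not 1.0 <= score <= 5.0:
            raise ValueError(f"{factor}: score {score} outside 1.0..5.0")
        weighted += weight * score
    return round(weighted / sum(CONTROL_WEIGHTS.values()), 2)


def criticality_tier(p: Prioritization) -> str:
    """Map prioritization factors to the slide's relationship tiers.

    Point values are assumptions; access to critical business information and
    enterprise-level risk impact are weighted highest.
    """
    points = {"high": 3, "medium": 2, "low": 0}[p.enterprise_risk_impact]
    points += 3 if p.accesses_critical_data else 0
    points += 1 if p.relies_on_subcontractors else 0
    points += 1 if p.financially_weak else 0
    points += 1 if p.relationship_state in ("new", "ending") else 0
    points += 2 if p.annual_spend_usd >= 1_000_000 else 0
    if points >= 8:
        return "strategic"
    if points >= 5:
        return "significant"
    if points >= 2:
        return "considerable"
    return "insignificant"


def control_band(score: float) -> str:
    """Bucket the control-state score (thresholds assumed)."""
    if score >= 4.0:
        return "weak"
    if score >= 2.5:
        return "moderate"
    return "strong"


# Assumed decision matrix: (tier, band) -> the four outcomes on the approach slide.
ACTIONS = {
    ("strategic", "weak"): "in-depth audit",
    ("strategic", "moderate"): "spot audit",
    ("strategic", "strong"): "request additional information",
    ("significant", "weak"): "in-depth audit",
    ("significant", "moderate"): "spot audit",
    ("significant", "strong"): "survey satisfactory",
    ("considerable", "weak"): "spot audit",
    ("considerable", "moderate"): "request additional information",
    ("considerable", "strong"): "survey satisfactory",
    ("insignificant", "weak"): "request additional information",
    ("insignificant", "moderate"): "survey satisfactory",
    ("insignificant", "strong"): "survey satisfactory",
}


def combined_rating(p: Prioritization, scorecard: dict) -> dict:
    """Combine criticality and control state into the follow-up action."""
    score = control_state_score(scorecard)
    tier = criticality_tier(p)
    band = control_band(score)
    return {"tier": tier, "control_score": score,
            "control_band": band, "action": ACTIONS[(tier, band)]}


# Scores from the example scorecard slide; the third-party profile is constructed.
SAMPLE_SCORECARD = {
    "agreement_complexity": 2.2, "significance_to_organization": 3.3,
    "third_parties_involved": 1.0, "key_personnel_changes": 1.5,
    "accounting_system_changes": 4.7, "performance_vs_market": 3.0,
}
SAMPLE_CMO = Prioritization(accesses_critical_data=True, enterprise_risk_impact="high",
                            relies_on_subcontractors=True, financially_weak=False,
                            relationship_state="long-term", annual_spend_usd=2_500_000)

if __name__ == "__main__":
    print(combined_rating(SAMPLE_CMO, SAMPLE_SCORECARD))
```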
30 TPRM: Key Recommendations
- Be very clear about the different types of third-party risk you are tracking, and who has responsibility for each
- Document organizational risk profile, risk tolerance and risk acceptance
- Involve business stakeholders in the risk acceptance process
- Conduct due diligence to minimize risks (including regulatory fines and reputation damage)
31 TPRM: Key Recommendations (cont.)
- Create triggers to make sure risk and compliance efforts occur throughout the third-party relationship lifecycle
- Consider ways to open up communication with and among vendors about trends, patterns and best practices
- Be innovative and flexible; program and processes should allow for incorporation of changes due to business, industry and regulatory drivers
32 EMERGING ISSUE: OVERVIEW OF GDPR
33 What is GDPR?
European Union General Data Protection Regulation (EU GDPR): a new data protection law adopted by the EU in April 2016, intended to bolster data privacy protections for EU residents. Companies, government agencies, and non-profits interacting with EU residents have until May 2018 to comply.
34 Who does GDPR protect?
- The European Union, consisting of 28 member states: Spain, UK, Ireland, France, Germany, Italy, and Sweden, among others
- Some island nations such as the Canary Islands, Azores, and others
- Organizations storing, transmitting or processing data for individuals residing in any of these countries
35 Who does GDPR apply to?
To determine if GDPR affects your organization, you need to ask questions such as:
- Do you offer goods and services to EU residents?
- Do you rely on third parties that store or transmit data to/from the EU?
- Do you collect, transmit, or process data pertaining to EU residents?
It does not matter whether the services are free. It does not matter whether your company operates in the EU.
36 Five big concepts to understand
1) Accountability
2) Consent
3) Right to be Forgotten
4) Portability
5) Breach Notification
37 Accountability
Organizations must demonstrate privacy protection by design and by default. Must appoint a Data Protection Officer (DPO) if the organization:
- Processes data of more than 5,000 individuals a year, OR
- Is active in regular and systematic monitoring of individuals, OR
- Processes data which is sensitive
Sanctions (more on that later)
38 Consent
Burden of consent now states that:
- Organizations must now prove genuine, explicit consent for data gathered
- Consent must be purpose-limited
- Must allow withdrawal of consent at any time
- In some instances, consent must be down to business process level
- In some instances (or countries), must gather consent for individuals as young as age 13 (through their parents)
39 Right to be forgotten
Mandatory right to erasure: organizations must give individuals the right to request erasure of their data if:
- Individual withdraws consent
- Data is no longer needed to achieve the purpose it was collected for
- Data in question was obtained through unlawful processing
40 Data portability
Individuals have the right to transport all of their personal data to another organization (even a competitor):
- Organizations must provide individuals with their data in a machine-readable format
- Where feasible, the organization must facilitate electronic transfer of personal data
41 Breach notification
- Organizations are now under legal obligation to notify local authorities within 72 hours if EU resident data is lost
- Only exception is if the data was encrypted
- Organizations have to inform individuals if adverse impact is determined from the breach
- Service providers (data processors) now have obligations to data controllers
42 Penalties for non-compliance
If organizations do not comply, they face a maximum fine of 4% of their global revenue OR €20 million, whichever is higher.
43 QUESTIONS AND ANSWERS
44 THANK YOU FOR YOUR TIME AND ATTENTION
45 This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. RSM and the RSM logo are registered trademarks of RSM International Association. The power of being understood is a registered trademark of RSM US LLP.
More informationCustomer Data Protection. Temenos module for the General Data Protection Regulation (GDPR)
Customer Data Protection Temenos module for the General Data Protection Regulation (GDPR) Contents Glossary 03 GDPR Geographical Scope 03 GDPR implementation status 03 Overview of GDPR 03 Financial Institutions
More informationEnterprise Compliance Management for Credit Unions
Enterprise Compliance for Credit Unions Streamline Regulatory Compliance with a Unified Platform to Manage Requirements and Demonstrate Compliance to Regulators Industry Challenge Credit unions are subject
More informationGDPR: Is it just another strict regulation or a great opportunity for operational excellence?
GDPR: Is it just another strict regulation or a great opportunity for operational excellence? Xenofon Liapakis General manager CIO & Services of Interamerican group Chairman of Hellenic CIO forum November
More informationWHITE PAPER EU General Data Protection Regulation Compliance
WHITE PAPER EU General Data Protection Regulation Compliance Table of Contents 1. SAP is ready for GDPR 04 1.1. Data Protection Processes 04 1.2. Data Protection Thresholds 05 1.3. Technical & Organizational
More informationINTERNATIONAL WHAT GDPR MEANS FOR RECORDS MANAGEMENT
WHAT GDPR MEANS FOR RECORDS MANAGEMENT Presented by: Sabrina Guenther Frigo Overview Background Basic Principles Scope Lawful Processing Data Subjects Rights Accountability & Governance Data Transfers
More informationTWELVE STEP PLAN TO BECOME COMPLIANT WITH THE GENERAL DATA PROTECTION REGULATION
TWELVE STEP PLAN TO BECOME COMPLIANT WITH THE GENERAL DATA PROTECTION REGULATION Awareness Data Stream Map Communication Rights of the subject Legal basis Consent Data Breaches Privacy by design and PIA
More informationOPTIMIZE YOUR BUSINESS WITH NETSUITE CRM. August 29, 2017
OPTIMIZE YOUR BUSINESS WITH NETSUITE CRM August 29, 2017 With you today Eric Myers Director Eric has 15+ years industry experience and currently works with many RSM/NetSuite clients in Distribution, Manufacturing,
More informationSERVICES AND CAPABILITIES. Technology and Management Consulting
SERVICES AND CAPABILITIES Technology and Management Consulting RSM overview Fifth largest audit, tax and consulting firm in the U.S. Over $1.6 billion in revenue 80 cities and more than 8,000 employees
More informationMODERNIZING THE FINANCE FUNCTION
MODERNIZING THE FINANCE FUNCTION Transforming the finance function into a strategic business partner November 15, 2016 Presenters Mary Beth Jameson RSM US LLP Director, Technology and Management Consulting
More informationGet ready. A Guide to the General Data Protection Regulation (GDPR) elavon.ie
Get ready A Guide to the General Data Protection Regulation (GDPR) elavon.ie The General Data Protection Regulation (GDPR) will regulate the privacy and handling of the personal data of individuals in
More informationMICROSOFT DYNAMICS 365 FOR TALENT. Rachel Profitt, MVP, MCT Director, RSM Technology Academy November 30, 2017
MICROSOFT DYNAMICS 365 FOR TALENT Rachel Profitt, MVP, MCT Director, RSM Technology Academy November 30, 2017 2016 2016 RSM US RSM LLP. US All Rights LLP. Reserved. All Rights Reserved. Introductions Rachel
More informationREGULATORY HOT TOPIC Third Party IT Vendor Management
REGULATORY HOT TOPIC Third Party IT Vendor Management 1 Todays Outsourced Technology Services Core Processing Internet Banking Mobile Banking Managed Security Services Managed Data Center Services And
More informationVendor Management Challenges and Expectations An Open Discussion April 13, 2017
1 Practical solutions driving tangible results Vendor Management Challenges and Expectations An Open Discussion April 13, 2017 Agenda Common Themes Discussion Expectations Overcoming Obstacles Common Comments
More informationEU General Data Protection Regulation
Steve Norledge, UKI GDPR Leader Sol Barron, Information Governance Specialist February 2017 EU General Data Protection Regulation Getting Started with GDPR GDPR significantly extends EU member-state data
More informationImproving the Patient Experience Across the Revenue Cycle
Improving the Patient Experience Across the Revenue Cycle A closer look at patient centered approach to scheduling, pre-arrival, point-ofservice functions, and move towards a single billing office November
More informationThe importance of the right reporting, analytics and information delivery
The importance of the right reporting, and information delivery Prepared by: Michael Faloney, Director, RSM US LLP michael.faloney@rsmus.com, +1 804 281 6805 Introduction This is the second of a three-part
More informationData rich and regulation wary
Data rich and regulation wary Improving risk compliance in today s data rich environment kpmg.com Key highlights Expect regulatory and Increase data and security 1 policy focus 2 controls 3 Personal consumer
More information1 Privacy by Design: The Impact of the new European Regulation on Data protection. Introduction
Introduction On April 2016 the European Parliament approved the General Data Protection Regulation (GDPR). This new regulation, with mandatory implementation by Member States (MS) and businesses that have
More informationRSM ANTI-MONEY LAUNDERING SURVEY BEST PRACTICES AND BENCHMARKING FOR YOUR BSA/AML PROGRAM
RSM ANTI-MONEY LAUNDERING SURVEY BEST PRACTICES AND BENCHMARKING FOR YOUR BSA/AML PROGRAM Anti-money laundering (AML) regulations are at times challenging for banks. Emerging risks and increased scrutiny
More informationHCCA Audit & Compliance Committee Conference. February 29-March 1, Drivers of ERM. Enterprise Risk Management in Healthcare.
Enterprise Risk Management in Healthcare Deloitte & Touche LLP Heather Hagan, Senior Manager Nancy Perilstein, Senior Manager February 29, 2016 Discussion Items Drivers of Enterprise Risk Management (ERM)
More informationFoundation trust membership and GDPR
05 April 2018 Foundation trust membership and GDPR In the last few weeks, we have received a number of enquiries from foundation trusts concerned about the implications of the new General Data Protection
More informationMinimizing fraud exposure with effective ERP segregation of duties controls
Minimizing fraud exposure with effective ERP segregation of duties controls Prepared by: Luke Leaon, Manager, RSM US LLP luke.leaon@rsmus.com, +1 612 629 9072 Adam Harpool, Manager, RSM US LLP adam.harpool@rsmus.com,
More informationKey TSA provisions your M&A team needs to know now
Key TSA provisions your M&A team needs to know now March 2018 kpmg.com 1 1 Companies are increasingly focusing on a rigorous Transition Service Agreement (TSA) as a key component in creating deal value.
More informationSAMPLING AND ERROR EVALUATION RSM US LLP. All Rights Reserved.
SAMPLING AND ERROR EVALUATION SAMPLING Sampling Factors to consider when sampling Population size and aggregate balance Tolerable misstatement Expected error Assurance factors Significant risk Reliance
More informationIBM Emptoris Services Procurement on Cloud
Service Description IBM Emptoris Services Procurement on Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means the company and its authorized users and recipients
More informationThe importance of the right reporting, analytics and information delivery
The importance of the right reporting, and Introduction This is the second of a three-part series focused on designing a business intelligence (BI) solution. In order to design a complete solution, there
More informationISACA San Francisco Chapter
ISACA San Francisco Chapter The 2007 Privacy Panel Rena Mears, CISSP, CIPP, CPA, CISA Partner, Deloitte & Touche LLP March 23, 2007 San Francisco 0 What is Privacy and Why Now? Definition of PII The definition
More informationDATA PROTECTION OFFICER (DPO) Maria Maxim Partner Bucharest October 25, 2017
DATA PROTECTION OFFICER (DPO) Maria Maxim Partner Bucharest October 25, 2017 TOPICS GDPR overview Concept of the DPO Recruitment process Job description Liability Your to do s: GDPR Responsibility and
More informationPreparing for the GDPR
Preparing for the GDPR Note: These slides and the accompanying presentation contain a general summary and are not legal advice. Niall Rooney 03/11/2017 (1) Data Protection The Right to Data Protection
More informationData Protection (internal) Audit prior to May (In preparation for that date)
Data Protection (internal) Audit prior to May 2018. (In preparation for that date) For employers without a dedicated data protection or compliance function, a Data Protection Audit can seem like an overwhelming
More informationWhat you need to know. about GDPR. as a Financial Broker. Sponsored by
What you need to know about GDPR as a Financial Broker Dear Partner The regulatory and compliance environment is ever changing and the burden and requirements on financial services professionals continues
More informationEU General Data Protection Regulation: What Impact for Businesses Established Outside the EU and EEA Francoise Gilbert 1
EU General Data Protection Regulation: What Impact for Businesses Established Outside the EU and EEA Francoise Gilbert 1 The EU General Data Protection Regulation (GDPR), which replaces Directive 95/46/EC
More informationGeneral Data Privacy Regulation: It s Coming Are You Ready?
General Data Privacy Regulation: It s Coming Are You Ready? Presenters Tristan North Worldwide ERC Government Affairs Adviser, Moderator William R. Tehan General Counsel, Graebel Companies, Inc. Hank A.
More informationVendor Agreements and the New EU GDPR Steps to Take Now
Presenting a live 90-minute webinar with interactive Q&A Vendor Agreements and the New EU GDPR Steps to Take Now Complying With the EU General Data Protection and Privacy Regulation TUESDAY, JANUARY 30,
More informationWhat is GDPR including those with no physical presence in the EU May 25th, 2018
GDPR at LSU What is GDPR The General Data Protection Regulation (GDPR) is a European regulation that aims to strengthen personal data protection for all individuals residing within the European Union (EU),
More informationTHIRD-PARTY RISK MANAGEMENT
THIRD-PARTY RISK MANAGEMENT Beyond a Regulatory Requirement April 28, 2017 Ken Glascock, CPA, CAMS, CIA, CFSA, CRCM Director kglascock@bkd.com AGENDA Let s Break It Down What Is Third-Party Risk Management?
More informationSOLUTION BRIEF HELPING ADDRESS GDPR CHALLENGES WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE
HELPING ADDRESS GDPR CHALLENGES WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE PREPARATION FOR GDPR IS ESSENTIAL ACROSS THE GLOBE The EU GDPR imposes interrelated obligations for organizations
More informationIMPACT OF THE NEW GDPR DIRECTIVE ON OUTSOURCING ARRANGEMENTS
IMPACT OF THE NEW GDPR DIRECTIVE ON OUTSOURCING ARRANGEMENTS This Insight provides an overview of the changes, and impact the GDPR Directive presents to outsourcing arrangements. Furthermore, it provides
More informationStrengthening Vendor Risk Management Program
Strengthening Vendor Risk Management Program ACUIA Region 5 Fall Meeting Portsmouth, N.H. October 2017 PKF O Connor Davies Risk Advisory Services Governance & Regulations Cyber-Security Risk Management
More informationWith financial penalties of up to 4 percent of global annual turnover, are you up-to-date on the General Data Protection Regulation?
With financial penalties of up to 4 percent of global annual turnover, are you up-to-date on the General Data Protection Regulation? The General Data Protection Regulation The GDPR applies to all organizations
More informationSTEPS FOR EFFECTIVE MANAGEMENT OF VENDOR AND SUPPLIER CYBERSECURITY RISKS. April 25, 2018 In-House Counsel Conference
STEPS FOR EFFECTIVE MANAGEMENT OF VENDOR AND SUPPLIER CYBERSECURITY RISKS April 25, 2018 In-House Counsel Conference Presenters: Daniela Ivancikova, Assistant General Counsel, University of Delaware Evan
More information