How to Stand Up a Privacy Program: Privacy in a Box
- Abner Park
- 5 years ago
1 How to Stand Up a Privacy Program: Privacy in a Box
Part III of III: Maturing a Privacy Program
Presented by the IT, Privacy, & ecommerce global committee of ACC
Thanks to: Nick Holland, Fieldfisher (ITPEC Sponsor)
Co-sponsor: Small Law Committee
2 Three Part Series
- Part I: Foundations
- Part II: Areas to Consider
- Part III: Maturing your Privacy Program: Audits, Maintenance, Data mapping, Vendor Oversight, Metrics
3 Speakers
- Margaret Gloeckle, Senior Privacy Officer, HSBC
- Nick Holland, Partner, Technology, Outsourcing and Privacy, Fieldfisher
4 Data Mapping, Audits and Maintenance
5 Overall Privacy Structure Plan
6 Ensuring your compliance through data mapping
Using the OneTrust Privacy Management platform ("OneTrust"), Fieldfisher can ensure that you remain compliant with global data protection requirements (particularly the Article 30 record-keeping obligations under the General Data Protection Regulation ("GDPR")), as well as with your general information governance requirements. Our methodology follows a simple three-step process to ensure your ongoing compliance:
7 Step 1: Generate Inventory
We will create bespoke automated, intuitive and interactive questionnaires (see slide 5) to map your data flows according to the processing activities you undertake (for example HR processing, CRM processing, sales and marketing processing, payment processing) and/or on a per-application basis, depending on your requirements.
We will work with you to identify the key stakeholders within your business who need to respond to the questionnaires. We understand that these people will likely be busy, so we will ensure that the process is as simple for them as possible: they will receive a simple link which will enable them to complete the questionnaires at their leisure, with no requirement to go through time-consuming processes such as setting up respondent accounts.
We will work with you to integrate any existing inventories or information about data flows that you already have, so that you do not duplicate effort. As appropriate, we can make use of intelligent identity scanning.
8 Example: Automated Questionnaire
9 Step 2: Report
We will use the questionnaire responses to produce the following illustrative reports:
- Article 30 Inventory: This data inventory will act as your Article 30 GDPR data processing record (see slide 7). Under the GDPR you must keep detailed records of your processing activities. We will create a data inventory which will be the record of the data flows and assets throughout your business. A data inventory is typically organized according to the data lifecycle of collection, processing, transfers, storage, protection and retention; however, we can tailor the inventory to comply with any framework to suit your needs. The inventory can be exported into common formats should you need to do so to satisfy a request from a regulator or a data controller customer. Typically, you would create a data inventory in a tabular or Excel-based format and need to maintain it manually; with OneTrust, however, we can ensure that your inventory is maintained live and updated automatically when your processing activities change, when you conduct a DPIA, and so on (see Step 3 for more detail).
- Using the information in the inventory, we can then produce automated visual maps to represent your data flows:
  - Asset Heat Map to represent where your key IT assets are globally (see slide 8)
  - Data Flow Charts to represent the flows of data both within your organisation and externally (see slide 9)
  - Cross Border Transfers to represent your compliance with international data transfer regulations (see slide 10)
10 Example: Data Inventory
11 Example: Asset Heat Map
12 Example: Data Flow Graph
13 Example: Cross Border Data Flow Map
14 Step 3: Keep it Up to Date
Once we have completed steps 1 and 2 to ascertain your current state of compliance, we will work with you to ensure you have a plan to maintain your records as your business changes. Using OneTrust, we can ensure that your records remain current by using the platform's capabilities:
- Conducting automated "what changed" audits (see slide 12) is the most common way to keep your inventories and maps up to date. When sending the audit questionnaire, instead of asking all the same questions over again, a best practice is to ask only what changed for each question, so as not to create unwieldy, time-consuming processes for your business people.
- Conducting ongoing DPIAs and risk assessments on new projects, feeding into the data inventory.
- Conducting ongoing vendor assessments, feeding into the data inventory.
- Automation to keep the visual maps up to date dynamically, based on changes to the underlying inventory.
- Automated scanning tools deployed in parallel to detect any changes in your data processing.
15 Example: What changed audit
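The three-step process above (inventory, report, keep it up to date) as an added worked example in Python. This is not code from the deck, from Fieldfisher, or from OneTrust: it models one Article 30 record per processing activity using the lifecycle fields the slides name (collection, processing, transfers, storage, protection, retention), produces the cross-border transfer findings from Step 2, and computes the "what changed" delta from Step 3 so that each owner is asked only about the fields that differ from the previous snapshot. The EEA country list, the safeguard names and all records are constructed sample data.

```python
"""Added example (not from the ACC/Fieldfisher deck, not OneTrust code):
a minimal Article 30 style inventory with a cross-border transfer check
and a "what changed" audit. All constants and records are constructed."""
from dataclasses import dataclass, field, asdict, replace
from typing import Dict, List, Tuple

# Constructed: countries treated as inside the EEA for the transfer check.
EEA = {"DE", "FR", "IE", "NL"}
# Constructed: transfer safeguards accepted as "documented".
VALID_SAFEGUARDS = {"SCC", "BCR", "adequacy"}


@dataclass
class ProcessingActivity:
    """One Article 30 record, organised by the lifecycle the slides name."""
    name: str
    owner: str                      # stakeholder who answers the questionnaire
    collection: str                 # data subjects / categories collected
    processing: str                 # purpose and legal basis
    transfers: List[Tuple[str, str]] = field(default_factory=list)  # (country, safeguard)
    storage: str = ""               # asset / location where the data is held
    protection: str = ""            # security measures applied
    retention: str = ""             # retention period


def cross_border_findings(inventory: Dict[str, ProcessingActivity]) -> List[str]:
    """One finding per transfer outside the EEA that lacks a documented safeguard."""
    findings = []
    for activity in inventory.values():
        for country, safeguard in activity.transfers:
            if country not in EEA and safeguard not in VALID_SAFEGUARDS:
                findings.append(f"{activity.name}: transfer to {country} without a documented safeguard")
    return findings


def what_changed(previous: Dict[str, ProcessingActivity],
                 current: Dict[str, ProcessingActivity]) -> Dict[str, dict]:
    """Diff two inventory snapshots: only changed fields, plus added/removed activities."""
    delta: Dict[str, dict] = {}
    for name in sorted(set(previous) | set(current)):
        if name not in previous:
            delta[name] = {"_status": "added"}
        elif name not in current:
            delta[name] = {"_status": "removed"}
        else:
            old, new = asdict(previous[name]), asdict(current[name])
            changed = {k: (old[k], new[k]) for k in old if old[k] != new[k]}
            if changed:
                delta[name] = changed
    return delta


def audit_questions(delta: Dict[str, dict], current: Dict[str, ProcessingActivity]) -> List[str]:
    """Turn the delta into the targeted questions a 'what changed' audit sends to each owner."""
    questions = []
    for name, changes in delta.items():
        if changes.get("_status") == "removed":
            questions.append(f"{name}: confirm this activity has ceased and its data has been disposed of")
            continue
        owner = current[name].owner
        if changes.get("_status") == "added":
            questions.append(f"{name} ({owner}): new activity, complete the full questionnaire")
            continue
        for fld, (old, new) in changes.items():
            questions.append(f"{name} ({owner}): confirm '{fld}' changed from {old!r} to {new!r}")
    return questions


# Constructed snapshots: the inventory as captured last cycle, and as it stands now.
LAST_CYCLE = {
    "HR processing": ProcessingActivity(
        "HR processing", "hr-lead", "employee identity and payroll data",
        "performance of employment contract", [("IE", "")],
        "HRIS, Frankfurt", "SSO, encryption at rest", "6 years"),
    "CRM processing": ProcessingActivity(
        "CRM processing", "sales-ops", "customer contact details",
        "legitimate interest", [("US", "SCC")],
        "SaaS CRM, US region", "MFA, role-based access", "3 years"),
}
THIS_CYCLE = {
    "HR processing": replace(LAST_CYCLE["HR processing"], retention="7 years"),
    # The SCC safeguard was dropped from the CRM record; this must surface as a finding.
    "CRM processing": replace(LAST_CYCLE["CRM processing"], transfers=[("US", "")]),
    "Payment processing": ProcessingActivity(
        "Payment processing", "finance", "card and bank details",
        "performance of contract", [("IE", "")], "payment gateway, Dublin",
        "tokenisation, PCI DSS controls", "as required by tax law"),
}

if __name__ == "__main__":
    for line in cross_border_findings(THIS_CYCLE):
        print("FINDING:", line)
    for line in audit_questions(what_changed(LAST_CYCLE, THIS_CYCLE), THIS_CYCLE):
        print("ASK:", line)
```

Running the block prints one transfer finding (the CRM record lost its safeguard) and three targeted questions rather than a full re-survey of every activity; a live platform would feed the same delta into the visual maps, which is the automation Step 3 describes.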
16 Overall Privacy Structure Plan
17 VENDOR OVERSIGHT
18 Vendor Oversight
- Companies are not able to confirm whether third parties have had a data breach or cyber attack involving their sensitive confidential information.
- Companies are not able to determine the number of third parties with access to their confidential information, or how many of these third parties are sharing this data with one or more further vendors.
- There is a lack of confidence in third parties' data safeguards, security policies and procedures, and in whether their security posture is sufficient to respond to a data breach or cyber attack.
- Companies rarely conduct reviews of vendors' vendor management policies and programs to ensure they address third-party risk.
- A lack of resources makes it difficult for organizations to have a robust vendor management program.
- Senior leadership and boards of directors are rarely involved in third-party risk management.
- Companies rely on contractual obligations instead of audits and assessments to evaluate the security and privacy practices of third parties.
19 Vendor Oversight
1. Know where your data sets are, which vendors have access to the data, and what privacy and security measures are in place.
2. Remember Target: the weakest link.
3. Develop a Plan
   - Map your vendors.
   - Put one department in charge of vendor management.
   - Document in your agreement who will have access to the data.
   - Enforce vendor compliance.
   - Audit: conduct regular, systematic audits.
20 Vendor Oversight
Gartner recommends that IT leaders and vendor managers follow these four organizing principles to start managing vendors effectively:
- Strategize and Plan: Define the structure, roles/responsibilities and resources to put a formal vendor management discipline in place and drive the right behaviors (product or service elements) to IT or business outcomes for all the collective third-party relationships.
- Develop Governance: Establish an optimal process for making decisions and assigning decision rights related to vendor management. Agree on authority and flow for decision making. Implement and set up feedback mechanisms.
- Execute: Ensure optimal management of the vendor contract life cycle and the commercial parts of the vendor relationship. Other responsibilities include managing and improving vendor performance, and monitoring and mitigating vendor risks.
- Measure and Improve: Use assessment and industry data to track vendor management operations and success. Responsibilities include managing and improving vendor performance, and monitoring and mitigating vendor risks.
21 Service Organization Control Reports (SOC)
Established by the American Institute of Certified Public Accountants in 2011. The SOC reporting standards provide an appropriate framework for CPAs to examine internal controls and for a service organization to provide clarity and greater transparency to its customers (and/or customers' auditors) on both its financial reporting controls and its controls relevant to its IT system attributes, such as security, availability, processing integrity, confidentiality and privacy.
- SOC 1 Report: Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting (SSAE No. 16)
- SOC 2 Report: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, and/or Privacy
- SOC 3 Report: Trust Services Report for Service Organizations
22 Vendor Due Diligence - SOC 2
Company controls to address the Five Trust Service Principles:
- Security: The system is protected against unauthorized access, use, or modification.
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: The system's collection, use, retention, disclosure, and disposal of personal information are in conformity with the commitments in the service organization's privacy notice and with criteria set forth in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CICA.
23 Vendor Due Diligence - Checklist
- Governance Policies: Network Security, Disaster Recovery, BCP, Data Retention, Disposal, Change Control, Training (privacy and security awareness for employees and vendors), Social Media, Acceptable Use.
- Security (Administrative, Technical, Physical): Perform Assessment / Pen Testing.
- Privacy: Collection, Use, Retention, Disclosure, and Disposal.
- Data Transfers
- Asset Management
- Incident Response
- Monitoring
- Audits: certification(s), Regulatory Oversight (GLBA, HIPAA, SEC).
- Accountability: Security - CISO or equivalent; Privacy - CPO or equivalent.
*Key Point: As the business evolves and changes, revisit, review and re-assess.
24 Vendor Due Diligence - Checklist
- Violation of privacy or security: FTC Cases (consent orders, fines), State Actions, Sanctions
- Occurrence or potential occurrence of Cybersecurity or Data Breaches
* Estimated cost of a data breach is approximately $4 million.
25 Vendor Due Diligence - SOC Report
Look for:
- Products and services covered in the report
- Type (1 or 2) of the report and period covered
- Opinion of the service auditor
- User entities' responses to the complementary user entity controls stated in the report
- Exceptions noted by the service auditor
26 METRICS
27 Questions to Consider
- Target Audience
- Methodology
- SMART:
  - Specific: clear and actionable
  - Manageable: objective, independently verified and obtainable
  - Actionable: identifies/reveals problems to fix and helps to drive improvement
  - Relevant/results orientated: metrics determined within the context of your organization
  - Timely: trending allows tracking over time for comparison
28 Measuring
- Privacy Training: Completion Rates, Test Outs, Retakes.
- Privacy Incidents: Types of Incidents, Frequency, Root Cause.
- Privacy Complaints: Type, Frequency, Root Cause.
- Maturity: Ad hoc, Repeatable, Defined, Managed, Optimized.
30 Nick Holland
Nick Holland, Partner, Fieldfisher, has over 24 years' experience in advising clients on international technology and privacy projects, and most of his work is international. He was a senior in-house counsel at a US company for a number of years. His main areas of practice are consumer and commercial transactions, global privacy compliance programs, global data security advice and IT outsourcing transactions for a range of clients across the world. Nick particularly specialises in undertaking BCR projects as well as implementing global privacy programs for multinationals, using GDPR as a catalyst for that. He is regarded by both Chambers and The Legal 500 as a leading individual in technology and privacy. He is a regular speaker at various events and is well known to most technology in-house counsel throughout EMEA.
31 Margaret Gloeckle
Margaret is a Senior Privacy Officer at HSBC and is a key member of the Privacy Office engaged in the design, implementation and maintenance of the privacy program. Prior to her role at HSBC, Margaret served as a global privacy program manager and has held multiple leadership and executive roles responsible for network design, infrastructure and security, global operations, program management and policy development. Margaret holds the Certified Information Privacy Professional (CIPP/US), Certified Information Privacy Manager (CIPM), and Certified Information Privacy Technologist (CIPT) credentials from the International Association of Privacy Professionals (IAPP) and is also a Project Management Professional (PMP). Margaret holds Master's degrees in both Business (MBA) and Technology (MSc. Telecommunications) and is admitted to the New York Bar.
32 Resources
- AICPA Privacy Maturity Model
- Nymity's Privacy Management Accountability Framework
- Data Risk in the Third Party Ecosystem
- NIST SP Performance Measurement Guide for InfoSec
- Understanding SOC Reports for Effective Vendor Management
- Understanding SOC Reports and Their Value for Your SOC 2 User Guide
- How to Ensure Safe Personal Data Protection Handling
- Example SOC 2
More informationNOT PROTECTIVELY MARKED
Meeting Audit Committee Public Session Date and Time Location Pacific Quay, Glasgow Title of Paper General Data Protection Regulation (GDPR) SPA Preparedness Item Number 9.4 Presented By Catherine Topley
More informationSOLUTION BRIEF RSA ARCHER REGULATORY & CORPORATE COMPLIANCE MANAGEMENT
RSA ARCHER REGULATORY & CORPORATE COMPLIANCE MANAGEMENT INTRODUCTION Your organization s regulatory compliance landscape changes every day. In today s complex regulatory environment, governmental and industry
More informationA PRACTICAL GUIDE TO GDPR BREACH NOTIFICATION AND SECURITY REQUIREMENTS
SESSION ID: SEM-MO1 A PRACTICAL GUIDE TO GDPR BREACH NOTIFICATION AND SECURITY REQUIREMENTS Mahmood Sher-Jan CEO and President RADAR, Inc. @msherjan Julia Jacobson Partner K&L Gates, LLP Overview Key definitions
More informationThe General Data Protection Regulation (GDPR) FAQ
The General Data Protection Regulation (GDPR) FAQ Introduction The General Data Protection Regulation ( GDPR ) is the new legal framework that will come into effect on the May 25, 2018 in the European
More informationARTICLE 29 DATA PROTECTION WORKING PARTY
ARTICLE 29 DATA PROTECTION WORKING PARTY 17/EN WP 256 Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules (updated) Adopted on 29 November 2017 INTRODUCTION
More informationWe reserve the right to update this privacy notice at any time. Please check our website from time to time for any changes we may make.
What is the purpose of this document? NORTHERN IRELAND SCREEN COMMISSION (Company Number NI031997) whose registered office is at 3 rd Floor Alfred House, 21 Alfred Street, Belfast, BT2 8ED is committed
More informationVENDOR RISK MANAGEMENT FCC SERVICES
VENDOR RISK MANAGEMENT FCC SERVICES Introductions Chris Tait, CISA, CFSA, CCSK, CCSFP Principal, Financial Services Baker Tilly Russ Sommers, CPA, CISA Senior Manager, Financial Services Baker Tilly Agenda
More informationIT Strategic Plan Portland Community College 2017 Office of the CIO
IT Strategic Plan Portland Community College 2017 Office of the CIO 1 Our Vision Information Technology To be a nationally recognized standard for Higher Education Information Technology organizations
More informationIT Strategic Plan Portland Community College 2017 Office of the CIO
IT Strategic Plan Portland Community College 2017 Office of the CIO 1 Our Vision Information Technology To be a nationally recognized standard for Higher Education Information Technology organizations
More informationGDPR Triggers Exploring Jurisdictional Scope
GDPR Triggers Exploring Jurisdictional Scope September 14, 2017 Time: 11:00 a.m. 12:30 p.m. ET, 3:00 4:30 p.m. UTC Program Outline I. Welcome and Introductions II. Context: Where We Currently Stand with
More informationGUIDELINES FOR IMPLEMENTING A PRIVACY MANAGEMENT PROGRAM For Privacy Accountability in Manitoba s Public Sector
GUIDELINES FOR IMPLEMENTING A PRIVACY MANAGEMENT PROGRAM For Privacy Accountability in Manitoba s Public Sector TABLE OF CONTENTS INTRODUCTION... 2 Accountable privacy management 2 Getting started 3 A.
More informationIn 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a
Checkpoint Contents Accounting, Audit & Corporate Finance Library Editorial Materials Audit and Attest Internal Control Communications Chapter 1 INTRODUCTION AND OVERVIEW 100 Background 100 Background
More informationPreparing for the General Data Protection Regulation (GDPR)
Preparing for the General Data Protection Regulation (GDPR) ServiceNow Governance, Risk, and Compliance Table of Contents What is the GDPR?...3 Key Requirements for the GDPR...4 Accountability, Policies,
More informationPREPARING YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST DATA PROTECTION COMMISSIONER
PREPARING YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST DATA PROTECTION COMMISSIONER 1 What will the GDPR mean for your business/organisation? On the 25 th May 2018,
More informationIT Service Delivery And Support Week Seven: SLA. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao
IT Service Delivery And Support Week Seven: SLA IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao 1 Outsourcing Drivers Outsourced IT Works Outsourced IT Activity Samples Top Three Outsourcing
More informationInternal Audit Charter
Internal Audit Charter Authority Source: Endorsed by the Audit and Risk Management Committee and approved by the Vice- Chancellor Approval Date: 20/10/2017 Publication Date: 24/10/2017 Review Date: 20/10/2018
More informationISO & ISO TRAINING DAY 4 : Certifying ISO 37001
ISO 19600 & ISO 37001 TRAINING DAY 4 : Certifying ISO 37001 2017 SLIDE 1 DAY 4 Program Part 1 : Audit rules 1. Audit principles 2. Types of findings Part 2 : Audit process 3. The steps of an audit 4. Audit
More informationGDPR in SAP. June, Igor Gregurec
GDPR in SAP June, 2017 Igor Gregurec Agenda GDPR rules GDPR compliance approach Example SAP solutions for GDPR compliance Lifecycle of personal data Fines and trends 2 The New EU Data Protection Rules
More informationStandards for Internal Control in New York State Government 2016 Update
Standards for Internal Control in New York State Government 2016 Update Presented to the New York State Internal Control Association John F. Buyce Audit Director April 28, 2016 1 Last Revised in 2007 A
More informationFinancial Institutions Consulting. Quality service. Personal attention.
Financial Institutions Consulting Quality service. Personal attention. Why Weaver? With more than 65 years of experience and a commitment to our financial institution clients, Weaver is established as
More informationEU General Data Protection Regulation (GDPR) A Point of View for Technology Sector Organisations. For private circulation only.
EU General Data Protection Regulation (GDPR) A Point of View for Technology Sector Organisations For private circulation only Risk Advisory Preface Does the EU GDPR impact organisations in India? Yes!
More informationwww.ulehssustainability.com YOUR PARTNER IN EHS, SUSTAINABILITY AND SUCCESS UL EHS Sustainability is the leading environmental, health, safety and sustainability software provider for enterprise clients
More informationGeneral Data Privacy Regulation: It s Coming Are You Ready?
General Data Privacy Regulation: It s Coming Are You Ready? Presenters Tristan North Worldwide ERC Government Affairs Adviser, Moderator William R. Tehan General Counsel, Graebel Companies, Inc. Hank A.
More informationBest Practices: Vendor Risk Questionnaires PROCESSUNITY WEBINAR SERIES
Best Practices: Vendor Risk Questionnaires PROCESSUNITY WEBINAR SERIES Today s Presenters Tom Garrubba Senior Director Shared Assessments Bryan Burnhart Head of Strategic Alliances ProcessUnity Ed Thomas
More informationThe GDPR and its requirements for implementing data protection impact assessments (DPIAs)
The GDPR and its requirements for implementing data protection impact assessments (DPIAs) Presented by: Alan Calder, founder and executive chairman, IT Governance 7 September 2017 Introduction Alan Calder
More informationEssential Guide to the GDPR. Practical Steps to Address EU General Data Protection Regulation Compliance
Essential Guide to the GDPR Practical Steps to Address EU General Data Protection Regulation Compliance Over 200 Pages of Legal Text Translated into Practical Implementation Steps 2 Essential Guide to
More information