Effective Data Governance & GDPR Compliance for the Nonprofit CFP
March 22, 2018

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms.
CPE and Support

CPE Participation Requirements
To receive CPE credit for this webcast:
- You'll need to actively participate throughout the program.
- Be responsive to at least 75% of the participation pop-ups.
- Please refer to the CPE & Support Handout in the Handouts section for more information about group participation and CPE certificates.

Q&A: Submit all questions using the Q&A feature on the lower right corner of the screen. At the end of the presentation, the presenter(s) will review and answer all questions submitted.

Technical Support: If you should have technical issues, please contact LearnLive: click on the Live Chat icon under the Support tab, or call 1-888-228-4088.

Audio: Audio will be streamed through your computer speakers. If you experience audio issues during today's presentation, please dial into the teleconference: 1.855.233.5756, teleconference code:
WITH YOU TODAY

Karen Schuler
Data & Information Governance, National Leader
BDO USA, LLP
8401 Greensboro Drive, Suite 800, McLean, VA 22102
Direct: 703-336-1533
kschuler@bdo.com

Mark Antalik
Managing Director
BDO USA, LLP
One International Place, Boston, MA 02110
Direct: 617-378-3653
mantalik@bdo.com
Agenda
- Challenges & Threats
- Data Governance Primer
- GDPR Introduction
Challenges & Threats
Top challenges
Needs driving data governance
1. Uncertainty about the future
2. Financial management
3. Performance monitoring and management
4. Increased regulations and compliance
5. Recruiting the right people
6. Technology and data explosion
7. Maintaining your reputation
8. Funding
9. Data breaches
10. Sustainability
Top NFP Threats
Attacks driving data governance

[Chart: Types of attacks (Browser, Brute force, Denial of service, Worm, Malware, Web Scan, Others), with a companion panel "What data are they taking?"]
Top NFP Threats
#1 threat: the explosion of data

CHALLENGES
- Lack of control over data retention
- Business intelligence
- Holistic data governance
- New data privacy regulations
- Vendors storing sensitive data
- Thinking about governance
- Litigation
- Systems & information in multiple locations
- Compliance investigations
- Policies and procedures are outdated
- No governance program
Data Governance Primer
Business Objectives
Reasons to develop a data governance program

Consistency & Quality
- Utilize consistent data for business needs.
- Identify real and perceived data quality issues.
- Identify data that is valuable and needed to drive decisions.
- Standardize the approach to address existing and new data needs.

Accessibility
- Integrate data uses across business lines.
- Prevent redundant data collection.
- Access needed data.
- Keep current with IT changes and storage standards.

Privacy & Protection
- Implement data reduction, data protection, and compliance strategies.
- Align business practices with policies and procedures.
- Implement corporate-wide updates to meet compliance requirements.
- Maintain security and accessibility so that data elements are not lost, corrupted or made unavailable.
- Protect vital (e.g., donor, patient, employee and volunteer) data sets.
Where to Start
Checklist

TASK | RESPONSIBLE PARTY(IES)
Champion the Data Governance Program | Executive Director, Board, C-Suite
Identify applications and data sets | CIO/IT and business functions
Identify sensitive data (PII, PHI, PCI) | CIO/IT, Legal, Privacy, CFO
Identify data accessed by third parties | CIO/IT, CISO/Security
Classify data | Legal, CIO/IT, CISO/Security, Privacy, CFO
Document and update policies | Legal, CIO/IT
Review IT and security controls | CIO/IT, CISO/Security
Review data management controls and policies | CIO/IT
Review vendor contracts | Legal
Determine data management needs | CIO/IT
Longer Term Planning
Required teams
- Business & Operations
- IT & Security
- Human Resources
- Legal & Compliance
- Sales & Marketing
Longer term planning
Implementation

[Diagram of implementation elements, listed here in the order they appear:]
Business processes, Information inventory, Vendors, Vital data, Business intelligence, Driving value from data, Policies, Procedures, Litigation readiness, Data breach response, Assets, Readiness, Data management, Data breach notification, Technology inventory, Privacy, Security, Data management, Risk identification, Accessibility & quality management, 3rd party transfers, International transfers, BYOD, Retention, Technical & organizational measures, Disposition
Holistic approach to cybersecurity risk management
Implementation

Cybersecurity risk management is not just about technology. A holistic approach:
- Addresses how the cybersecurity strategy needs to align with the business strategy.
- Recognizes that people and culture are important elements of the process.
- Recognizes that the target industry is a driver of cyber threats.
- Understands that managing risk has a cost and ROI.
Framework
Putting it all together
GDPR Introduction
GDPR Background, Impact & Context
Effective May 25, 2018

The General Data Protection Regulation (GDPR) imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where the organizations are located.
- Enhanced personal privacy rights
- Increased duty for protecting data
- Mandatory breach reporting
- Significant penalties for noncompliance: fines are up to 4% of global revenues or €20 million, whichever is greater.
GDPR Background, Impact & Context

Personal data
Applies to personal data, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.

Sensitive personal data
Sensitive personal data are special categories of personal data that are subject to additional protections (e.g., genetic data, biometric data, criminal information).

Data subject rights
The right to: access, erasure, to be forgotten, or data portability.
GDPR Background, Impact & Context
Does GDPR apply to your organization?

Applies to organizations, wherever they are located, that:
- Offer goods and services (including free services) to people in the EU; or
- Monitor the behavior of people in the EU (e.g., website analytics).

Personal data is broadly defined as any information relating to an identified or identifiable natural person (e.g., IP address, country identifier).
Applies whether you are a controller or a processor.
GDPR Alignment after May 25, 2018
Identify. Analyze. Govern.
- Evaluate Obligations & Assess Risk
- Data Mapping
- Evaluate & Rank Vendor Risks
- Review Policies & Contracts for Gaps
- Develop a Compliance Roadmap
- Remediate, Govern & Manage
1. Assess Risks and Gaps
Conduct a GDPR Readiness Assessment
- Evaluate the current state of GDPR compliance
- Utilize BDO or other online platforms to evaluate risks and gaps
- Map GDPR requirements against other privacy regulations
- Prepare a GDPR implementation plan

[Figure 1. Risk Meter (46.9)]
2. Data Mapping
Articles 5, 6(1), 9(1), 13-14, 17 and 30
- Document information assets and understand in-scope and out-of-scope activities
- Document business processes and align with data flow and data types
- Understand where data flows inside and outside the organization
- Understand data retention policies and records keeping practices

[Diagram: example data flow around a Patient Care Application, with Nurse, Patient, Doctor, Lab Tech and Pharmacist as participants]
3. Evaluate & Rank Vendor Risks
Articles 28, 30, 44-50
- Audit processes to determine how those processes impact privacy of data subjects
- Evaluate whether products have been developed with appropriate privacy considerations
- Report on systems that contain significant amounts of personal data and provide a plan for remediation and management

[Diagram: Initiate and Distribute Online Assessments, Gather Information, Analyze, Report and Provide Recommendations; iga.bdo.com/privacy]
4. Review Policies & Contracts for Gaps
Articles 12-14, 18, 21-22, 33-34, 37-39
- Privacy notices
- Data subjects' rights
- Process agreements
- Data breach response and notification
- Data protection policies and procedures
5. Develop a Compliance Roadmap
Articles 15, 20, 24(1), 24, 32, 37-39

ACTION PLAN
Columns: REF | RISK (risk to be mitigated) | RAG (current rating) | SOLUTION/MITIGATING ACTIONS (detail corrective actions, solutions and mitigating controls that address the risk) | RESULT (reduced, eliminated or accepted risk) | OUTCOME (has the solution(s) reduced the risk enough to proceed with processing?) | RAG (new risk rating)

PR1 | E.g. Employee forgets to turn off call recording during payment processing | 8 | 1. Use automated recording system to turn off recording at set trigger. 2. Audit all calls at end of each day to ensure no credit card details have been recorded. | Reduced | Human error removed from risk, although system could still fail to turn off at trigger. Manual call audit means any recording will still be identified and removed at end of each day. | 2

PR2 | E.g. Customer data incorrectly imported onto system using automated process | 6 | Utilise manual audits of files after import. Edit system to match fields with correct data. | Accepted | Mitigating actions will only slightly reduce risk, but automatically importing data is an essential business function that cannot be replaced with manual entry. | 5
6. Remediate, Govern and Manage

Registers
- Business processing
- Information inventory
- Personal data / special categories
- Records retention and erasure
- Awareness and training

Accountability / Consent / Privacy Notices
- Website policies
- Employee forms
- Direct marketing
- Privacy notices
- Access requests and forms
- Response mechanisms

Subject Access Rights
- Rectification & erasure
- Accuracy
- Objections to processing

Data Transfers and Portability
- Transfers to data subjects
- Transfers to DPAs or SAs
- 3rd party transfers
- International transfers

Information security and data protection policies
- Technical & organizational measures
- Data breach response
- Data breach notification
Summary and Questions
For more information, please contact Mark Antalik or Karen Schuler.
Conclusion
Thank you for your participation!

Certificate Availability
If you participated the entire time and responded to at least 75% of the polling questions, click the Participation tab to access the print certificate button.
Please exit the interface by clicking the red X in the upper right hand corner of your screen.
BDO is the brand name for BDO USA, LLP, a U.S. professional services firm providing assurance, tax, and advisory services to a wide range of publicly traded and privately held companies. For more than 100 years, BDO has provided quality service through the active involvement of experienced and committed professionals. The firm serves clients through more than 60 offices and over 550 independent alliance firm locations nationwide. As an independent Member Firm of BDO International Limited, BDO serves multi-national clients through a global network of 73,800 people working out of 1,500 offices across 162 countries. BDO is the brand name for the BDO network and for each of the BDO Member Firms. www.bdo.com

This document contains information that is proprietary and confidential to BDO USA, LLP, the disclosure of which could provide substantial benefit to competitors offering similar services. Thus, this document may not be disclosed, used, or duplicated for any purposes other than to permit you to evaluate BDO to determine whether to engage BDO. If no contract is awarded to BDO, this document and any copies must be returned to BDO or destroyed.

Material discussed in this publication is meant to provide general information and should not be acted on without professional advice tailored to your organization's individual needs.

2018 BDO USA, LLP. All rights reserved.