Accenture Point of View on New European Regulation (GDPR General Data Protection Regulation)

Source: advalorem-events.com/uploads/files/Giampiero_Saracino_Accenture...


Page 1: Accenture Point of View on New European Regulation (GDPR – General Data Protection Regulation)

Page 2: Agenda

Copyright © 2017 Accenture. All rights reserved.

Agenda
- Identify the main technical and organizational impacts
- Propose a roadmap / action plan for the regulatory compliance

Page 3: Impacts and adjustments – Technical and organizational measures of the GDPR (1 of 2)

Impact areas: Compliance; Organization/Process; Contracts

Actions «To Do»

Compliance and Organization/Process:
- Definition and revision of the data privacy model according to the responsibilities listed in the new regulation
- Setting up a register of processing operations of personal data
- Definition or revision of policies and procedures to ensure accountability
- Revision of privacy policies for the collection of declarations of consent and for ensuring fair and transparent processing
- Identification of controls and reports for monitoring compliance over time
- Revision of the processes for managing consent and of the procedures for requests from the natural persons concerned (right to be forgotten, access to data and data portability)
- Revision of the governance model for the designation of the DPO
- Definition of a plan of training and awareness for employees
- Mapping of personal data and of their transfer to third parties
- Support for the implementation of a methodology for the DPIA, with the support of the Privacy and Security functions

Contracts:
- Revision of contracts with third parties to ensure compliance with the new GDPR
- Revision and/or identification of contracting rules for the transfer of personal data within the companies of the group
- Improvement of the binding corporate rules and adoption of new ones, if necessary, for the transfer of data

Page 4: Impacts and adjustments – Technical and organizational measures of the GDPR (2 of 2)

Impact areas: Information Security; Information Technology

Actions «To Do»
- Definition and implementation of the security measures necessary to ensure the protection of personal data (protection at rest / in use / in motion) and to prevent data leakage
- Definition and implementation of technical measures for the pseudonymisation or encryption of data
- Identification and classification of personal data, and definition of the controls to apply according to the classification criteria
- Definition of a methodology and of control measures to ensure the protection of data during the engineering process (Privacy by Design), without exceeding the limits of the processing operations (Privacy by Default)
- Support for the impact assessment through the Data Protection Impact Assessment (DPIA), in relation to high-risk processing
- Revision and/or implementation of security measures for the detection of possible incidents, and definition of the Data Breach notification process
- Support for the mapping of personal data on information systems and of the flows towards external systems
- Design and implementation of measures to erase data stored in software that processes personal data
- Revision of operational models to support the encryption of data, where possible
- Development of IT procedures to monitor the declarations of consent and the requests of the natural persons concerned
- Design and implementation of IT procedures to react to the requests of the natural persons concerned (e.g. portability request, access to data)

Page 5: Agenda
- Identify the main technical and organizational impacts
- Propose a roadmap / action plan for the regulatory compliance

Page 6: Action plan – Phases approach

A. Phase 1 – Readiness Assessment (3-4 months)

1. Support on Regulation Analysis
   Activities: analysis of the regulatory requirements; relevant analysis of internal regulations for DPIA purposes
   Deliverables: map of regulatory requirements and assets involved

2. Gap Analysis
   Activities: gap analysis between the requirements and the current application of the Regulation; definition of the organizational impact and of the impact on IT systems
   Deliverables: gap analysis document

3. Definition of interventions and Roadmap
   Activities: identification and sharing of compliance actions; Masterplan definition
   Deliverables: actions to be implemented; list of interventions; Master Plan

B. Phase 2 – Implementation (10-12 months)
   Activities: implementation of compliance actions within organizational and IT areas

C. Phase 3 – Monitor and Control
   Activities: definition of controls for compliance monitoring

D. PMO and coordination

Page 7: Action plan – Focus on Phase 1 – Readiness Assessment

Phase 1 – Readiness Assessment
1. Support on Regulation Analysis
2. Gap Analysis
3. Definition of interventions and Roadmap

Activities:
- Collection and analysis of the available corporate documents
- First assessment of about 99 requirements included in the European Regulation, to evaluate their applicability to the corporate setting
- Interviews with the key corporate functions responsible for the different areas (Security, IT, Risk Management, Legal, Organization, Audit, Communication)
- Analysis of the corporate situation in relation to the new Regulation (gap analysis)
- Identification of the gaps and of the adjustment measures
- Planning of quick wins, including specific short-term interventions to reach full compliance with the new Regulation
- Definition of a Master Plan that includes indications for the overall management of all the interventions needed

Page 8: Action plan – Focus on Phase 1 – Working tools

Based on the requirements listed in the new Regulation, the impact assessment would focus on the following aspects (non-exhaustive):
- Tasks of corporate functions (e.g. code of conduct, internal regulations)
- Governance model (e.g. designation of the DPO, revision of the data privacy model)
- Procedures / Processes (e.g. revision of documents, revision of privacy policies for the collection of declarations of consent)
- IT / Technical measures (e.g. IT measures to delete data upon request of the natural persons concerned, implementation of security measures for the protection of personal data)
- Contracts (e.g. revision of contracts with third parties)
- Controls (e.g. revision of compliance interventions and reports delivered)

Page 9: Action plan – Focus on Phase 2 – Implementation

- Definition and revision of methodologies, models and processes
- Governance activities and Project Management Office
- Planning and implementation of security and IT measures

Accenture will help the client in defining the interventions needed to implement each operative action required, in supporting the overall governance of the new measures, and in implementing each intervention or action (end-to-end management).

Page 10: Action plan – Focus on security measures and IT impacts

Areas: Applications and IT impacts; Data Protection; Data Subject Rights

Solutions (description):
- Implement a data discovery tool in order to identify personal data and classify them in terms of privacy sensitivity
- Assess and review consent and information processes in order to respond to data subjects' rights
- Enable applications to support data encryption and data masking techniques
- Reinforce data protection in terms of securing access to data, securing the enterprise architecture, and data loss prevention / IRM solutions
- Review / implement a data breach process and notification
- Assess applications in order to evaluate the current security posture and compliance with data privacy requirements
- Develop data deletion and data portability procedures in order to satisfy data subjects' requests (e.g. right to be forgotten)
- Improve application resilience by securing the code from design (privacy by design)
- Develop data deletion procedures in order to satisfy data retention needs
- Develop custom tracking / enable tracking of data accesses and requests in order to guarantee monitoring

Conceptual Architecture (diagram mapping the numbered solutions onto the architecture; not reproduced)

Page 11: Action plan – Focus on Privacy by Design Process

The checklist for data Privacy by Design includes:
- Information Gathering: collection of information on the type of data and the levels of criticality of the IT solution
- Req Matrix: matrix of controls to implement according to the level of criticality of the data and of the IT solution
- Summary: summary of the information, the controls and their status

Privacy by Design might include the planning of a Secure Software Development Lifecycle, carried out with the business owner during the development of the application, to identify the most appropriate protection measures according to the type of data to be processed and the privacy measures required.

Accenture has developed an asset to collect the information that leads to the identification of the type of data to be processed and to the selection of the control measures to implement.

Page 12: Action plan – Focus on data breach

The obligation to inform in case of a Data Breach foresees the notification to the Control Authority, when the personal data breach is likely to result in a high risk to the rights and freedoms of the natural persons concerned, and the revision and/or implementation of a Data Breach process that ensures future data breaches are promptly identified and responded to.

Impact areas and Actions «To Do»

Monitoring / Detection:
- Identification and/or revision of the scope of the systems involved in the processing of personal data to be monitored
- Revision and implementation of monitoring systems able to detect incidents
- Revision of the incident management process

Design of the process and risk assessment of data breach:
- Revision and design of the data breach process, to identify rules, responsibilities and procedures to respond to data breaches
- Design and implementation of a methodology for the risk assessment, aligned with the Risk Management and Security plans, to identify the impact on the natural persons concerned in case of future data breaches
- Identification of thresholds and degrees of risk to identify the impact of the categories of data breaches

Notification:
- Definition of notification procedures and templates to use in case of data breach
- Design of the notification procedures to the Control Authority in case of data breach
- Design of the notification procedures to the natural persons concerned in case of data breach

Page 13: Why Accenture – Accenture Security Practice

- 20+ years of experience helping clients secure their organizations
- People: 5,000+
- 1 million+ endpoints managed
- 15,000+ security devices managed
- Centers of Excellence: India, Philippines, Czech Republic, USA & Argentina
- 5,000+ security risks mitigated per year
- Streamline cloud migration activities by 20%
- Cloud security, management and control for 20,000+ cloud computing instances
- Achieved >30x faster detection rates of incidents for multiple clients
- Security analytics that handle billions of events
- Running some of the largest SIEM deployments in the world
- 350+ pending and issued patents related to security
- 330+ clients spanning 67 countries
- 5 billion+ raw security events processed daily
- 30 million+ digital identities managed

Page 14: Why Accenture – Skill, Partnership and Accelerator

- Participation in roundtables: active participation in different tables belonging to the Financial Services sector (e.g. Assinform, Confindustria) in order to examine the GDPR in depth, in relation to local requirements
- Multidisciplinary Team: capacity to involve a multidisciplinary team, according to the skills required by the various impacted areas (e.g. Compliance, Insurance Expert, Security), and to adopt an "end-to-end" approach
- National and International Network: ability to take advantage of an extensive network, both nationally and internationally, for benchmarking activities and comparison interviews
- Partnership & Alliances: partnership with the main vendors of Data Protection and Data Governance solutions, such as Informatica, Symantec, IBM, Oracle
- Asset and Accelerator: availability of assets and accelerators both for the assessment phase and for process design, in order to execute the activity in an efficient manner

Page 15: Why Accenture – Data Governance Methodology

The implementation of security measures to avoid accidental and unauthorized access to personal data must be planned according to three main steps:

1. Data Governance
   Description: data governance model aimed at identifying data governance policies; fine-tuning of the corporate strategy in terms of data quality, protection and privacy, in order to identify the roles and responsibilities of the stakeholders involved
   Deliverables: Data Governance model; Data strategy framework

2. Data Inventory and Classification
   Description: identification of the personal data in scope, through the mapping of:
   - processes managing personal data
   - tools for the processing of personal data (including IT assets)
   - information flows among IT tools
   Data classification based on the impact assessment, in terms of confidentiality, integrity and availability
   Deliverables: Data Inventory; Data classification; Data retention

3. Data Security
   Description: evaluation and implementation of data security measures for avoiding unauthorized/accidental accesses and/or changes; protection of data "at rest" (e.g. databases, NAS) with security solutions (e.g. data masking, obfuscation, DB encryption, auditing, database monitoring); protection of data "in transit" (e.g. e-mail security, encryption); data loss prevention solutions to avoid data 'leakage'
   Deliverables: Data security technical guidelines