Demystifying GDPR and its impact on India Inc.
August 9, 2017
KPMG.com/in
Mayuran Palanisamy, Director
Risk Consulting IT Advisory
Ph: +91 9600057046
E-mail: [email protected]
2017, an Indian partnership and member firm of KPMG network of independent member firms affiliated with KPMG International, Cooperative a Swiss entity. All Rights Reserved. Printed in India
The Journey
Denial: It won't happen to me
Worry: Get as much security as possible
False confidence: We're ready, bring it on
Hard lessons: There is no absolute security
True leadership: We're in this together
Start
Have you heard of Vishing?
Denial: It won't happen to me
Wow! That's Vishing?
Denial: It won't happen to me
So what's the Big Deal?
Worry: Get as much security as possible
Infamous Data Breaches
Sectors: Manufacturing, Retail, Health Care, Law Firm, Telecom, Financial, Technology
Organizations: The Home Depot, Verizon, Centene Corp, Panama Papers, Vodafone, JP Morgan Chase, Zomato
- Verizon's 2015 Data Breach Investigations Report (DBIR) found that four out of five security incidents in the manufacturing sector involved denial of service (DoS) attacks, cyber-espionage and crimeware.
- The Panama Papers are a set of 11.5 million leaked confidential documents detailing information about more than 214,000 offshore companies.
- 950,000 members had potentially been impacted by a data breach.
- 2 million customers' data stolen, share price fell 0.8%; 70,000+ customer accounts leaked.
- 0.5 million clients' personal information lost.
- About 56 million debit and credit cards were exposed (The Home Depot).
- Zomato reported that data from 17 million users had been stolen, including email addresses and hashed passwords.
...and many more data privacy incidents across the globe in various sectors.
Worry: Get as much security as possible
Cyber Event Preparedness - Survey Results
Source: KPMG 2017 Global CEO Outlook Survey
Industries That Say They Are Prepared For A Cyber Event
- Technology: 34
- Telecom: 36
- Manufacturing: 37
- Investment Management: 39
- Banking: 42
- Insurance: 43
- Energy: 45
- Life Sciences: 45
- Consumer and Retail: 46
- Automotive: 47
- Infrastructure: 49
Worry: Get as much security as possible
We have heard these Myths time and again!
False confidence: We're ready, bring it on
Popular Myths
- We are a company established in India, hence GDPR does not apply to us.
- My data is stored with a third party service provider, so it's only their responsibility to remain compliant with GDPR.
- Our CISO / CIO / CRO can also play the role of a DPO.
- Controllers and processors will have to answer to only a single data protection authority.
- GDPR is the Information Security team's problem.
- My associates have only view access to the personal information of EU citizens.
- We are too small an organization, so GDPR will not affect us.
- We are only data processors, so we don't have to worry about GDPR.
False confidence: We're ready, bring it on
Let's first deal with the Problems
Hard lessons: There is no absolute security
Problems
- Demonstrating compliance to regulatory requirements
- Collaboration among internal functions
- Developing effective technical and organizational controls
- Recruitment and upskilling of resources
- Driving enterprise-wide change management
- Business process specific data inventory and flow maps
- Adhering to client contractual obligations
- Interpreting the regulatory clauses and developing a framework
Hard lessons: There is no absolute security
Solutions!
Hard lessons: There is no absolute security
Problems and Solutions

Driving enterprise-wide change management
Socializing through workshops, privacy campaigns and roadshows, and creating awareness programs across the organization. Capturing the attention of the enthusiasts, laggards and incumbents in the organization.

Demonstrating compliance to regulatory requirements
Performing periodic external and internal audits to demonstrate compliance and adherence to regulatory requirements. Conducting self-assessments such as PIA, PRA etc. to evaluate the privacy impact and risk within the organization's functions. Benchmarking controls against industry best practices.

Business process specific data inventory and flow maps
Identifying PII data by using e-Discovery tools. Inventorizing the data using the Information Life Cycle Management methodology. Performing data minimization, data mapping and data flow maps.

Adhering to client contractual obligations
Identifying the applicable regulatory requirements of the customer and protecting the personal data. Establishing data protection certification mechanisms and data protection seals and marks.

Collaboration among internal functions
Developing a communication strategy and establishing strong communication channels to ensure active, frequent and ongoing collaboration.

Developing effective technical and organizational controls
Investing in technology and implementing solutions with adequate controls when processing personal data.

Recruitment and upskilling of resources
Hiring trained and experienced resources with a background in technology, data privacy, data protection laws, legal, regulatory, and risk and compliance.

Undertaking responsibility and accountability for driving the privacy initiatives in the organization.

Interpreting the regulatory clauses and developing a framework
Understanding the regulatory requirements. Developing a cross-functional team that gives a legal and technological perspective of the regulation. Translating the regulations into a control-based framework for easy implementation of and compliance with the privacy regulations.

Hard lessons: There is no absolute security
Fine, so what does GDPR mean to IT/ITeS companies?
True leadership: We're in this together
GDPR Applicability - Data Controllers & Processors

Data Subject Rights
- Articles 12, 13 & 14: Right to be Informed
- Article 15: Right of Access by the Data Subject
- Article 16: Right to Rectification
- Article 17: Right to Erasure
- Article 18: Right to Restriction of Processing
- Article 20: Right to Data Portability
- Article 21: Right to Object
- Article 22: Automated Individual Decision Making including Profiling

Privacy Impact Assessments
- Article 35: Data Protection Impact Assessments

Records of Data Processing
- Article 30: Records of Processing Activities
- Article 6: Lawfulness of Processing

Strengthened Contractual Obligations
- Article 28: Processor
- Article 47: Binding Corporate Rules

Security Measures and Breach Notifications
- Article 32: Security of Processing
- Article 33: Notification of Personal Data Breach to Supervisory Authority
- Article 34: Communication of Personal Data Breach to the Data Subject

Data Protection Officer
- Article 37: Designation of the Data Protection Officer
- Article 38: Position of the Data Protection Officer
- Article 39: Tasks of the Data Protection Officer

Articles Specific to Data Controller
- Article 24: Responsibilities of Data Controller
- Article 25: Data Protection by Design and Default
- Article 40: Code of Conduct

Data Transfer
- Article 44: General Principle for Transfers
- Article 45: Transfers on the Basis of Adequacy Decision
- Article 46: Transfers Subject to Appropriate Safeguards

Note: The aforementioned list of articles is not exhaustive and represents only a subset of the regulation.
True leadership: We're in this together
Is Privacy the New Normal?
True leadership: We're in this together
Roadmap after May 2018

Compliance Audits and Regulatory Filings
Frequent external and internal audits to be conducted. Establishing data protection certification mechanisms and data protection seals and marks. Regulatory filings with the regulatory authorities demonstrating compliance.

Role of Legal Teams
Collaborating with the technology team in driving the privacy initiative. Keeping up to date with the changing privacy regulatory landscape.

Security in Privacy
Shifting from a security compliance focused strategy to a privacy compliance strategy. Establishing a privacy support function reporting to the CPO.

Privacy by Design
Implementing privacy at the design stage across all projects undertaken in the organization.

Strong Control Environment and Enhanced Technology
Establishing a mature technology setup by revamping the current technology setup and developing a mature control environment across business processes in the organization.

True leadership: We're in this together
The Privacy Journey Begins