Cyber Resilience - Demystifying GDPR and its impact on India Inc by Mayuran Palanisamy

  • Demystifying GDPR and its impact on India Inc.

    August 9, 2017

    KPMG.com/in

    Mayuran Palanisamy, Director

    Risk Consulting - IT Advisory
    Ph: +91 9600057046
    E-mail: [email protected]

  • © 2017 KPMG, an Indian partnership and member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All Rights Reserved. Printed in India

    The Journey

    - Start
    - Denial: It won't happen to me
    - Worry: Get as much security as possible
    - False confidence: We're ready, bring it on
    - Hard lessons: There is no absolute security
    - True leadership: We're in this together

  • Have you heard of Vishing?


    Wow! That's Vishing?

  • So what's the Big Deal?


    Infamous Data Breaches

    Manufacturing (Verizon): Verizon's 2015 Data Breach Investigations Report (DBIR) found that four out of five security incidents in the manufacturing sector involved denial of service (DoS) attacks, cyber-espionage and crimeware.

    Retail (The Home Depot): About 56 million debit and credit cards were exposed.

    Health Care (Centene Corp): 950,000 members had potentially been impacted by a data breach.

    Law Firm (Panama Papers): A set of 11.5 million leaked confidential documents detailing information about more than 214,000 offshore companies.

    Telecom (Vodafone): 2 million customers' data stolen, share price fell 0.8%; 70,000+ customer accounts leaked.

    Financial (JPMorgan Chase): 0.5 million clients' personal information lost.

    Technology (Zomato): Zomato reported that data from 17 million users had been stolen, including email addresses and hashed passwords.

    ..and many more data privacy incidents across the globe in various sectors.


    Cyber Event Preparedness - Survey Results

    Industries That Say They Are Prepared For A Cyber Event (% of respondents)

    Technology: 34
    Telecom: 36
    Manufacturing: 37
    Investment Management: 39
    Banking: 42
    Insurance: 43
    Energy: 45
    Life Sciences: 45
    Consumer and Retail: 46
    Automotive: 47
    Infrastructure: 49

    Source: KPMG 2017 Global CEO Outlook Survey


  • We have heard these Myths time and again!


    Popular Myths

    - We are a company established in India, hence GDPR does not apply to us
    - My data is stored with a third-party service provider, so it's only their responsibility to remain compliant with GDPR
    - Our CISO / CIO / CRO can also play the role of a DPO
    - Controllers and processors will have to answer to only a single data protection authority
    - GDPR is the Information Security team's problem
    - My associates have only view access to the personal information of EU citizens
    - We are too small an organization, so GDPR will not affect us
    - We are only data processors, so we don't have to worry about GDPR


  • Let's first deal with the Problems


    Problems

    - Demonstrating Compliance to Regulatory requirements
    - Collaboration among internal functions
    - Developing Effective Technical & Organizational controls
    - Recruitment and Upskilling of resources
    - Driving Enterprise Wide Change Management
    - Business process specific data inventory and flow maps
    - Adhering to client contractual obligations
    - Interpreting the regulatory clauses and developing a Framework


  • Solutions!


    Problems and Solutions

    Demonstrating Compliance to Regulatory requirements
    Performing periodic external and internal audits to demonstrate compliance and adherence to regulatory requirements. Conducting self-assessments such as PIA, PRA etc. to evaluate the privacy impact and risk within the organization's functions. Benchmarking controls against industry best practices.

    Collaboration among internal functions
    Developing a communication strategy and establishing strong communication channels to ensure active, frequent and ongoing collaboration.

    Developing Effective Technical & Organizational controls
    Investing in technology and implementing solutions with adequate controls when processing personal data.

    Recruitment and Upskilling of resources
    Hiring trained and experienced resources with a background in Technology, Data Privacy, Data Protection Laws, Legal, Regulatory, and Risk and Compliance. Undertaking responsibility and accountability for driving the privacy initiatives in the organization.

    Driving Enterprise Wide Change Management
    Socializing through workshops, privacy campaigns and roadshows, and creating awareness programs across the organization. Capturing the attention of the enthusiasts, laggards and incumbents in the organization.

    Business process specific data inventory and flow maps
    Identifying PII data by using e-Discovery tools. Inventorizing the data using the Information Life Cycle Management methodology. Performing data minimization, data mapping and data flow maps.

    Adhering to client contractual obligations
    Identifying the applicable regulatory requirements of the customer and protecting the personal data. Establishing data protection certification mechanisms and data protection seals and marks.

    Interpreting the regulatory clauses and developing a Framework
    Understanding the regulatory requirements. Developing a cross-functional team that gives a legal and technological perspective on the regulation. Translating the regulations into a control-based framework for easy implementation of, and compliance with, the privacy regulations.
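    The "data inventory and flow maps" solution above (identify PII, inventory it, then minimize and map its flows) can be prototyped before any e-Discovery tooling is bought. The following is an added example written for this page, not code from the KPMG deck or any product it mentions: it scans a few constructed records from hypothetical systems, classifies values that look like personal data (e-mail, phone, and payment card numbers checked with the Luhn algorithm), builds a per-system inventory of the kind an Article 30 record of processing is compiled from, flags systems hosting that data outside the EEA (the Article 44-46 transfer questions), and lists fields no documented purpose needs (data-minimization candidates). The system names, field names, hosting locations and the PURPOSES table are all assumptions made for the demonstration.

```python
"""PII discovery and data-inventory sketch (added example, not from the KPMG deck)."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Pattern-based detectors; a real e-Discovery tool would add many more classes.
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$")
PHONE_RE = re.compile(r"^\+?\d[\d ()-]{7,}\d$")
CARD_RE = re.compile(r"^\d{13,19}$")

# EU-27 plus Iceland, Liechtenstein and Norway (assumed EEA list for the demo).
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
       "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
       "SI", "ES", "SE", "IS", "LI", "NO"}

# Constructed sample data: three hypothetical systems and where each is hosted.
SAMPLE_SYSTEMS = {
    "crm": {"hosted_in": "IN", "records": [
        {"customer_id": "C-1001", "email": "a.example@example.com",
         "phone": "+49 30 1234567", "notes": "prefers email"},
        {"customer_id": "C-1002", "email": "b@example.org",
         "phone": "+33 1 23 45 67 89", "notes": ""},
    ]},
    "billing": {"hosted_in": "IE", "records": [
        {"customer_id": "C-1001", "card": "4111 1111 1111 1111", "amount": "19.99"},
    ]},
    "analytics": {"hosted_in": "US", "records": [
        {"customer_id": "C-1001", "email": "a.example@example.com", "page": "/pricing"},
    ]},
}

# Assumed documentation of which personal-data fields each system's purpose needs.
PURPOSES = {
    "crm": {"email", "phone"},
    "billing": {"card"},
    "analytics": set(),  # analytics only needs the pseudonymous customer_id
}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value) -> Optional[str]:
    """Return the personal-data category of a single field value, or None."""
    if not isinstance(value, str):
        return None
    v = value.strip()
    if EMAIL_RE.match(v):
        return "email"
    digits = re.sub(r"[ -]", "", v)
    if CARD_RE.match(digits) and luhn_ok(digits):
        return "payment_card"
    if PHONE_RE.match(v):
        return "phone"
    return None


def build_inventory(systems: Dict) -> List[Dict]:
    """One row per (system, field, category): the raw material for an Article 30 record."""
    rows = []
    for name, system in systems.items():
        counts = Counter()
        for record in system["records"]:
            for field, value in record.items():
                category = classify(value)
                if category:
                    counts[(field, category)] += 1
        for (field, category), n in sorted(counts.items()):
            rows.append({"system": name, "field": field, "category": category,
                         "records": n, "hosted_in": system["hosted_in"],
                         "outside_eea": system["hosted_in"] not in EEA})
    return rows


def minimization_candidates(inventory: List[Dict], purposes: Dict) -> List[Tuple[str, str]]:
    """Personal-data fields held by a system whose documented purpose does not need them."""
    return [(r["system"], r["field"]) for r in inventory
            if r["field"] not in purposes.get(r["system"], set())]


def transfers_outside_eea(inventory: List[Dict]) -> List[str]:
    """Systems holding personal data outside the EEA (candidates for Article 44-46 review)."""
    return sorted({r["system"] for r in inventory if r["outside_eea"]})


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_SYSTEMS)
    for row in inv:
        print(row)
    print("minimize:", minimization_candidates(inv, PURPOSES))
    print("outside EEA:", transfers_outside_eea(inv))
```

    On the sample data the inventory has four rows (e-mail and phone in the CRM, a card number in billing, an e-mail copied into analytics); the analytics e-mail is flagged as a minimization candidate because no purpose justifies it, and the CRM (India) and analytics (US) systems are flagged for transfer review. The card detector deliberately requires a Luhn-valid digit run so that order numbers and timestamps are not inventoried as card data; the phone and e-mail patterns are loose by design, since a discovery pass should over-report and let the data owner confirm.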


  • Fine.. so what does GDPR mean to IT/ITeS companies?


    GDPR Applicability - Data Controllers & Processors

    Data Subject Rights
    - Articles 12, 13 & 14 - Right to be Informed
    - Article 15 - Right of Access by the Data Subject
    - Article 16 - Right to Rectification
    - Article 17 - Right to Erasure
    - Article 18 - Right to Restriction of Processing
    - Article 20 - Right to Data Portability
    - Article 21 - Right to Object
    - Article 22 - Automated Individual Decision Making, including Profiling

    Privacy Impact Assessments
    - Article 35 - Data Protection Impact Assessments

    Records of Data Processing
    - Article 30 - Records of Processing Activities
    - Article 6 - Lawfulness of Processing

    Strengthened Contractual Obligations
    - Article 28 - Processor
    - Article 47 - Binding Corporate Rules

    Security Measures and Breach Notifications
    - Article 32 - Security of Processing
    - Article 33 - Notification of Personal Data Breach to Supervisory Authority
    - Article 34 - Communication of Personal Data Breach to the Data Subject

    Data Protection Officer
    - Article 37 - Designation of the Data Protection Officer
    - Article 38 - Position of Data Protection Officer
    - Article 39 - Tasks of the Data Protection Officer

    Articles Specific to Data Controller
    - Article 24 - Responsibilities of Data Controller
    - Article 25 - Data Protection by Design and Default
    - Article 40 - Code of Conduct

    Data Transfer
    - Article 44 - General Principle for Transfers
    - Article 45 - Transfers on the Basis of Adequacy Decision
    - Article 46 - Transfers Subject to Appropriate Safeguards

    Note: The aforementioned list of articles is not exhaustive and only represents a subset of the regulation.


  • Is Privacy the New Normal?


    Roadmap after May 2018

    Compliance Audits and Regulatory Filings
    Frequent external and internal audits to be conducted. Establishing data protection certification mechanisms and data protection seals and marks. Regulatory filings with the regulatory authorities demonstrating compliance.

    Role of Legal teams
    Collaborating with the technology team in driving the privacy initiative. Keeping up to date with the constantly changing privacy regulatory landscape.

    Privacy By Design
    Implementing privacy at the design stage across all the projects undertaken in the organization.

    Strong Control Environment and Enhanced Technology
    Establishing a mature technology setup by revamping the current technology setup and developing a mature control environment across business processes in the organization.

    Security in Privacy
    Shifting from a security-compliance-focused strategy to a privacy-compliance strategy. Establishing a privacy support function reporting to the CPO.


  • The Privacy Journey Begins
