Why should your organization care about Data Privacy & Protection (DPP)
Changing legislative requirements, most recently demonstrated by the European Union’s General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and California law, coupled with rising customer expectations, pose a growing number of challenges for companies.
Privacy can give you a competitive advantage, and in an age of increasing consumer awareness and digital interconnectivity, transparency is key to achieving and maintaining the trust of your clients. Building a leading-class, sustainable data privacy strategy that incorporates customer rights and the ethical use of data, while adhering to legal and compliance obligations, can achieve just that.
What are the risks and implications for your organization when DPP are not properly managed?
Shortcomings when data privacy and protection are not properly managed
If not handled properly, mismanaged data could result in…
Fortunately, these issues can be resolved before they reach catastrophic levels by building a sustainable DPP program that implements the proper protection measures and complies with the latest regulations.
EY: Privacy program transformation
DPP is not a compliance issue — it’s strategic! Using a four-stage approach — understand, assess, define and implement — we can help you build a sustainable DPP program by integrating privacy-related components, tailored to your organization’s DPP goals, into your company’s daily processes.
A sustainable DPP program is built around three main pillars: Governance, Use of Data and Validation.
In the workshop, our DPP advisors share leading practices and lessons learned, and approach DPP from multiple angles to help you truly understand its impact on your organization and better navigate this complex landscape.
Assessment and roadmap
Our readily available DPP assessments will help you determine gaps between your organization’s current and desired state.
By checking important themes, such as current data processing roles, responsibilities, data leakage procedures, data flows and data usage, we compare the results to common market practices as well as legal obligations.
Privacy by design implementation
By developing a privacy by design methodology, you can effectively incorporate privacy and data protection from the design phase and embed privacy considerations throughout the lifecycle of a project.
We can also help you assess current processes and systems to determine which are at risk from a privacy perspective and determine what considerations should be implemented.
Data flow mapping
Current data mapping activities are often executed with an IT mindset, with the focus placed on specific technical fields rather than on the types of data used by business processes. The identified data streams can be used to respond to compliance requirements and to set up data protection.
Enforcing the appropriate focus, combined with the application of data discovery tooling and a strong data governance structure, can significantly raise the effectiveness of the exercise.
Privacy impact assessments (PIA)
PIAs are required in Canada and are of critical importance for the GDPR as Data Protection Impact Assessments. A PIA is a useful tool to embed DPP into the design of all processes and applications that process personal data. Our tool set supports the design and execution of PIAs.
Data Breach Notification & Incident Management
Recent changes to regulations are putting stricter requirements on organizations to ensure they have effective data breach notification and incident management procedures.
We can assist you with the creation of a data breach notification and incident management program that includes processes around how incidents and breaches are reported and assessed, required actions, roles and responsibilities, escalation paths, etc.
Privacy Management and Accountability Program
A successful DPP program needs to respond to corporate needs and to be adopted by the entire organization through accountability. An organization’s executives need to be aware of their responsibilities in supporting the privacy program and be held accountable for the actions that support compliance.
Use of data
By analyzing each step in the data analytics process, it can be determined whether data needs to be anonymized or whether pseudonymization of data tags is sufficient. Given the flexibility of current data tools, existing data is easily combined with new sources, which could create unforeseen possibilities for identifying individuals. Our service can help you prevent misplaced data enrichment without diminishing the power of data analytics.
Implementing DPP starts with giving access to an organization’s private data only to authorized people.
Our experience in DPP and cybersecurity gives us a holistic view when defining an IAM program focused on business enablement, helping organizations continuously and efficiently manage system access and mitigate risks to the confidentiality, integrity and availability of critical data.
Transferring personal data across jurisdictions requires understanding of the different regulations.
We can help you establish mechanisms, such as binding corporate rules, Intra Group Agreements, and monitoring the internal and external transfers of data. In addition, we can align these mechanisms with the supervising authority, formalize a procedure, appoint an accountable person for managing the transfer of data and establish a process/procedure or tools to help move data appropriately across borders.
Data should be retained for at least the minimum duration governed by applicable laws, regulations, subject area, and local policies and guidelines.
We develop an overall structure — processes, routines, time frames and system support — for deletion, anonymization or pseudonymization of personal data based on statutory retention periods and internal policies.
Understanding data flows helps an organization comprehend where its data resides, both at rest and in motion. At any stage of the flow, data can be exposed to risk.
We can help you identify those risks and define efficient controls to respond to them. These controls can be supported by processes or tools that prevent, detect or correct data leakage events.
Our portfolio of DPP managed services has been specifically designed to meet the unique requirements of any organization in a flexible and customized way. Whatever your concerns and priorities are around GDPR compliance, we can help you meet them.
Our vendor management services include due diligence processes to cover third-party activities related to information security, procurement, contracts, DPP and independence.
We use industry-standard security assessments to evaluate inherent and residual risk across DPP and cyber security, compliance and other third-party risk categories such as data classification, data location, and access and data transmission.
SOC 2 examinations are designed to deal with an organization’s controls relevant to the systems it uses to process users’ data. The resulting report helps users of the data understand the effectiveness of the organization’s controls and how they integrate with controls at the user entity.
Our team examines and reports on system controls set forth in the AICPA’s trust services criteria.
With DPP incidents on the rise, and given the impact they can have on financial systems, business continuity and crisis management planning that includes specific cyber incident simulations has never been more important.
EY’s tabletop exercises include planning, designing and developing a DPP incident simulation for your crisis response team that mimics the impact of a significant attack.
The global privacy landscape is undergoing major change. Already, regulations like the European Union’s General Data Protection Regulation (GDPR) are disrupting how companies conduct business, with some regulators even comparing their scope and impact to Sarbanes-Oxley.
Taking privacy beyond compliance can be a data strategy enabler.
EU General Data Protection Regulation managed services program strategy
Can advanced analytics help organizations make the transition to a new era of data privacy and protection?
GDPR gives EU residents new, expanded rights over their personal data and there is an opportunity for organizations to take a strategic approach to GDPR.
Is it truly possible to create a globally flexible privacy program, ready to take on challenges and create trust around the world? It’s time to find out.