The Evolution of Data Governance Regulations and What IA Departments Need to Know
FEBRUARY 27, 2018
Jamey Loupe | Senior Manager, Risk Advisory Services
Jessica Allen | Director, Technology & Business Transformation Services
Jamey Loupe, CISA | Senior Manager, Risk Advisory Services
Jamey is a Senior Manager in BDO’s Risk Advisory Services practice. He has provided audit and advisory services to mid-size and multi-national companies in multiple industries, and has more than 15 years of progressive experience leading and organizing teams and projects.
Throughout his career, Jamey has led and supported the activities needed to complete the audit process. He has experience presenting results to Senior Management and the Audit Committee. His experience includes:
• Leading, managing and conducting IT internal audits
• Managing complex IT SOX compliance projects
• Recommending and implementing IT process improvements
• Conducting and leading GRP pre-implementation reviews
• Conducting IT security assessments
• Monitoring IT governance
Jamey has extensive experience in Information Technology Standards and Governance, IT Risk Assessments, Cloud Security and Governance, Sarbanes-Oxley, IT Security assessments, Application pre- and post-implementation reviews, as well as IT Audit and Compliance.
PROFESSIONAL AFFILIATIONS: Institute of Internal Auditors; Information Systems Audit and Control Association; Marine Corps Association and Foundation
EDUCATION: M.L.A., Information Management Systems, Harvard University (in progress); B.A., Information Systems Decision Sciences, Louisiana State University
Jessica Allen | Director, Technology & Business Transformation Services
Jessica Allen is a Director with more than 15 years of experience developing and executing enterprise-wide programs, including Security and Compliance, IT strategy, and IT Optimization & Innovation. Ms. Allen combines her technical expertise with significant experience managing large and complex programs and operations to assist organizations in achieving a variety of business objectives, including risk mitigation, enhancing efficiencies and reducing costs.
Having significant experience leading large transformations as well as completing complex assessments, Ms. Allen is well-versed in:
• Security and Compliance
• Data Privacy and Protection
• Process reengineering
• Program governance and oversight
• Technology Architecture
• IT service management
EDUCATION: M.I.S., Northern Kentucky University; B.S., Information Systems, Northern Kentucky University
Ms. Allen is a frequent speaker on topics including technology advisory, security awareness and key threats, technology trends, innovation, and IT optimization. She supports key clients in BDO with complex technology and regulatory requirements.
Today’s Learning Objectives
At the conclusion of this course, participants will be able to:
• Identify data governance regulations by industry and location
• Describe upcoming regulations and the impact on companies in various geographical areas
• Discuss the impact of the new regulations and the data governance risks their organization faces
Defining Data Governance
What is Data Governance?
Data governance is defining ownership and management of the availability, usability, integrity and security of data used in an enterprise.
A good Data Governance program seeks to address these objectives:
• Clear information ownership
• Timely, correct information
• Clear enterprise architecture and efficiency
• Regulatory compliance and security
Data Governance is Not
The initiatives/processes below all require a well-developed Data Governance Program to be successful.
However, in and of themselves, they are not Data Governance:
• Data change management
• Data cleansing
• Master Data Management (MDM)
• Data warehousing
• Database management and administration
Data Governance v. Data Management
Data Governance is about determining who inputs and makes decisions regarding how data is treated and accessed.
Data Management is the process of making and implementing the decisions made in Data Governance.
Data Governance Ownership
Who Owns Data Governance?
One of the tenets of Data Governance is that enterprise data doesn’t “belong” to individuals. It is an asset that belongs to the enterprise. There are two approaches to effective ownership of Data Governance.
Approach #1: Assigning Data Ownership/Stewardship
Approach #2: Federated Responsibilities
Source: The Data Governance Institute
Key Stakeholders in Data Governance
Stakeholders are those individuals that could have an effect on or are affected by the data within your organization. Usually this group is a mix of individuals from across the organization. This will be different in every organization. Some of the usual suspects are:
IT Teams
• CIO
• CISO
• IT Security
• Database Administrators
• Applications Administrators
Business Teams
Legal
• Data Governance Officer
Internal Audit’s Role in Data Governance
• Evaluate the Data Governance Program maturity.
• Evaluate against documented data governance Policies and Procedures:
  • Data Content Management
  • Data Records Management
  • Data Quality
  • Data Identification and Classification
  • Data Access
• Does Internal Audit have the necessary skillsets?
• Evaluate the appropriateness of data owners/stewards.
• Does the IT group have an asset inventory?
Internal Audit’s Role in Compliance with Privacy Regulations
• Understand what data privacy regulations apply to your organization.
• Evaluate whether documented Policies and Procedures address the identified privacy regulations.
• Evaluate whether the organization has identified the key data that is subject to regulatory requirements.
• Audit processes to determine how they impact the privacy of data subjects.
• Evaluate whether systems and processes have been developed with appropriate privacy considerations.
• Report on systems that contain significant amounts of personal data and provide a plan for remediation and management of these systems.
IT’s Role in Data Governance and Related Privacy Regulations
• Chair on the Steering Committee/Data Governance Board.
• Maintain the logical and physical security of the applications and keep them up to date.
• Responsible for developing the backup and data recovery plan with the input of the business.
• Meeting Service Level Agreements as agreed with the Data Owners/Stewards.
• Ensuring that applications and databases are appropriately installed and administered.
COBIT 5 to Audit Data Governance
COBIT 5 establishes seven enablers to drive better information and data governance and management. Each of the enablers has goals and metrics that aim to drive better control and improvement of:
• Management of IT-related business risk
• Transparency of IT costs, benefits and risk
• Security of information, processing infrastructure and applications
• IT compliance with internal policies
• Risk threshold definition and communication
• Managing critical IT-related enterprise risk effectively and efficiently
• Ensuring that IT-related risk does not exceed the enterprise risk appetite
Source: ISACA, COBIT 5
Other Considerations: Cybersecurity Assessments
UNDERSTAND YOUR ENTIRE DATA PROTECTION LANDSCAPE
• Vulnerability assessments and penetration testing (VAPT)
• Incident response readiness testing
• HITRUST assessment
• IT security risk assessment
• ISO 2700x readiness assessment
• PCI DSS readiness assessment
Key Components of Data Governance
6 Key Pillars of Data Governance
[Slide figure: the six pillars; only the caption survived extraction.]
A well-defined Data Governance framework addresses this information within an organization.
Benefits of a Well-Defined Data Governance Framework
• Regulatory compliance
• Improved data quality
• Consistent definitions of business terms
• Decision-making based on information (confidence in the data)
• Collaboration among business units
• Appropriate use of information
• Sharing information internally (data integration and reuse)
• Simplified (and known) data management business processes
Regulatory Requirements
US Data Privacy Regulations
The U.S. government has taken a sectoral approach, addressing specific data privacy concerns by type of data. As a result, there are more than 200 laws in the U.S. that involve data privacy and data security. These are just a few:
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH)
• Payment Card Industry Data Security Standard (PCI DSS)
• Fair Credit Reporting Act (FCRA)
• Fair and Accurate Credit Transactions Act of 2003 (FACTA)
United States – State-Specific Data Regulations
California
• California Online Privacy Protection Act (OPPA) of 2003
• California Data Breach Notification – Civil Code s. 1798.29(a)
• California Civil Code section 1798.81.5 – Security of Personal Information
• Other California Data Privacy Laws – 25+ laws covering specific types of data (e.g. Insurance Information and Privacy Protection Act)
Massachusetts
• "Standards for The Protection of Personal Information of Residents of the Commonwealth" (201 CMR 17.00)
New York
• New York Department of Financial Services Cybersecurity Regulation (NY DFS)
General Data Protection Regulation (GDPR) Requirements
What is GDPR?
The General Data Protection Regulation (GDPR) affects organizations in the European Union (EU) or those that offer goods and services to individuals in the EU, or that collect and analyze data related to EU residents, regardless of their location.
• Replaces the 1995 EU Data Protection Directive
• Enhances personal privacy rights
• Increased requirements to protect data
• Mandatory breach reporting
• Significant penalties for non-compliance
Does GDPR Apply to You?
“Personal Data” is defined broadly: any information relating to an identified or identifiable natural person (e.g. an IP address).
Applies to all types of organizations, wherever they are located, that:
• Offer goods and services (including free services) to people in the EU; or
• Monitor the behavior of people in the EU (e.g. website analytics)
Applies to both “Controllers” and “Processors”.
Key High-Level GDPR Facts
Effective Date: May 25, 2018
Fines and Penalties: up to €20 million or 4% of annual global turnover, whichever is higher
Interpretation: guided by the European Data Protection Board (“EDPB”), Article 29 Working Party opinions under the Data Protection Directive, case law, and Article 40 Codes of Conduct
Guidance: experienced guidance is important for companies navigating this unfamiliar and unsettled terrain.
What Does This Mean for My Data?
Protecting customer privacy with GDPR
Key Changes to Address with GDPR
The most common requirements for all companies subject to the GDPR include:
Personal privacy: rights of the data subject include the right of access, rectification and erasure.
Controls, Policies & Procedures: appropriate safeguarding must be implemented, along with the ability to notify authorities of data breaches.
Transparency & Accountability: companies must provide clear notice of data collection, purposes of processing, and retention/deletion practices.
Training & Awareness
Primary Considerations
1. Relevance and Responsibilities
• Identify all areas where personal data may be stored
• Determine if personal data belongs to any EU “data subjects”
• Identify your responsibility as a data “controller” or “processor”
• Identify all third parties who have access to personal data you store
2. Readiness
• Review your policies against all relevant Authority Documents – not just GDPR – and identify synergies and gaps
• Conduct a data mapping exercise
• Review third-party contracts and ensure relevant GDPR language is included
• Review privacy notices to ensure transparency, fairness and accessibility
• Provide GDPR training to staff
• Test your incident response capabilities to ensure compliance with the 72-hour breach notification requirement
3. Remediate
• Develop a detailed remediation roadmap to prioritize and ensure timely compliance
• Update policies & procedures or create new ones to address gaps
• Implement privacy by design and privacy by default principles and security controls in all systems and processes
• Review and update cross-border data transfer processes to conform with company-specific conditions
4. Prep for Audit
• Develop and maintain a data register to record all processing activities
• Designate and register a DPO to serve as liaison to the relevant supervisory authorities
• Document all ongoing policies, procedures and controls for GDPR compliance requirements
• Ask vendors to provide evidence of compliance with GDPR and ongoing due diligence
Working Toward Compliance
IDENTIFY. ANALYZE. GOVERN.
• Define Compliance Criteria
• Develop Data Register & Data Flow Diagrams
• Evaluate Vendors & Rank Risks
• Review Policies & Contracts for Gaps
• Develop a Risk Roadmap
• Remediate, Govern & Manage
Data Mapping
BUSINESS PROCESS MAPPING, DATA REGISTERS, AND DATA FLOW DIAGRAMS
• Identify existing data and application inventories
• Understand Privacy by Design activities
• Gather policies & procedures
• Develop project plan and charter
• Develop data register
[Slide figures, recovered as far as the extraction allows:
(1) Data flow diagram of a Patient Care Application and its actors: Patient, Lab Tech, Nurse, Pharmacist, Doctor.
(2) "Process Overview with Data Risks": an engagement process flow whose recoverable steps are: client conflict check; project setup forms are completed; team is engaged; client provides information; onsite information gathering; client provides financial statements and supporting documents; services are performed; findings are finalized; report is delivered to client and a copy is archived.
(3) Data platforms touched along the way: data entry – client info; G Drive; Client File Portal; Exchange; APT Vault; Office365; BDO Laptop; Email; SharePoint.
(4) Data Retention: files sent to SharePoint are deleted after 30-45 days; information is retained for one year; project close.]
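As an added example (not from the BDO slides), the following Python builds the kind of data register this slide describes from a data flow inventory and runs the gap checks the earlier slides call for: personal data with no owner/steward, flows with no documented retention or retention beyond policy, EU data subjects where the controller/processor role has not been determined, and third parties receiving personal data without GDPR contract terms. The flows, system names, owners, retention periods and the PERSONAL_CATEGORIES list are all constructed for illustration, loosely modelled on the engagement flow in the figure; a real run would take the same fields from the organization's application inventory and classification scheme.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Categories the register treats as personal data. Constructed stand-in for the
# organization's data classification policy.
PERSONAL_CATEGORIES = {"name", "email", "ip_address", "financial_statements"}


@dataclass(frozen=True)
class Flow:
    """One edge of a data flow diagram: a business process lands data in a system."""
    process: str
    categories: FrozenSet[str]
    system: str
    owner: Optional[str]            # data owner/steward, None if nobody is assigned
    retention_days: Optional[int]   # None if no retention rule is documented
    role: Optional[str] = None      # "controller" or "processor" for this processing
    eu_subjects: bool = False       # data relates to people in the EU
    third_party: Optional[str] = None
    gdpr_terms_in_contract: Optional[bool] = None


def build_register(flows: List[Flow]) -> Dict[str, dict]:
    """Fold flows into one register entry per processing activity (process)."""
    register: Dict[str, dict] = {}
    for f in flows:
        entry = register.setdefault(f.process, {
            "categories": set(), "systems": set(), "third_parties": set(),
            "roles": set(), "eu_subjects": False, "max_retention_days": None,
        })
        entry["categories"] |= f.categories
        entry["systems"].add(f.system)
        if f.third_party:
            entry["third_parties"].add(f.third_party)
        if f.role:
            entry["roles"].add(f.role)
        entry["eu_subjects"] = entry["eu_subjects"] or f.eu_subjects
        if f.retention_days is not None:
            current = entry["max_retention_days"]
            entry["max_retention_days"] = (f.retention_days if current is None
                                           else max(current, f.retention_days))
    return register


def audit_flows(flows: List[Flow], max_retention_days: int) -> List[Tuple[str, str, str]]:
    """Return (process, system, finding_code) for every gap on a personal-data flow."""
    findings = []
    for f in flows:
        if not (f.categories & PERSONAL_CATEGORIES):
            continue  # no personal data on this hop, nothing in regulatory scope
        if f.owner is None:
            findings.append((f.process, f.system, "NO_OWNER"))
        if f.retention_days is None:
            findings.append((f.process, f.system, "NO_RETENTION_RULE"))
        elif f.retention_days > max_retention_days:
            findings.append((f.process, f.system, "RETENTION_EXCEEDS_POLICY"))
        if f.eu_subjects and f.role not in ("controller", "processor"):
            findings.append((f.process, f.system, "ROLE_UNDETERMINED"))
        if f.third_party and not f.gdpr_terms_in_contract:
            findings.append((f.process, f.system, "THIRD_PARTY_NO_GDPR_TERMS"))
    return findings


# Constructed inventory: two processing activities across five systems.
SAMPLE_FLOWS = [
    Flow("Client intake", frozenset({"name", "email"}), "Client File Portal",
         owner="Engagement Manager", retention_days=45, role="controller", eu_subjects=True),
    Flow("Client intake", frozenset({"name", "email"}), "SharePoint",
         owner=None, retention_days=45, role="controller", eu_subjects=True),
    Flow("Fieldwork", frozenset({"financial_statements", "name"}), "Email",
         owner="Engagement Manager", retention_days=None, role="controller"),
    Flow("Fieldwork", frozenset({"financial_statements"}), "APT Vault",
         owner="IT", retention_days=365, role=None, eu_subjects=True,
         third_party="Hosting vendor", gdpr_terms_in_contract=False),
    Flow("Fieldwork", frozenset({"project_code"}), "G Drive",
         owner=None, retention_days=None),  # no personal data: never flagged
]

if __name__ == "__main__":
    for process, entry in build_register(SAMPLE_FLOWS).items():
        print(process, {k: (sorted(v) if isinstance(v, set) else v) for k, v in entry.items()})
    for finding in audit_flows(SAMPLE_FLOWS, max_retention_days=365):
        print("FINDING", *finding)
```

Running the module prints two register entries and four findings; tightening the retention policy (for example max_retention_days=90) surfaces the one-year APT Vault retention as a fifth. The G Drive flow has no owner and no retention rule but carries no personal data, so it stays out of the findings, which is the point of classifying categories before auditing rather than flagging every undocumented system.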
Policies and Procedures
ALIGN WITH GDPR
GDPR Resources
For more information on GDPR please visit: www.bdo.com/gdpr
Other Webinars: GDPR is coming: Don’t be left in the dark GDPR through different lenses
Questions
Jamey Loupe | [email protected] | 713-960-1706
Jessica Allen | [email protected] | 513-592-2375
Coming Events
March 12-14, 2018: IIA-GAM Conference, Las Vegas (The Aria), Booth 116
April 24, 2018: 2018 Internal Audit Webinar Series – Course 2, The Integrated Auditor: Becoming the Go-To Resource Your Company Needs, 3 PM ET / 2 PM CT
Conclusion
Thank you for participating!