The Evolution of Data Regulations and What IA Departments Need to Know

FEBRUARY 27, 2018

Jamey Loupe | Senior Manager, Risk Advisory Services
Jessica Allen | Director, Technology & Business Transformation Services

CPE and Support

CPE Participation Requirements | To receive CPE credit for this webcast:
• You’ll need to actively participate throughout the program.
• Be responsive to at least 75% of the polling questions.
• Please refer to the CPE & Support Handout in the Handouts section for more information about group participation and CPE certificates.

Q&A | Submit all questions using the Q&A feature on the lower right corner of the screen. Presenter(s) will review and answer questions submitted as time allows. *Please note that questions and answers submitted/provided via the Q&A feature are visible to all participants as well as the presenters.

Technical Support | If you should have technical issues, please contact LearnLive: Click on the Live Chat icon under the Support tab, OR call: 1-888-228-4088

Audio | Audio will be streamed through your computer speakers. If you experience audio issues during today’s presentation, please dial into the teleconference: 1-855-233-5756, and use teleconference code: 226 838 6759 #

Polling Question 1 (Test)

Jamey Loupe, CISA | Senior Manager, Risk Advisory Services

Jamey is a Senior Manager in BDO’s Risk Advisory Services practice. He has provided audit and advisory services to mid-size and multi-national companies in multiple industries, and has more than 15 years of progressive experience leading and organizing teams and projects.

Throughout his career, Jamey has led and supported the activities needed to complete the audit process. He has experience presenting results to Senior Management and the Audit Committee. His experience includes:
• Leading, managing and conducting IT internal audits
• Managing complex IT SOX compliance projects
• Recommending and implementing IT process improvements
• Conducting and leading GRP pre-implementation reviews
• Conducting IT security assessments
• Monitoring IT governance

Jamey has extensive experience in Information Technology Standards and Governance, IT Risk Assessments, Cloud Security and Governance, Sarbanes-Oxley, IT Security assessments, Application pre- and post-implementation reviews, as well as IT Audit and Compliance.

PROFESSIONAL AFFILIATIONS
• Institute of Internal Auditors
• Information Systems Audit and Control Association
• Marine Corps Association and Foundation

EDUCATION
• M.L.A., Information Management Systems, Harvard University (in progress)
• B.A., Information Systems Decision Sciences, Louisiana State University

Jessica Allen | Director, Technology & Business Transformation Services

Jessica Allen is a Director with more than 15 years of experience developing and executing enterprise-wide programs, including Security and Compliance, IT strategy, and IT Optimization & Innovation. Ms. Allen combines her technical expertise with significant experience managing large and complex programs and operations to assist organizations in achieving a variety of business objectives, including risk mitigation, enhancing efficiencies and reducing costs.

Having significant experience leading large transformations as well as completing complex assessments, Ms. Allen is well-versed in:
• Security and Compliance
• Data Privacy and Protection
• Process reengineering
• Program governance and oversight
• Technology Architecture
• IT service management

EDUCATION
• M.I.S., Northern Kentucky University
• B.S., Information Systems, Northern Kentucky University

Ms. Allen is a frequent speaker on topics including technology advisory, security awareness and key threats, technology trends, innovation, and IT optimization. She supports key clients in BDO with complex technology and regulatory requirements.

Today’s Learning Objectives

At the conclusion of this course, participants will be able to:

• Identify data governance regulations by industry and location
• Describe upcoming regulations and the impact on companies in various geographical areas
• Discuss the impact of the new regulations and the data governance risks their organization faces

Defining Data Governance

What is Data Governance?

Data governance is defining ownership and management of the availability, usability, integrity and security of data used in an enterprise.

A good Data Governance program seeks to address these objectives:
• Clear information ownership
• Timely, correct information
• Clear enterprise architecture and efficiency
• Regulatory compliance and security

Data Governance is Not

The initiatives and processes below all require a well-developed Data Governance program to be successful.

However, in and of themselves, they are not Data Governance.

• Data change management
• Data cleansing
• Master Data Management (MDM)
• Data warehousing
• Database management and administration

Data Governance v. Data Management

Data Governance is about determining who has input into, and who makes, the decisions regarding how data is treated and accessed.

Data Management is the process of making and implementing the decisions made in Data Governance.

Polling Question 2

Data Governance Ownership

Who Owns Data Governance?

One of the tenets of Data Governance is that enterprise data doesn’t “belong” to individuals. It is an asset that belongs to the enterprise. There are two approaches to effective ownership of Data Governance.

• Approach #1: Assigning Data Ownership/Stewardship
• Approach #2: Federated Responsibilities

Source: The Data Governance Institute

Key Stakeholders in Data Governance

Stakeholders are those individuals that could have an effect on, or are affected by, the data within your organization. Usually this group is a mix of individuals from across the organization. This will be different in every organization. Some of the usual suspects are:
• IT Teams
  • CIO
  • CISO
  • IT Security
  • Database Administrators
  • Applications Administrators
• Business Teams
• Legal
  • Data Governance Officer

Internal Audit’s Role in Data Governance

• Evaluate the Data Governance Program maturity.
• Evaluate against documented data governance Policies and Procedures:
  • Data Content Management
  • Data Records Management
  • Data Identification and Classification
  • Data Access
• Does Internal Audit have the necessary skillsets?
• Evaluate the appropriateness of data owners/stewards.
• Does the IT group have an asset inventory?

Internal Audit’s Role in Compliance with Privacy Regulations

• Understand what data privacy regulations apply to your organization.
• Evaluate if documented Policies and Procedures address the identified privacy regulations.
• Evaluate if the organization has identified the key data that is subject to regulatory requirements.
• Audit processes to determine how they impact the privacy of data subjects.
• Evaluate whether systems and processes have been developed with appropriate privacy considerations.
• Report on systems that contain significant amounts of personal data and provide a plan for remediation and management of these systems.

IT’s Role in Data Governance and Related Privacy Regulations

• Chair of the Steering Committee/Data Governance Board.
• Maintain the logical and physical security of the applications and keep them up to date.
• Responsible for developing the backup and data recovery plan with the input of the business.
• Meeting Service Level Agreements as agreed with the Data Owners/Stewards.
• Ensuring that applications and databases are appropriately installed and administered.

COBIT 5 to Audit Data Governance

COBIT 5 establishes seven enablers to drive better information and data governance and management. Each of the enablers has goals and metrics that aim to drive better control and improvement of:

• Management of IT-related business risk
• Transparency of IT costs, benefits and risk
• Security of information, processing infrastructure and applications
• IT compliance with internal policies
• Risk threshold definition and communication
• Managing critical IT-related enterprise risk effectively and efficiently
• Ensuring that IT-related risk does not exceed the enterprise risk appetite

Source: ISACA, COBIT 5

Other Considerations: Cybersecurity Assessments

UNDERSTAND YOUR ENTIRE DATA PROTECTION LANDSCAPE

• Vulnerability assessments and penetration testing (VAPT)
• Incident response readiness testing
• HITRUST assessment
• IT security risk assessment
• ISO 2700x readiness assessment
• PCI DSS readiness assessment

Polling Question 3

Key Components of Data Governance

6 Key Pillars of Data Governance

[Figure: the six key pillars of Data Governance; only the label “Information” survives from the graphic.]

A well-defined Data Governance framework addresses this information within an organization.

Benefits of a Well-Defined Data Governance Framework

• Regulatory compliance
• Improved data quality
• Consistent definitions of business terms
• Decision-making based on information (confidence in the data)
• Collaboration among business units
• Appropriate use of information
• Sharing information internally (data integration and reuse)
• Simplified (and known) data management business processes

Polling Question 4

Regulatory Requirements

US Data Privacy Regulations

The U.S. government has taken the approach of addressing specific data privacy concerns by type of data. As a result, there are more than 200 laws in the U.S. that involve data privacy and . These are just a few…

• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health (HITECH)
• Payment Card Industry Data Security Standard (PCI-DSS)
• Fair Credit Reporting Act (FCRA)
• Fair and Accurate Credit Transactions Act of 2003 (FACTA)

United States – State-Specific Data Regulations

• California Online Privacy Protection Act (OPPA) of 2003
• California Data Breach Notification – Civil Code s. 1798.29(a)
• California Civil Code section 1798.81.5 – Security of Personal Information
• Other California Data Privacy Laws – 25+ laws covering specific types of data (e.g. Insurance Information and Privacy Protection Act)
• Massachusetts “Standards for The Protection of Personal Information of Residents of the Commonwealth” (or 201 CMR 17.00)
• New York Department of Financial Services Cybersecurity Regulation (NY DFS)

General Data Protection Regulation (GDPR) Requirements

Polling Question 5

What is GDPR?

• Replaces the 1995 EU Data Directive
• The General Data Protection Regulation (GDPR) affects organizations in the European Union (EU) or those that offer goods and services to individuals in the EU, or that collect and analyze data related to EU residents, regardless of their location.

Key changes:
• Enhances personal privacy rights
• Increased requirements to protect data
• Mandatory breach reporting
• Significant penalties for non-compliance

Does GDPR Apply to You?

• “Personal Data” is defined broadly
  • Any information relating to an identified or identifiable natural person (e.g. IP address)
• Applies to all types of organizations
• Applies to organizations wherever they are located that:
  • Offer goods and services (including free services) to people in the EU; or
  • Monitor the behavior of people in the EU (e.g. website analytics)
• Applies to both “Controllers” and “Processors”

Key High-Level GDPR Facts

Effective Date | May 25, 2018

Fines and Penalties | €20 million or 4% of annual global turnover, whichever is higher

Interpretation | Guided by the European Data Protection Board (“EDPB”), Article 29 Working Party opinions under the Data Protection Directive, case law and Article 40 Codes of Conduct

Guidance | Experienced guidance is important for companies navigating this unfamiliar and unsettled terrain.

What Does This Mean for My Data?

Protecting customer privacy with GDPR

Polling Question 6

Key Changes to Address with GDPR

The most common requirements for all companies subject to the GDPR include:

Personal Privacy | Rights of the data subject include the right of access, rectification and erasure.

Controls, Policies & Procedures | Appropriate safeguarding must be implemented, along with the ability to notify authorities of data breaches.

Transparency & Accountability | Companies must provide clear notice of data collection, purposes of processing and retention/deletion practices.

Training & Awareness

Primary Considerations

1. Relevance and Responsibilities
• Identify all areas where personal data may be stored
• Determine if personal data belongs to any EU “data subjects”
• Identify your responsibility as a “controller” or “processor”
• Identify all third parties who have access to personal data you store

2. Readiness
• Review your policies against all relevant Authority Documents – not just GDPR – and identify synergies and gaps
• Conduct a data mapping exercise
• Review third-party contracts and ensure relevant GDPR language is included
• Review privacy notices to ensure transparency, fairness and accessibility
• Provide GDPR training to staff
• Test your incident response capabilities to ensure compliance with the 72-hour breach notification requirement

Primary Considerations

3. Remediate
• Develop a detailed remediation roadmap to prioritize and ensure timely compliance
• Update policies & procedures or create new ones to address gaps
• Implement privacy by design and privacy by default principles and security controls in all systems and processes
• Review and update cross-border data transfer processes to conform with company-specific conditions

4. Prep for Audit
• Develop and maintain a data register to record all processing activities
• Designate and register a DPO to serve as liaison to the relevant supervisory authorities
• Document all ongoing policies, procedures and controls for GDPR compliance requirements
• Ask vendors to provide evidence of compliance with GDPR and ongoing due diligence

Working Toward Compliance

IDENTIFY. ANALYZE. GOVERN.

• Define Compliance Criteria
• Evaluate Vendors & Rank Risks
• Develop a Risk Roadmap
• Develop Data Register & Data Flow Diagrams
• Review Policies & Contracts for Gaps
• Remediate, Govern & Manage

Data Mapping

BUSINESS PROCESS MAPPING, DATA REGISTERS, AND DATA FLOW DIAGRAMS

• Identify existing data and application inventories
• Understand Privacy by Design activities
• Gather policies & procedures
• Develop project plan and charter
• Develop data register

[Figure: sample data flow diagram around a Patient Care Application; actors shown: Patient, Lab Tech, Nurse, Pharmacist, Doctor.]

[Figure: “Process Overview with Data Risks” for a client engagement. Process stages: Client contacts Team; Client conflict check; Team is engaged; Project setup forms are completed; Client provides financial statements, supporting documents and information; Onsite information gathering; Services are performed; Findings are finalized; Report is delivered to client and a copy is archived; Project close. Data platforms: G Drive, Client Portal, File Exchange, APT Vault, Office365, BDO Laptop, Email, SharePoint. Data Retention: data entry of client info; information is retained for one year; files sent to SharePoint are deleted after 30-45 days.]

Polling Question 7

Policies and Procedures

ALIGN WITH GDPR

GDPR Resources

For more information on GDPR please visit: www.bdo.com/gdpr

Other Webinars:
• GDPR is coming: Don’t be left in the dark
• GDPR through different lenses

Questions

Jamey Loupe | [email protected] | 713-960-1706
Jessica Allen | [email protected] | 513-592-2375

Coming Events

March 12-14, 2018 | IIA-GAM Conference, Las Vegas (The Aria), Booth 116

April 24, 2018 | 2018 Internal Audit Webinar Series – Course 2: The Integrated Auditor: Becoming the Go-To Resource Your Company Needs | 3 PM ET / 2 PM CST

Conclusion

Thank you for participating!

Certificate Availability | If you participated for the entire time and responded to at least 75% of the polling questions, you may click the Participation tab to access the print certificate button.

Exit | Please exit the interface by clicking the red “X” in the upper-right-hand corner of your screen.
