Rausch Executive Learning Series General Data Protection Regulation (GDPR)

Post on 11-Aug-2020


Page 1: Rausch Executive Learning Series · Ramzi Kanso, CPA, MBA, CFF, CIA, CISA, CISM, CISSP is the VP of Internal Audit for Abbott Labs Rapid Diagnostics. Ramzi is a seasoned CAE with

Rausch Executive Learning Series

General Data Protection Regulation (GDPR)

Page 2:

Welcome

Page 3:

Agenda

01 Networking – Continental Breakfast provided by Rausch Advisory Services LLC.

02 Welcome Introduction – Mr. Timothy Philips, General Counsel of the American Cancer Society

03 Introduction of the Panelists & Overview on GDPR - Mr. Michael Lisenby, Managing Partner, Rausch Advisory Services LLC.

04 General Data Protection Regulation (GDPR) Panel Discussion – Industry Leaders

05 Closing Remarks & Networking

Page 4:

The Panelists

JILL RABON – Director, Global Payroll & HR Operations

RAMZI KANSO – Vice President Internal Audit

JUSTIN WARD – Manager of Information Security

BRAD GORKA – Sr. Director Information Security & IT Governance

COREY CUTTER – Corporate Attorney

Page 5:

JILL RABON

Director, Global Payroll & HR Operations

Jill Rabon is the Director, Global Payroll and HR Operations for Starr Companies. She is responsible for the strategic direction and delivery of global payroll, HR and benefit operations for 2,000 employees in 25+ countries in North, Central, South America, Europe and Asia. Her responsibilities include HR, recruiting, onboarding, policy, employee relations, payroll, benefits and tax. She is also responsible for the global Human Capital Management system and service delivery model Workday. She manages third party providers to ensure successful delivery of services worldwide for payroll, benefits, tax and labor compliance. Jill manages a multi-national diverse team of HR, payroll and benefits professionals located in Atlanta, London, Hong Kong and Buenos Aires.

Prior to joining Starr Companies, Jill was the Director, Global Payroll for British Telecom where she was responsible for global HR/payroll platform and operations for 16,000 employees and 200+ international assignees in 45 countries across three regions.

Page 6:

BRAD GORKA

Sr. Director Information Security & IT Governance

Brad Gorka is Senior Director of Information Security and IT Governance at ARRIS International plc.

He is responsible for the global Information Security program, including risk management functions, security audit, compliance, and cybersecurity operations. Brad has an extensive background in technology and uses a risk management approach to running Information Security that is compatible with the enterprise strategy and company culture.

He has earned a Master of Science in IT Management and Bachelor’s degree in psychology – both from Georgia State University – as well as CISM and ISO27002LM certifications.

Page 7:

RAMZI KANSO

Vice President of Internal Audit

Ramzi Kanso, CPA, MBA, CFF, CIA, CISA, CISM, CISSP is the VP of Internal Audit for Abbott Labs Rapid Diagnostics. Ramzi is a seasoned CAE with over 25 years of experience in the related fields of audit, operations, and accounting. For the past 10 years, Ramzi has served as Vice President of Enterprise Risk Management (ERM) and Chief Audit Executive at two separate multi-billion dollar international public companies. He has a proven record of accomplishment in manufacturing, loss prevention and investigations, successful Sarbanes-Oxley deployment, due diligence auditing, FCPA, financial & operational accounting, and information security. He also possesses extensive international experience. He is an effective multi-lingual communicator with strong project management skills, business acumen, and expertise in financial statement analysis.

Ramzi served as Head of ERM & CAE at SWM, Inc. and Spectrum Brands Inc., and as CAE at Sanmina-SCI, Inc. (all publicly held Fortune 500 & 1000 companies). Prior to that, Ramzi served in various capacities including Managing Director, Global Accounting Manager and Ex-Pat Finance Director over the Middle East, Africa, and the Central Asian Republics (CAR) at an F-200 company.

Ramzi earned his Master of Business Administration with an emphasis in Technology Management. He also earned his Bachelor of Science in Accounting from the University of Alabama - Tuscaloosa.

Page 8:

JUSTIN WARD

Manager of Information Security, The Coca-Cola Company

Justin Ward serves as a manager on the Information Risk Management team for The Coca-Cola Company. He has led multiple workstreams in the global GDPR project being managed by the Privacy Team, focusing on Privacy Incident Response, Data Subject Rights requests, and Security Control Requirements. Justin manages the onboarding of new direct reports (IRM Regional Managers) in Sofia, Singapore, Mexico City, and Atlanta. He provides security leadership and facilitates collaboration among global franchise bottlers. He developed and executes the security roadmap for enterprise governance, risk, and compliance. He leads a cross-functional, global team to standardize the risk management process, based on ISO 31000.

He manages a team of global risk analysts who perform risk assessments of internal projects, 3rd party vendors/SaaS providers, and new technologies. He is responsible for the review and approval of the appropriate documentation to confirm compliance with information security policies and requirements. Documentation includes Business Requirements Reports, Solution Designs, SSAE16 or ISAE3402 Reports, CSA or SIG questionnaires, 3rd Party Penetration Test Results, PCI AOCs, etc.

Prior to joining The Coca-Cola Company, Justin served as the technology and security architect on the Enterprise Architecture team at USG Corporation. He was a cyber security expert on the NEI 04-04 nuclear plant project for Florida Power & Light and worked for KPMG providing consultative services within the Information Risk Management (IRM) practice in various technology environments across various industries. Justin has a Bachelor of Science in telecommunications engineering from Texas A&M University.

Page 9:

COREY CUTTER

Corporate Attorney

Corey Cutter assists the American Cancer Society, Inc. in the management of its enterprise-wide privacy program. She serves as the central knowledge base and authority regarding the Society’s collection and protection of data regarding donors, volunteers, staff, cancer patients, caregivers, research participants and other constituents, to ensure consistency and compliance. She is also responsible for continual oversight and enhancement of the American Cancer Society’s privacy program and the management of all the essential program elements, including privacy risk assessments, response plans, policies and procedures, training, communications, auditing, monitoring and metrics. Corey also provides legal counsel to the Society on issues related to federal, state, and international privacy-related laws and industry best practices as applicable to the Society.

Prior to working with the American Cancer Society, Corey worked in private practice, counseling clients in various areas of privacy law and defending clients in commercial litigation.

Corey received her Bachelor of Arts degree from Indiana University in 1994 and earned her Juris Doctor degree from the University of Colorado School of Law in 1997. She has obtained several privacy certifications from the International Association of Privacy Professionals, including CIPP-US, CIPP-G, and CIPM.

Page 10:

Getting your head around it

The General Data Protection Regulation (GDPR)

GDPR (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect, it will replace the 1995 Data Protection Directive (Directive 95/46/EC).

Unlike a directive, it does not require national governments to pass any enabling legislation, and so it is directly binding and applicable.

[Countdown to the GDPR effective date: 55 DAYS 12 HOURS 23 MIN]

Presentation Notes

GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union. It addresses the export of personal data outside the EU. GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. GDPR will replace the 1995 Data Protection Directive (Directive 95/46/EC).

Discussion questions:

• What is the geographical coverage of the GDPR?
• When does the GDPR apply to private enterprises?
• We are not currently doing business in the EU; how does GDPR impact business outside of the EU?
• Which department or departments should head up GDPR compliance? What do you see as their roles in this initiative?
Page 11:

Key Components

Retention & The Right to be Forgotten

Controllers and Processors

Fines and Enforcement

Data Protection Officers

Privacy Management

Consent

Information Provided at Data Collection

Profiling

Legitimate Interests & Direct Marketing

Breach & Notification

Data Subject Access Requests

The Right to Data Portability

Presentation Notes

Key Components

Controllers and Processors

Organizations that determine the means of processing personal data are controllers, regardless of whether they directly collect the data from data subjects. For example, a bank (controller) collects the data of its clients when they open an account, but it is another organization (processor) that stores, digitizes, and catalogs all the information produced on paper by the bank. These companies can be datacenters or document management companies. Both organizations (controller and processor) are responsible for handling the personal data of these customers.

• I'm not a bank and we only do B2B business; does it even apply if my company doesn’t have customers that are individuals? (Arris & Starr)
• Most of us are now pushing significant portions of our data to cloud service providers. How can they contribute to maintaining records of the personal data that they process? (Coke)
• Who is liable in case of violations of the GDPR?
• How is your company addressing the selection and validation process to ensure processors can provide sufficient guarantees of their ability to implement the technical and organizational measures necessary to meet the requirements of the GDPR?
• How often should an organization test the effectiveness of technical measures and processes for ensuring the security of data processing?

Fines and Enforcement

Regulators will now have authority to issue penalties equal to the greater of €10 million or 2% of the entity's global gross revenue for violations of record-keeping, security, breach notification, and privacy impact assessment obligations. However, violations of obligations related to legal justification for processing (including consent…), data subject rights, and cross-border data transfers may result in penalties of the greater of €20 million or 4% of the entity's global gross revenue.

• If I don’t do business in the EU but have EU citizens’ data, is my company subject to those fines? (ACS)

Data Protection Officers

Data Protection Officers must be appointed for all public authorities, and where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data” (such as that revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and the like). Although an early draft of the GDPR limited mandatory data protection officer appointment to organizations with more than 250 employees, the final version has no such restriction. The regulation requires that they have “expert knowledge of data protection law and practices,” the level of which “should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor.” Data Protection Officers may insist upon company resources to fulfill their job functions and for their own ongoing training. Data Protection Officers are expressly granted significant independence in their job functions and may perform other tasks and duties provided they do not create conflicts of interest. The regulation expressly prevents dismissal or penalty of the data protection officer for performance of her tasks and places no limitation on the length of this tenure.

• Has your company named a data protection officer (DPO), and does every company need to name one? (Abbott & Coke)
• Am I allowed to appoint an external DPO instead of an internal DPO?

Privacy Management

The regulation mandates a “Risk Based Approach”: where appropriate, an organization’s controls must be developed according to the degree of risk associated with the processing activities. Where appropriate, privacy impact assessments must be made, with the focus on protecting data subject rights.

• Have you performed a data protection impact assessment as part of your compliance efforts, and when does it need to be performed in the process? Did you follow a specific methodology such as ISO 27001:2013?

Privacy by Design states that data protection safeguards must be designed into products and services from the earliest stage of development. There is an increased emphasis on record keeping for controllers, all designed to help demonstrate and meet compliance with the regulation and improve the capabilities of organizations to manage privacy and data effectively.

• Is there an agency that I will need to certify with, or is your organization seeking to comply with some sort of certification process? (Arris & ACS)

Consent

According to the Regulation, consent means “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;” The purposes for which the consent is gained need to be “collected for specified, explicit and legitimate purposes”. In other words, it needs to be obvious to the data subject what their data is going to be used for at the point of data collection.

• Is it necessary to obtain consent anew under the GDPR (i.e. to “renew” consent)? How should an organization be handling this?
• Does the GDPR require consent by the data subject for any and all data processing? (Starr & Abbott)
• From an HR perspective, does the new regulation extend to my employees or just customers? (Starr)

Information Provided at Data Collection

The information that must be made available to a Data Subject when data is collected has been strongly defined and includes:

• the identity and the contact details of the controller and DPO;
• the purposes of the processing for which the personal data are intended;
• the legal basis of the processing;
• where applicable, the legitimate interests pursued by the controller or by a third party;
• where applicable, the recipients or categories of recipients of the personal data;
• where applicable, that the controller intends to transfer personal data internationally;
• the period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period;
• the existence of the right to access, rectify or erase the personal data; the right to data portability; the right to withdraw consent at any time; and the right to lodge a complaint to a supervisory authority;
• the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The information must be provided upon collection of the personal data. Please note that information regarding the right to object to processing for direct marketing purposes must be presented clearly and separately from all other information.

• Are you analyzing your processing activities (especially the legal basis for the processing, the retention period and profiling techniques) to address data collection? What can Internal Audit do to assist in this area? (Abbott)
• Who should own the policy creation for the relevant policies, notices, etc. in this space? Is this an IT or legal issue, or both? How are you addressing it in your company? (ACS, Arris)
• Do employers need to amend employees’ contracts to comply with GDPR? Is this something any of you have begun to address? (Starr)

Profiling

The regulation defines profiling as any automated processing of personal data to determine certain criteria about a person, “in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements”. Individuals have the right not to be subject to the results of automated decision making, including profiling, which produces legal effects on them or otherwise significantly affects them. So, individuals can opt out of profiling. Automated decision making will be legal where individuals have explicitly consented to it, or if profiling is necessary under a contract between an organization and an individual, or if profiling is authorized by EU or Member State law.

• What information must employers supply to employees about the processing of their personal data under GDPR?
• What are an employer’s obligations under GDPR if it contracts with a third-party provider to process its employee data?

Legitimate Interests & Direct Marketing

The regulation specifically recognizes that the processing of data for “direct marketing purposes” can be considered a legitimate interest. Legitimate interest is one of the grounds, like consent, that an organization can use in order to process data and satisfy the principle that data has been fairly and lawfully processed. The act says that processing is lawful if “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

• How is GDPR changing the way your organization will direct market to your customers and donors? (ACS & Coke)

Breach & Notification

According to the regulation, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. It’s important to note that the willful destruction or alteration of data is as much a breach as theft. In the event of a personal data breach, data controllers must notify the appropriate supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay. Notice is not required if “the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.”

• Have you either begun to set up new teams to handle breach response or readdressed the way you will handle this? What departments should be part of the breach response program?
• Have you audited the breach response process, and what do you recommend are some of the critical points that we should be looking for in an effective breach response process? (Abbott)

Data Subject Access Requests

Individuals will have more information on how their data is processed, and this information should be available in a clear and understandable way. DSARs must be executed “without undue delay and at the latest within one month of receipt of the request.” This obviously puts a lot of power back in the hands of the Data Subjects and can cost organizations a considerable amount.

• Are you putting in automation or adding additional personnel to address DSARs?

The Right to Data Portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. Some organizations in the UK already offer data portability through the midata and similar initiatives, which allow individuals to view, access and use their personal consumption and transaction data in a way that is portable and safe. It enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.

• How do you see this affecting organizations? Do you feel companies will start looking to leverage more shared data through the use of subscription services rather than trying to maintain user data?

The first question to consider is what data will be portable. The GDPR states that portability only applies to personal data concerning an individual that he or she has “provided to” a data controller (i.e., to the organization using the data).

• So how do you segment the data and ensure the data subject is only receiving the appropriate data?

Retention & The Right to be Forgotten

Article 17 of the GDPR states that data subjects have the right to have their personal data removed from the systems of controllers and processors under a number of circumstances, such as by withdrawing their consent for its processing. It’s like requesting that your neighbor return the lawnmower you lent them. It’s yours, and you want it back. Once an organization understands where all of a subject’s personal data resides, an assessment must be made of what can be, should be, can’t be, and is infeasible to be erased. This is the most talked about area, as it may pose the most challenges for organizations.

• What are some of the technical measures organizations can take to be ready to address this?
• Are your organizations addressing this with policies prior to signing up data subjects, informing them that some data may need to reside?
• When could the “right to be forgotten” arise in connection with employment background screening? Can a background screening supplier and its client comply with a “right to be forgotten”? What does the “right to be forgotten” mean for background screening?
• What does this mean for Audit work papers? Will the data have to be stored separately so data can be segmented by geographic location?
Page 12:

Rausch recognizes that not every client is the same; each has unique needs. We are committed to meeting those needs.

Rausch accomplishes this through providing experienced dedicated professionals that engage with our clients to achieve their objectives.

At Rausch, we believe the most important thing is our employees; we treat them how we expect they will treat our clients.

SERVICE – COMMITMENT – PROFESSIONALISM – RESPECT

Rausch Advisory Services

Page 13:

Rausch Assessment Solution


RAS assessments are based on several industry standard frameworks including COSO, COBIT, ISO 27001, the Cloud Security Alliance, NIST, HITECH and HIPAA, and several other regulatory standards.

Our assessments are customized for each client’s environment, taking on your look and feel. As a dynamic platform, RAS is mobile friendly: an assessment can be started on a computer and completed on your mobile device. The assessments are designed to interact with management using intelligent logic, allowing our clients to upload necessary control evidence simply by dragging it to the screen.

Rausch has worked with numerous companies to ensure operational excellence, reduce costs, and streamline processes without compromising effective controls. Whether you are looking to perform:

• Enterprise Risk Assessments,
• Third-Party Vendor Risk assessments,
• Information Security Risk assessments,
• Financial Audits,
• Or Regulatory & Compliance audits including GDPR

Page 14:

CPE Credit

Rauschadvisory.com/survey.html

Page 15:

Rausch Advisory Services LLC.
5825 Glenridge Drive
BLD 1 STE 208
Atlanta, GA 30328

https://rauschadvisory.com

404.775.1151

Contact Us