Create a Laser Focus on Data Subject Rights to Comply with the GDPR

Learn how ServiceNow and EY can help with Governance, Risk, and Compliance.


Slide 1: Create a Laser Focus on Data Subject Rights to Comply with the GDPR
ServiceNow Governance, Risk and Compliance and EY
Eric Le Martret, Senior Advisory Solution Consultant, ServiceNow
Jatin Rajpal, ServiceNow GRC and SecOps GTM Lead, EY
© 2018 ServiceNow All Rights Reserved

Slide 2: What is the GDPR?
  • The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is the EU regulation intended to strengthen and unify data protection for individuals within the European Union.
  • Major goals of the GDPR:
    – Protection of the personal data of individuals in the EU
    – Rules for the free movement of personal data within the EU
  • Enforcement date: 25 May 2018, from which organizations found non-compliant face heavy fines.

Slide 3: GDPR Is Relevant to Many Stakeholders
Stakeholders: Board level and CEO; CFO (Audit); CIO (DPO); CISO; Security Operations; GRC.
What executives care about:
  • Understanding how the key GDPR requirements apply to the organization and its business partners
  • The impact on revenue and the possibility of fines
  • The ability to respond to and report a data breach within 72 hours, which requires significant planning and practice
What IT and the enterprise care about:
  • Identifying data assets in relation to business operations, taking into account policies, procedures and technology across business units and partners
  • Creating attestations for stakeholders and third parties that give group-wide visibility of the security/protection, privacy, locality and risk posture
Strategic drivers: operational excellence; data handling practices; security and compliance; safeguarding personal data.

Slide 4: Protect Personal Information?
Personal data is any information relating to an individual, whether it concerns his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information to a computer's IP address.
  • Must have a lawful basis, such as valid consent, to process an individual's personal data
  • Must protect their privacy
  • Must be able to provide the data to the individual or to another organization if the individual requests it (data portability)
  • Must be able to delete the personal data from every location where it is held if the individual requests it (erasure)

Slide 5: The GDPR Gives Consumers More Control Over Their Data
"Consent will need to be freely given, specific, informed and unambiguous, and businesses will need to be able to prove they have it if they rely on it for processing data. A pre-ticked box will not be valid consent."
- Elizabeth Denham (UK Information Commissioner), from a speech delivered to the Institute of Chartered Accountants in England and Wales in London on 17 January 2017

Slide 6: Right to Be Forgotten Is the #1 Challenge for Businesses
[Chart: ranking of the top three concerns for respondents. Source: Varonis, Countdown to GDPR: Challenges and Concerns, October 2017]

Slide 7: Challenges Vary Slightly by Country
[Chart: ranking of the top three concerns for respondents, by country. Source: Varonis, Countdown to GDPR: Challenges and Concerns, October 2017]

Slide 8: Nine Ways We Help You Prepare for the GDPR
GDPR requirements addressed:
  1. Privacy Policy Management
  2. PII Data Mapping
  3. Data Protection Impact Assessments (DPIA)
  4. Data Subject Access Requests (SAR)
  5. Privacy Audit Management
  6. Privacy Risk Requirements
  7. 72-Hour Breach Notification and the Privacy Breach to Risk Relationship
  8. Third-Party GDPR Compliance
  9. Data Protection Officer Dashboard

Slide 9: Proving You Are Protecting Data Subjects' Rights Is Not Trivial
Focus areas: PII Data Mapping; Data Subject Access Requests (SAR); Privacy Audit Management; Privacy Risk Requirements.

Slide 10: How EY Helps Address GDPR
Focus areas: PII Data Mapping; Data Subject Portal.

Slide 11: How EY Helps Address GDPR
  • Use ServiceNow Customer Service Management and the Service Portal to share data (for example policies and procedures) and to collect decisions.
  • Identify personal data using the ServiceNow CMDB to manage information assets, associate them with other Configuration Items, and generate risks and controls.

Slide 12: GDPR: Key Requirements
  • The regulation goes into effect on 25 May 2018.
  • Potential fines for non-compliance: up to 4% of global annual turnover or EUR 20 million, whichever is higher (roughly $20m to $250m for a Fortune 100 company).
  1. Data protection impact assessments
    – DPIAs are to be conducted regularly to assess the risks to the rights and freedoms of data subjects
    – Risk remediation actions need to be driven to completion to demonstrate compliance
  2. Data protection officer
    – Mandatory DPO assignment to oversee compliance with data privacy policies and controls
    – Responsible for conducting regular audits and assessments and for ensuring data privacy "by design" across the company
  3. Data subject rights
    – Seven individual rights given to data subjects (customers and employees)
    – "Explicit consent" needs to be gathered where consent is the basis for processing
  4. Mandatory breach notification
    – The supervisory authority must be notified within 72 hours of becoming aware of a personal data breach, and affected data subjects must be informed without undue delay when the breach is likely to result in a high risk to them
    – The definition of a breach is broad: a DDoS attack, for example, can be classified as an "availability" breach
  5. Data flow maps
    – Systematic description of the envisaged processing operations
    – Requires you to know where each individual's data is stored and for what purpose

Slide 13: Operationalizing GDPR: EY Solution Architecture
Actors: Customer; Vendor; Auditors; GDPR agent; Enterprise risk management and information security; Data Privacy Office (DPO). Data scanning, tagging and visualization runs over the in-scope PI systems (structured and unstructured), with a PI data key store feeding ServiceNow.
  1. The customer submits a request to exercise data rights and receives request updates.
  2. The vendor participates in third-party risk assessments and provides responses.
  3. Auditors request information for conducting data privacy audits and access evidence.
  4. The GDPR agent manages request intake, process/exception handling and fulfillment of data rights requests.
  5. Internal auditors conduct data privacy audits and readiness assessments, and check compliance against internal policies and controls.
  6. DPO members manage data flow maps, monitor data privacy compliance and enforce "data privacy by design" through reviews, impact assessments and similar activities.

Slide 14: EY GDPR Solution Set Built on ServiceNow
  • Record of processing: manage data collection reviews, approvals, record-keeping and certification of the "record of processing activities" for both business processes and applications.
  • Data protection impact assessment: conduct risk assessments and manage impact and risk acceptance, track remediation items and monitor risks.
  • Data subject rights: enable data subjects (employees, customers, former employees, etc.) to exercise their data rights and respond to them in a timely manner.
  • Data privacy governance: enforce "data privacy by design" by conducting regular audits and assessments of processors, including vendors, to protect the rights and freedoms of data subjects.
  • Breach response: manage major breaches that pose a high risk to the rights and freedoms of data subjects and notify the privacy authority and the data subjects.
  • Data flow maps: manage a record of data flows for the sensitive PI data of data subjects.

Slide 15: Data Subject Rights
  • Workflow-driven case management solution to manage all activities from intake to fulfillment of the seven data subject rights
  • Intuitive portal interface for data subjects (employees and customers) to exercise their data subject rights and to learn more about the firm's data privacy policy
  • Portal to drive proactive breach alerts, data and consent management, thereby reducing the volume of incoming queries and requests
  • Solution links with any existing data scanning / tagging technology

Slide 16: DEMO: How EY Helps Address the GDPR

Slide 17: How ServiceNow Helps Address GDPR
Focus areas: Privacy Audit Management; Privacy Risk Requirements.

Slide 18: How ServiceNow Helps Address GDPR
  • Schedule regular GDPR audits targeting the organization and its systems that hold sensitive personal data, then generate remediation plans and track them to conclusion. Dashboards provide the ability to monitor the global level of compliance.
  • Get visibility into risk identification and compliance statistics, with notifications (including the associated risks) sent automatically to the supervisory authority (SA) at the time of a breach. Controls and capabilities also address the confidentiality, integrity and availability of systems and applications.

Slide 19: Privacy Risk Management
  1. Populate the risk register based on GDPR requirements
  2. Scope risks by associating them with a specific profile drawn from the CMDB
  3. Risk scores are calculated automatically
  4. Monitor the status of risks from the Risk Dashboard

Slides 20 and 21: Privacy Audit Management (slide 21 repeats slide 20)
  1. Create an audit engagement
  2. Scope the audit (systems, departments, controls, risks, test plans, etc.) using the CMDB
  3. Manage the audit through its lifecycle, including collecting evidence
  4. Monitor the status of the audit from the Audit Dashboard

Slide 22: ServiceNow and EY Empower You to Address GDPR
  1. Identify PII and implement DPIAs
  2. Deliver a portal for data subjects to control their personal data
  3. Continuously monitor your risk exposure
  4. Ensure you can prove compliance with regular internal audits

Slide 23: Staying Connected
  • Community: ServiceNow User Groups; Now Forums; Knowledge events; GRC Community, with thousands of active members from all geographies, industries and company sizes
  • Programs: Design Partner Program; Lighthouse Program; Product Advisory Council

Slide 24: Q & A
Thank you for joining us.
Eric Le Martret, Senior Advisory Solution Consultant, ServiceNow
Jatin Rajpal, ServiceNow GRC and SecOps GTM Lead, EY
For ServiceNow GDPR videos and whitepapers visit: www.servicenow.com/grc
Visit EY at: http://www.ey.com/gl/en/home

Slide 25: Join Us at the Intersection of Now and Next
Explore the Content Catalog! Check out the sessions, workshops, and labs awaiting you at Knowledge. For more information and to register, visit knowledge.servicenow.com.
