This document outlines various risks and recommendations for corporate governance and data protection. It discusses identifying risks at different stages of company objectives, legal planning, technical implementation, and use of tools. Key risks include information leaks, lack of security measures, unauthorized access, and risks from third parties. It recommends assessing risks, implementing security policies, monitoring guidelines, and valuing assets to develop business while protecting confidential information throughout its lifecycle in accordance with legal and technical assessments.

1. www.tusconsultoreslegales.com [email_address] Data protection/Corporate governance START POWEPOINT Risks and recommendations

2. www.tusconsultoreslegales.com [email_address] CORPORATE GOVERNANCE 1. COMPANY OBJECTIVES AND LEGAL PLANNING 2. LEGAL PLANNING AND TECHNICAL IMPLEMENTATION 3. TECHNICAL IMPLEMENTATION AND COMPANY OBJECTIVES 5. IDENTIFYING RISKS: AVOIDING CRIMINAL LIABILITIES 6. INTERNAL RISKS 7. EXTERNAL RISKS 8. OPTIMISING TECHNICAL TOOLS 4. EVA (ECONOMIC VALUE ADDED) AND PLANNING OF TECHNICAL DESIGN STAGES 9. CONCLUSIONS

3. www.tusconsultoreslegales.com [email_address] CORPORATE GOVERNANCE

4. www.tusconsultoreslegales.com [email_address] 1. COMPANY OBJECTIVES AND LEGAL PLANNING Let us imagine that a company has the following objectives: 1- Managing, finalising and launching the development of a new product 2- Ensuring that the development information remains confidential by previously assessing the risks 3- Ensuring good governance practices, detecting which policies are necessary to guarantee the information 4- Deciding which information systems are suitable based on the specific needs of the product/business 5- Assessing the actions to be performed through the company's external means of communication

5. www.tusconsultoreslegales.com [email_address] 2. LEGAL PLANNING AND TECHNICAL IMPLEMENTATION Continuing with the example, once the business objectives are known together with the legal perspective: 1- Detecting the intangible assets which will increase the business/product value 2- Assessing the implications of subcontracting development of the project where appropriate 3- Detecting the sensitive points for information leaks (internal staff, communication formats and media, both internal and external) 4- Assessing policies such as the use of e-mail, social networks, remote access, mobile and portable devices through which the information circulates and where it is stored, assessing biometric solutions if the information is very sensitive, whether it is useful to have digital signature certificates to preserve compromising information (using encryption solutions) In other words, how the formats are managed and how information is transported

6. www.tusconsultoreslegales.com [email_address] 3. TECHNICAL IMPLEMENTATION AND COMPANY OBJECTIVES Once the best alternative for managing formats and assessing information transport has been decided: 1- Specifying the development and implementation stages based on the objectives and the budget which needs to be invested in each development stage so as to minimise risks 2- From the technical measures which it has been decided to implement to minimise risks, detecting with the EVA (Economic Value Added) whether the value of the assets is ensured (accurate valuation of tangible and intangible assets) so as to optimise risk management and create value.

7. www.tusconsultoreslegales.com [email_address] 4. EVA (ECONOMIC VALUE ADDED) AND PLANNING OF TECHNICAL DEVELOPMENT STAGES 1- Selection of economic indicators adapted to the Business Unit 2- Organisational Unit which it refers to 3- Organisation Perspectives Financial perspective Customer perspective Internal process perspective Employee or collaborator perspective 4- Generation of Balanced Scorecard considering the Organisation Perspectives 5- Global and Updated quarterly controls

8. www.tusconsultoreslegales.com [email_address] 5. IDENTIFYING RISKS: AVOIDING CRIMINAL LIABILITIES But what risks should be taken into account and in what type of situation: 1- Analysing and evaluating the physical and logical security measures which have not been implemented and/or are not current (risk of leak from databases or information not properly protected, leaked project information) 2- Formats which are not suitably protected (information leaks in formats are the most common) 3- Not detecting identity theft (another person other than the employee making negative comments about the company on social networks or carrying out criminal conduct) 4- Unencrypted communication channels (modification and listening to confidential information when transported) 5- Availability of self control measures for accessing information (where appropriate) on users by users themselves (making it possible to detect unauthorised access to confidential, personal and private information). 6- Risk of theft of media, laptops or mobile devices. Information must only be available to users or control authorities and Government law enforcement agencies.

9. www.tusconsultoreslegales.com [email_address] 6. INTERNAL RISKS With regard to internal risks: 1- Not having assessed the importance of an environment of trust 2- Not having generated non-disclosure agreements and internal company policies 3- Not having implemented technical measures allowing the detection of evidence in possible infringements or crimes 4- Not having implemented technical control measures which ensure an environment of trust 5- Not having implemented a global comprehensive security policy 6- Not monitoring the guidelines of the data protection officer or similar figure (external consultant) on personal data protection, legal guidelines, prevention policies, managing information in media etc

10. www.tusconsultoreslegales.com [email_address] 7. EXTERNAL RISKS With regard to external risks: 1- Not having carefully reviewed a services subcontracting agreement 2- Not having a control over the communicated information 3- Having provided sensitive or confidential information to persons who have not signed a non-disclosure agreement 4- Not having cancelled access to a person who has been dismissed 5- Not having planned the service level agreement of a third party and its security measures 6- Not having generated or safeguarded the back-up copies of sensitive information in case the service by third parties is not available

11. www.tusconsultoreslegales.com [email_address] 8. OPTIMISING TECHNICAL TOOLS 1- Searching for efficiency in information availability in the following areas: Geographic and environmental Safeguarding and quality of safeguarded information Transport 2- Planning the use of tools in their different levels of implementation

12. www.tusconsultoreslegales.com [email_address] 9. CONCLUSIONS As conclusions, we can highlight the following: 1- Valuing the assets (tangible and intangible) for developing the business/product 2- A business/product development project cannot be planned with confidential sensitive information without having conducted a risk analysis 3- The authenticity, confidentiality, integrity, availability, non-repudiation and auditing of the information must be guaranteed throughout the information life-cycle Planning for the implementation of technical tools cannot be carried out without previous legal assessment and the legal assessment must take into account the BUSINESS OBJECTIVES so as to create value.

13. www.tusconsultoreslegales.com [email_address] Thank you for your interest [email_address] To purchase documents: www.yourlegalconsultants.com To hire the services of an expert, please contact: