Data Privacy: Building Trust in a Post-GDPR World. Frédéric Vonner, PwC; Gabriela Gheorghe, PwC

The document discusses data privacy and the General Data Protection Regulation (GDPR). It provides definitions of data privacy, an overview of key GDPR metrics like the large number of organizations that have registered Data Protection Officers, and highlights of GDPR fines issued so far in Europe. The document argues that internal audits of GDPR compliance are important for building trust, and outlines some of the key areas and challenges that can be tested when auditing an organization's GDPR program, including governance, risk analysis, controls, and common mistakes to avoid.
Data Privacy: building trust in a post-GDPR world

Frédéric Vonner, PwC
Gabriela Gheorghe, PwC

Agenda
1. Data Privacy and GDPR
2. IA (internal audit) of GDPR is a key for building trust
3. Highlights when auditing GDPR
Data Privacy and GDPR

Cambridge Dictionary: someone's right to keep their personal matters and relationships secret; the right that someone has to keep their personal life or personal information secret or known only to a small group of people.

Duhaime's Law Dictionary: a person's right to control access to his or her personal information.

International Association of Privacy Professionals: privacy is the right to be let alone, or freedom from interference or intrusion; information privacy is the right to have some control over how your personal information is collected and used.
Data Privacy and GDPR

67% of EU citizens polled indicated that they have heard of the GDPR; 36% indicated that they are well aware of what the GDPR entails; 57% indicated that they are aware of the existence of a public authority in their country responsible for protecting their data protection rights. (Source: European Commission)

375,000+ organisations in the EEA have registered a DPO:
• 182,000+ in Germany
• 51,000+ in France
• 48,000+ in Italy
• 32,000+ in UK
• 30,000+ in Spain
(Source: IAPP)

281,088 national cases, incl.:
• 144,736 complaints
• 89,271 data breach notifications
• 47,441 other cases
Main concerns are around right to access data, prevention of processing, disclosures and unauthorized processing. (Source: EDPB)
Data Privacy and GDPR
• Regulations becoming more numerous
  • The GDPR, EUDPR and national complements
  • California Consumer Protection Act (CCPA)
  • Vermont - first US privacy law regulating data brokers
  • SOC2 Privacy
  • Child Online Privacy Act
  • ...
• Privacy is gaining momentum
  • More awareness
  • More complaints
  • More fines by national authorities (Europe and US alike)
Data Privacy fines so far - Europe

(Figure: map of GDPR fines per country)

Industry, fine and reason:
• Healthcare: €460,000, insufficient security measures
• Education: €18,630, failure to conduct a DPIA and illegitimate consent
• N/A: €15,150, failure to report data breach
• Services: €20,000
• Online retail: €7,000, infringement of "right to be forgotten"
• Healthcare: €50,000, failure to nominate a DPO
• Industrial automation: €2,500, lack of transparency for video surveillance
• Finance: €1,165, inadequate security measures
• Consulting: €150,000, illegal use of consent
IA of GDPR is a key for building trust

Whose trust is at stake:
• Your employees' trust in your company's compliance
• Your own trust in your company's IA function
• Your clients' (individuals, counterparties) trust in your brand

What an internal audit of GDPR brings:
• Understanding how good your privacy program is (design, effectiveness)
• Turning GDPR into business as usual
• Verifying the respect of the accountability principle (hence, become compliant)
• Using GDPR compliance as a business advantage
IA of GDPR - flavours

Transversal audit:
• Help comply with the accountability principle - test of design (framework, policies)
• Signal organizational risks/weaknesses to mitigate
• Showcase the evolving maturity of the GDPR program (when recurrent)

Audit of specific functions:
• Help comply with the accountability principle - test of design for procedures in place
• Perform independent assessments on the effectiveness of the measures implemented
• Advocate best practices and non-compliance

Full risk assessment if there can be a data breach (likelihood, impact, mitigating controls)

There are two angles of approaching internal audits on privacy:
1) GDPR accountability overall
2) Embedding GDPR into all internal audit projects/assessments
What can be tested when auditing GDPR

Governance
  Categories:
  • Governance structure (who, what, how)
  • Trainings
  • Reporting lines
  • Privacy Framework
  • Group/HO requirements
  Examples:
  • DPO and support teams, committees
  • Resource allocation
  • Allocation of tasks
  • Plan of trainings and attendance
  • Data protection policy

Risks Analysis
  Categories:
  • Areas of high risk and priorities
  • Third-party risk management
  • Processing activities analysis
  • Data lifecycle management
  • Privacy by design
  Examples:
  • Risk dashboard (incl. IT risks)
  • Integration with IT function
  • DPIA areas
  • Data suppression
  • Consent management
  • Outsourcing agreements

Controls
  Categories:
  • Technical controls
  • Organisational controls
  Examples:
  • Test of design of risk assessment templates
  • Test of effectiveness of specific procedures
Highlights when auditing GDPR

Key areas
• What should be tested?
• How bad is the data breach risk?
• Key personal data assets

Adapt audit plan to context
• Size and risk appetite of organisation
• Relation with other group entities
• Data maturity levels
• Transversal processes

Avoid common mistakes
• GDPR is just for legal and compliance to deal with
• Having some policies set up is enough
• Banking secrecy practices are the answer to all privacy issues
• We outsource so it's not our problem anymore
• Encryption is the answer to all problems
• The business does it all, IT just implements
IA and GDPR - key challenges

• Training of IA team
  • Need for specific knowledge on the topic
  • Need for knowledge on benchmarking or good practices
  • Need for knowledge on risks / what to control
• Legal requirements vs. company measures vs. practice by staff
• Dependence among different departments
• Company mentality/risk appetite
• GDPR is not yet business-as-usual for the first line of defence
• Personal data flows are difficult to identify immediately
• Impact on subsidiaries, affiliates, partners inside and outside the EU
• IT systems being used in different ways
• Lack of view over personal data assets
GDPR is just the tip of the iceberg

Visible: GDPR

Beneath it:
• Evidence-based organisation
• Risk management
• Data security
• Data management
• Data location
• Compliance over time
Privacy frameworks universe
• ISAE
• ISO 27001
• SOC2 Privacy
• CARPA (GDPR)
• ISO 27701
• ...
CARPA: Certified Assurance Report based Processing Activities

Section I: Accountability criteria
• Policies and procedures
• Register of processing activities
• Data Protection Officer
• Data breach

Principles related to processing of personal data

Section II: Data controller
• Lawfulness and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity, availability and confidentiality
• Privacy by design and by default
• Outsourcing

Section III: Data processor
• Contracts with the controller
• Exercise of data subject rights
• Transfer to third-party countries
• Sub-contracting
• End of provision of the services
• Security
Q&A

Frédéric Vonner, Partner, +352 49 48 48 4173
Gabriela Gheorghe, Senior Manager, +352 49 48 48 3845

Thank you!