Following the adoption of GDPR in the European Union, the United States has seen its own privacy regulatory landscape evolve and develop. Beginning in California and expanding to Nevada, Maine, and beyond, ensuring organizational and technical compliance with these stringent regulations has become a priority for many organizations. These regulations have come with additional reputational and regulatory risk (e.g. fines), increased consumer rights, and an enhanced focus on how companies use data as a commodity. This webinar will unpack the key complexities surrounding those regulations, speak to how technology advancements can assist in compliance and overall privacy program maturity, and discuss how Internal Audit can prepare for and drive a proactive approach to privacy.
2. Chapter Announcements
www.theiia.org
• Board/Officer elections have been postponed
• Upcoming meetings in April & May
• CAE “Virtual” Roundtable in April
• CIA Exam virtual review courses begin in April
• Information can be found on the chapter’s website
• Any questions or comments: Chris Migliaccio, Programs Officer, email: Migliaccio2005@gmail.com
3. [Title Redacted for Privacy Purposes]
How Internal Audit Can Drive Privacy Compliance
4. 3/26/2020 CrossCountry Confidential 4
Introductions

Kenneth Riley, Experienced Managing Consultant
Kenneth is focused on helping organizations tackle the growing risks related to cybersecurity, privacy, and data protection. He has deep expertise in working with privacy and security offices to develop the people, process, and technologies to improve how sensitive data and critical infrastructure is protected. Kenneth is a Certified Information Privacy Technologist (CIPT), Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA).
kriley@crosscountry-consulting.com

Elizabeth Kelley, Senior Consultant
Elizabeth has experience leading a wide range of technology risk, cybersecurity, data privacy, and IT audit engagements. She is a certified Amazon Web Services (AWS) professional and has extensive experience assessing security of cloud environments. Elizabeth is also a Certified Information Privacy Technologist (CIPT) and is passionate about utilizing technology to enhance maturity and sustainability of privacy programs.
ekelley@crosscountry-consulting.com
5. Agenda
A Brief History of Privacy and the Current State
An Overview of CCPA and a New Set of Consumer Rights
Building a Privacy Program
The Use of Privacy Technology and Frameworks to Drive Compliance and Innovation
Privacy Risk Assessment to Privacy Audit and Internal Audit’s Role in Privacy Compliance
7. A Brief History of Privacy
• 1974 – The Privacy Act: This act established a Code of Fair Information Practice. It governs the collection, maintenance, use, and dissemination of personal information maintained by the federal government.
• 1977 – FTC FIPPS: The Federal Trade Commission Fair Information Privacy Principles were created in response to the growing use of information systems.
• 1998 – COPPA: The Children’s Online Privacy Protection Rule is passed into law, which imposes restrictions on how websites can advertise to children under the age of 13.
• 1999 – GLBA: The Gramm-Leach-Bliley Act was passed in 1999 to enhance competition in the financial services industry, as well as requirements to govern the collection, disclosure, and protection of consumers' nonpublic personal information.
• 2016 – EU-US Privacy Shield: Following the invalidation of the International Safe Harbor Privacy Principles, the EU and US developed a framework aimed at addressing deletion of data, collection of large amounts of data, and clarification of the new Ombudsperson mechanism.
8. A Brief History of Privacy
• 2016 – GDPR: The most comprehensive privacy law enacted to date, the GDPR was passed in 2016 and put into law in 2018. The law provides increased rights to EU citizens over the data collected from them and imposes large financial penalties on organizations that do not protect personal information.
• 2017 – Equifax: Equifax admitted that from around the middle of May through July 2017 hackers found a weak spot in a web app and tapped into sensitive records. It’s estimated that more than 145 million users could have been affected.
• 2018 – Facebook-Cambridge Analytica: Without prior consent, Cambridge Analytica had been harvesting personal data from millions of Facebook profiles. The scandal served as a key moment in raising awareness of data abuse by large tech companies.
• 2020 – CCPA: As of 1/1/2020, the California Consumer Privacy Act went into effect as the most comprehensive state-level privacy law in the United States. Similar to GDPR, CCPA provides enhanced consumer rights and fines for non-compliance.
9. Current US Privacy Landscape
Map legend:
1 – State privacy laws have been passed
2 – State privacy law in committee
3 – State privacy laws have been introduced to legislature or a task force has been created
10. Current US Privacy Landscape
Consumer rights compared by state: Access, Rectification, Deletion, Restriction, Portability, Opt-Out.
State – Regulation Name (status)
California – California Consumer Privacy Act
Nevada – SB 220
Maine – An Act to Protect the Privacy of Online Consumer Information
Connecticut – RB 1108 (Task force substituted for comprehensive bill.)
Florida – H 963
Hawaii – SB 418 (Task force substituted for comprehensive bill.)
Illinois – Illinois Data Transparency and Privacy Act
Louisiana – HR 249 (Task force substituted for comprehensive bill.)
Maryland – Online Consumer Protection Act
Massachusetts – SD 341 / S 120 (Study order issued.)
Minnesota – HF 2917
Nebraska – Nebraska Consumer Data Privacy Act
New Hampshire – HB 1680
New York – Right to Know Act of 2019 and SB 8641II; New York Privacy Act
North Dakota – HB1485 (Task force substituted for comprehensive bill.)
South Carolina – South Carolina Biometric Data Privacy Act
Texas – Texas Privacy Protection Act (Task force substituted for comprehensive bill.)
Washington – Washington Privacy Act
11. Current US Privacy Landscape
Key components compared by state: Age-based Opt-in, Notice/Transparency, Data Breach Notification, Prohibition on Discrimination, Purpose Limitation, Processing Limitation.
State – Regulation Name (age-based opt-in threshold where the slide gives one; status)
California – California Consumer Privacy Act (age-based opt-in: 16)
Nevada – SB 220
Maine – An Act to Protect the Privacy of Online Consumer Information
Connecticut – RB 1108 (Task force substituted for comprehensive bill.)
Florida – H 963 (age-based opt-in: 16)
Hawaii – SB 418 (Task force substituted for comprehensive bill.)
Illinois – Illinois Data Transparency and Privacy Act
Louisiana – HR 249 (Task force substituted for comprehensive bill.)
Maryland – Online Consumer Protection Act
Massachusetts – SD 341 / S 120 (Study order issued.)
Minnesota – HF 2917
Nebraska – Nebraska Consumer Data Privacy Act (age-based opt-in: 16)
New Hampshire – HB 1680
New York – Right to Know Act of 2019 and SB 8641II; New York Privacy Act
North Dakota – HB1485 (Task force substituted for comprehensive bill.)
South Carolina – South Carolina Biometric Data Privacy Act (age-based opt-in: 16)
Texas – Texas Privacy Protection Act (Task force substituted for comprehensive bill.)
Washington – Washington Privacy Act
13. The Basics of CCPA
The California Consumer Privacy Act (CCPA) requires organizations that do business in California (regardless of where they are located) to comply with privacy rules regarding the collection, sale, and use of personal information. These rules apply regardless of whether data is stored electronically, on paper, or on other materials.
Timeline:
• October 2017 – Privacy ballot initiative submitted
• June 28, 2018 – CCPA law signed
• Lobbying and proposed amendments
• January 1, 2020 – CCPA law effective*
• July 1, 2020 – CCPA becomes fully enforceable
*CCPA includes a 12-month lookback period, enabling consumers to request data collected and processed as early as January 1, 2019.
14. Scope & Applicability of CCPA
Business: CCPA applies to any business that is:
• For profit
• Collects consumer personal information
• Determines purpose and means of processing
• Does business in California
Plus one or more of the following:
• Revenue greater than $25 million
• Personal information of consumers, households, or devices greater than or equal to 50k
• Revenue from personal information is greater than or equal to 50%
Consumer: Any natural person who is a California resident
15. What does CCPA consider to be personal information?
CCPA requirements apply to all personal information (not just sensitive data) belonging to individuals who reside in CA.
Definition of personal information from CCPA: “Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Sample Types of Personal Information
Identifiers
• Name
• Alias
• Address
• Online identifiers (e.g., IP addresses)
• Email address
• Account name
• Social Security Number
• Driver’s license number
• Passport number
Internet Information
• Browsing history
• Search history
• Interactions with web sites, applications, and advertisements
Commercial Information
• Personal property records
• Purchase history
• Purchasing or consuming tendencies
Other
• Geo-location services
• Biometric
• Education information
• Professional or employment-related information
• Audio, electronic, visual, thermal, olfactory, or similar information
• Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
16. Roles within CCPA
Business (Controller): Person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Consumer (Data Subject): Individuals who are or can be identified by the personal information collected by the business.
Service Provider (Data Processor): Processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.
Third Party: A person who is not the business or a service provider above; a broader category that includes any party with which data is shared.
17. The EU and California Views on Privacy
What is the same and what is different between major privacy laws?
• Restrictions on the sale of personal information
• Protections for customers who opt out
• No ceiling on enforcement penalties
• Personal information definition includes the concept of “household” data
• Right to correction and to stop automated decision making
• Data Protection Impact Assessments (DPIA)
• Data processor requirements
• Cross-border transfer restrictions
• Processing restrictions
• Supervisory and regulatory authority
• Breach notification
• Privacy by design
• Access, portability, and erasure/deletion
• Private right of action
18. CCPA Enforcement Actions
Private/Direct Right of Action (Data Breach*)
• Prosecutor: Consumer
• Penalty: $100 - $750 per consumer per incident, injunctive or declaratory relief, any other relief the court deems necessary
Injunctions and Civil Penalties (CCPA Violation)
• Prosecutor: Attorney General
• Penalty: Up to $2,500/violation; up to $7,500/intentional violation
Businesses have a 30-day “cure” period, during which they have the ability to remediate violations identified; however, a breach cannot be “cured”. Rather, new processes can be implemented to minimize future incidents.
*Data Breach – Consumer’s nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.
20. CCPA Key Principles & Requirements
Requirement areas: Privacy Policies and Notices; Technical Safeguards; Vendor Management; Incident Response & Breach Management; Data Inventory & Mapping
Consumer rights: Right to Opt Out; Right to Notice; Right to Non-Discrimination; Right to Access and Deletion
Principles:
• CONTROL – Consumers should have control over who can access their information
• TRANSPARENCY – Consumers should know how companies will use their information
• ACCOUNTABILITY – Companies should be held responsible for the misuse of consumer information
21. Introducing: CCPA Consumer Rights Champions
• COOKIE MONSTER: Right to Opt Out
• ELMO: Right to Non-Discrimination
• COUNT VON COUNT: Right to Notice
• BIG BIRD: Right to Access
• OSCAR THE GROUCH: Right to Deletion
22. Right to Opt Out and Cookies
What is a cookie?
According to IAPP, a cookie is a “small text file stored on a client machine that may later be retrieved by a web server from the machine which allows the web server to keep track of the end user’s browser activities”.
Why should consumers care about cookies?
Companies often “sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate” the information they collect from cookies.
CCPA’s “Opt Out” Requirement
CCPA provides consumers the right to opt out of the sale of their personal information, and companies must provide a clear, conspicuous button or link on their website that allows consumers to opt out.
24. Right to Non-Discrimination
CCPA’s “Non-Discrimination” Requirement
If a consumer opts out of the sale of their personal information after collection, CCPA prohibits businesses from discriminating against those consumers. The business must provide equal prices and services to all consumers.
Interestingly, CCPA does not place restrictions on a business’s ability to collect information or deny service if a customer does not want to participate in initial collection – the requirement only protects consumers if they opt out of the sale of personal information already collected.
Why should consumers care?
The Right to Non-Discrimination allows consumers to exercise their Right to Opt Out without worrying about not getting full services or the best prices offered by the business.
25. Right to Notice
CCPA’s “Right to Notice” Requirement
Businesses are obligated to inform their consumers of the following at or before the point of collection:
• What categories of personal information they are collecting
• The purpose of collecting the personal information
• How they are collecting the personal information
• Any time they begin collecting new or different forms of personal information not previously reported
Why should consumers care?
Consumers should be aware of what information is being collected from them at any point, and diligent to ensure that information is not excessive for the service requested or purchased. The Right to Notice allows consumers to easily track and manage this.
Illustration (the Count’s tally): recounting of all purposes for collecting personal information; numbered list of personal information categories collected; count of cookie types used.
26. Right to Access and Deletion
CCPA’s “Right to Access” and “Right to Deletion” Requirements
Access: Businesses must provide consumers the ability to request access to the personal information it has collected on them in the past 12 months. The business has 45 days to provide access accordingly.
Deletion: Like the Right to Access, businesses must provide consumers the ability to request deletion of all personal information that the business has collected on them. There are certain exceptions to this requirement (e.g. legal holds).
Why should consumers care?
Having the ability to request access to or deletion of personal information allows consumers to have more control over their personal information and understand the breadth of information they share without realizing it.
Illustration – Personal Information Profile: full name, financials, SSN, email address, browsing history, phone number.
28. CCPA Exemptions
CCPA currently includes specific exemptions to the data deletion requirement:
• Transactional
• Legal Obligation
• Functionality
• Expected, Internal, and Lawful Uses
• Free Speech
• Security
• Research in the Public Interest
• CalECPA Compliance
30. Milestones to Compliance
• CCPA Applicability: Have you determined how the CCPA applies to your organization (whether you are a covered business, a service provider or third party)?
• Data Mapping: Do you understand what personal information your organization is processing, who has access to it, whether it’s “sold”, and with which third parties it is shared?
• Vendor Contract Updates: Are your vendor or customer contracts updated to comply with the CCPA and limit your organization’s liability?
• Consumer Requests: Have you created processes to verify and enable consumer requests for access, deletion and opt out of sales?
• Privacy Policy Updates: Are your privacy policies and other disclosures updated to provide consumers the information required by the CCPA at the appropriate time?
• Security Procedures: Have you implemented reasonable security practices to protect consumers’ personal information and avoid a breach?
• Incentives: Do you have a strategy for disclosing any financial incentives you offer for the collection, sale or deletion of personal information?
• Employee Training: Have you informed customer-facing employees about requirements and how to direct consumers to exercise their rights?
Source: IAPP
31. Example Approaches
Security Procedures
• Review security policies in place to determine whether appropriate processes and controls are in place to protect personal data, for example:
o Access Control
o Encryption
o Logging and Monitoring
o Data Destruction
o Environment Segregation
Privacy Policy Updates
• Add required language to internal and external Privacy Policies and Privacy Notice(s)
• Design and implement supporting standard operating procedures for new requirements, for example:
o “Do not sell my personal information”
o Cookie management
o Privacy incident response
Consumer Requests
• Ensure procedures for responding to and managing consumer requests for access and deletion are operationalized
• Perform analysis of current tools to understand capabilities for inventorying and managing consumer requests
• Consider implementing a privacy program management software solution, such as OneTrust or TrustArc
33. The Evolution of Privacy Maturity – ISO 27701
What is the ISO 27701?
The standard specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27701 and ISO/IEC 27702 for privacy management within the context of the organization.
Scope and Applicability
The standard specifies PIMS-related requirements for PII controllers and PII processors holding responsibility and accountability for PII processing. It is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.
Source: ISO27001 Security
Key Advantages of ISO 27701
Privacy Compliance
• Organizations may be subject to multiple privacy compliance obligations from different jurisdictions in which their data lives and/or operates.
• As it is a management system, it defines processes for continuous improvement on data protection and allows organizations to develop a managed approach towards requirements of frameworks such as the GDPR.
Compliance Maintenance
• Upon obtaining the PIMS certification, companies will be able to maintain compliance with applicable requirements.
• Privacy Officers can provide the necessary evidence to assure stakeholders such as senior management, owners and the authorities that applicable privacy requirements are satisfied.
Compliance Transparency
• Companies can use PIMS certification to communicate their privacy compliance to partners and key stakeholders.
• As ISO 27701 is a uniform evidenced framework based on an international standard, it can provide compliance transparency to clients, especially since the standard requires evidence that is validated by a third-party auditor.
34. The Evolution of Privacy Maturity – Draft NIST Privacy Framework
Function – Category
IDENTIFY
• Inventory and Mapping: Data processing and individuals’ interactions with systems, products, or services are understood and inform the management of privacy risk.
• Addition of privacy controls to the following NIST CSF categories: Business Environment, Governance, Risk Assessment, Risk Management, Supply Chain Risk Management
PROTECT
• Protected Processing: Technical data processing solutions increase disassociability consistent with related policies, procedures, and agreements and the organization’s risk strategy to protect individuals’ privacy.
• Addition of privacy controls to the following NIST CSF categories: Access Control, Awareness and Training, Data Security, Data Protection, Maintenance, Protective Technology
CONTROL
• Data Management Processes and Procedures: Policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage data consistent with the organization’s risk strategy to protect individuals’ privacy.
• Data Management: Data are managed consistent with the organization's risk strategy to protect individuals’ privacy and increase manageability.
INFORM
• Transparency Processes and Procedures: Policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to increase transparency of the organization’s data processing practices.
• Data Processing Awareness: Individuals and organizations have an awareness of data processing practices, and processes and procedures are used and maintained to increase predictability consistent with the organization’s risk strategy to protect individuals’ privacy.
RESPOND
• Redress: Organizational response activities include processes or mechanisms to address impacts to individuals that arise from data processing.
• Addition of privacy controls to the following NIST CSF categories: Response Planning, Communications, Analysis, Mitigation, Improvements
37. Technical Challenges
Implementing the mechanisms needed to comply with CCPA does have both procedural and system interface challenges.
Data Identification
• Tracking data elements in an age of data proliferation
• Identifying disconnected systems with independent data sources
• Extending mapping to data archives and back-ups
Data Accuracy
• Managing centralized data sources with writes from multiple systems
• Recognizing independent data sources with similar data elements
• Considering disaster recovery and RPO/RTO targets
Data Security
• Protecting data at rest and data in transit
• Deciding criticality of platform versus field-level protections
• Deploying alternative protection mechanisms, such as tokenization or pseudonymization
Data Deletion
• Utilizing automated processes to delete data from connected data sources
• Creating a paper trail for any manual data deletion efforts
• Defining a new data source restore point, which is necessary to prevent deleted data from re-appearing
Vendor Management
• Including critical language in all vendor contracts
• Conducting recurring due diligence on implementation of expected vendor controls
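The access and deletion rights, the deletion exemptions and the "paper trail" challenge above come together in one consumer-request workflow. The following is an added example, not code from the webinar or from CrossCountry: it applies the 12-month lookback to an access request, computes the 45-day response deadline, deletes across several connected sources while skipping records under a legal hold, and writes an audit entry for every record it touches, flagging sources that can only be deleted manually. The data sources, record layout and sample records are constructed for the example.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

LOOKBACK_MONTHS = 12   # access requests cover the prior 12 months
RESPONSE_DAYS = 45     # days the business has to respond

@dataclass
class Record:
    source: str                # constructed data-source name, e.g. "crm"
    consumer_id: str           # key shared by every source for one consumer
    category: str              # CCPA personal-information category
    collected_on: date
    legal_hold: bool = False   # deletion exemption: legal obligation
    manual_only: bool = False  # no deletion API: ticket plus paper trail

@dataclass
class AuditEntry:
    consumer_id: str
    action: str                # disclosed | deleted | retained | manual-followup
    source: str
    category: str
    reason: str

def lookback_start(request_date: date) -> date:
    """Earliest collection date an access request must cover (12 months back).
    A request dated Feb 29 falls back to Feb 28 of the prior year."""
    year = request_date.year - LOOKBACK_MONTHS // 12
    try:
        return request_date.replace(year=year)
    except ValueError:
        return request_date.replace(year=year, day=28)

def response_due(request_date: date) -> date:
    return request_date + timedelta(days=RESPONSE_DAYS)

def handle_access(records, consumer_id, request_date, audit):
    """Return the consumer's records inside the lookback window, logging each."""
    start = lookback_start(request_date)
    disclosed = []
    for r in records:
        if r.consumer_id != consumer_id or r.collected_on < start:
            continue
        disclosed.append(r)
        audit.append(AuditEntry(consumer_id, "disclosed", r.source, r.category,
                                f"collected {r.collected_on} within lookback"))
    return disclosed

def handle_deletion(records, consumer_id, audit):
    """Delete across every source unless exempt; return the records that remain.
    Deletion is not limited to the lookback window: it covers all PI held."""
    remaining = []
    for r in records:
        if r.consumer_id != consumer_id:
            remaining.append(r)
            continue
        if r.legal_hold:
            remaining.append(r)
            audit.append(AuditEntry(consumer_id, "retained", r.source, r.category,
                                    "legal hold: deletion exemption"))
        elif r.manual_only:
            remaining.append(r)   # stays until the manual deletion is confirmed
            audit.append(AuditEntry(consumer_id, "manual-followup", r.source,
                                    r.category, "no automated deletion; ticket raised"))
        else:
            audit.append(AuditEntry(consumer_id, "deleted", r.source, r.category,
                                    "automated deletion"))
    return remaining

def run_sample() -> dict:
    """Constructed request dated 2020-03-26 against four constructed sources."""
    request_date = date(2020, 3, 26)
    cid = "c-1001"
    records = [
        Record("crm", cid, "identifiers", date(2019, 6, 1)),
        Record("analytics", cid, "internet-information", date(2019, 1, 15)),
        Record("billing", cid, "commercial-information", date(2020, 2, 10), legal_hold=True),
        Record("backup_tape", cid, "identifiers", date(2019, 9, 1), manual_only=True),
        Record("crm", "c-2002", "identifiers", date(2019, 8, 20)),  # another consumer
    ]
    audit: list[AuditEntry] = []
    disclosed = handle_access(records, cid, request_date, audit)
    remaining = handle_deletion(records, cid, audit)
    return {
        "due": response_due(request_date).isoformat(),
        "lookback_start": lookback_start(request_date).isoformat(),
        "leap_lookback": lookback_start(date(2020, 2, 29)).isoformat(),
        "disclosed_sources": [r.source for r in disclosed],
        "remaining_sources": [r.source for r in remaining if r.consumer_id == cid],
        "audit_actions": dict(Counter(e.action for e in audit)),
    }

if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Note that the analytics record is outside the access lookback but is still deleted, because the deletion right covers all personal information held; the billing record stays because of the legal-hold exemption and is logged as retained.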
38. Potential Solutions/Strategies
• There is not a single solution to mitigate the technical risks
• A layered approach to mitigate the risk is recommended, using a combination of mechanisms across technology tiers
• Utilizing previously deployed solutions reduces the implementation and adoption cost, and tightens the alignment between privacy and security initiatives
Technology tiers: Data; App Security; Client/Server; Network
Mechanisms: Field-Level Encryption; Anonymization; Data Classification; Pseudonymization; Network Authentication; Network Monitoring; Hashing or Salting; Golden Source Data Storage
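"Hashing or Salting" and "Pseudonymization" sit side by side in the list above, but they behave differently when the same consumer must be found again across disconnected systems (data mapping, deletion requests). The added example below, not code from the webinar or from CrossCountry, compares an unkeyed hash, a per-record salted hash and an HMAC-based pseudonym on a low-entropy identifier; the phone number and the key are constructed, and the key is assumed to live in a key store rather than beside the data.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

def plain_hash(value: str) -> str:
    """Unkeyed SHA-256. Deterministic, so it links records across systems, but
    anyone holding the token can confirm a guessed value by recomputing it."""
    return hashlib.sha256(value.encode()).hexdigest()

def salted_hash(value: str, salt: bytes | None = None) -> tuple[str, str]:
    """SHA-256 over a fresh random salt plus the value. Two systems salting the
    same value get unrelated tokens: fine for anonymised analytics, useless for
    data mapping or for locating a consumer's records on a deletion request."""
    if salt is None:
        salt = secrets.token_bytes(16)
    return salt.hex(), hashlib.sha256(salt + value.encode()).hexdigest()

def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key (assumed to be held in a KMS/HSM).
    Deterministic, so linkable across systems, but not recomputable without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def confirmable_without_key(stored_token: str, guessed_value: str) -> bool:
    """Could someone holding only the stored token confirm a guess for the
    original value? True for an unkeyed hash of low-entropy data."""
    return hmac.compare_digest(stored_token, plain_hash(guessed_value))

def same_consumer(token_a: str, token_b: str) -> bool:
    """Data-mapping check: do two stored tokens refer to the same consumer?"""
    return hmac.compare_digest(token_a, token_b)

def lookup_with_key(stored_token: str, value: str, key: bytes) -> bool:
    """Authorised lookup (e.g. for a DSAR) recomputes the pseudonym with the key."""
    return hmac.compare_digest(stored_token, keyed_pseudonym(value, key))

def demo() -> dict:
    phone = "+1 415 555 0100"                       # constructed sample value
    key = b"constructed-demo-key-not-for-real-use"  # constructed; use a KMS/HSM key
    crm_token = keyed_pseudonym(phone, key)         # as stored by system A
    warehouse_token = keyed_pseudonym(phone, key)   # as stored by system B
    _, salted_a = salted_hash(phone)
    _, salted_b = salted_hash(phone)
    return {
        "plain_links": same_consumer(plain_hash(phone), plain_hash(phone)),
        "plain_confirmable": confirmable_without_key(plain_hash(phone), phone),
        "salted_links": same_consumer(salted_a, salted_b),
        "keyed_links": same_consumer(crm_token, warehouse_token),
        "keyed_confirmable": confirmable_without_key(crm_token, phone),
        "keyed_lookup_with_key": lookup_with_key(crm_token, phone, key),
        "keyed_lookup_wrong_key": lookup_with_key(crm_token, phone, b"other-key"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The keyed pseudonym is the only variant that both links the consumer across systems and resists confirmation by someone without the key; rotating that key changes every pseudonym, so key rotation has to be planned together with the data-mapping process.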
39. Technology Enablers/Drivers
Process steps:
• Determine Scope & Applicability
• Map & Tag Data
• Establish Privacy Policy & Compliance Processes
• Implement & Review Security Controls
• Update Vendor Contracts & Privacy Policies
• Train Employees
Map & Tag Data: Industry leading tools provide acceleration opportunities for data mapping and tagging tasks. Platforms such as 1Touch and Collibra allow for data mapping through automated workflows. Manual efforts may still be required to map data to disconnected systems.
Establish Privacy Policy & Compliance Processes: Designing & operationalizing processes utilizing a centralized platform allows for easier program oversight. Advanced dashboards help visualize compliance readiness, and store the latest versions of privacy policies and notices for company-wide use.
Implement & Review Security Controls: Ensuring proper security mechanisms are deployed throughout the enterprise to enable a privacy by design approach. Key aspects to consider include data encryption (both at rest and in transit), anonymization, and proper access controls.
40. Leaders in the Privacy Tech Market

• Single platform focusing on Internal Controls (SOX), Compliance, Workflow Automation, and Internal Audit
• Provides a single view for the audit program and control libraries
• Recognized in 2020 G2 Grid Report as “Best Audit Management Solutions”

• Modularized platform offering services such as Privacy Program Management, VRM, Consent Management, and User Training
• Provides a flexible workflow developer and a full library of pre-built connectors
• Named a Leader in the Forrester New Wave™: GDPR and Privacy Management Software, Q4 2018

• Specialized platform that focuses on advanced Data Discovery, Data Mapping, and Data Monitoring
• Utilizes machine learning, AI, and data lineage to track data through all flows
• At RSAC, announced the launch of Inventa, an automated data discovery tool feeding to an enhanced master catalog
43. Internal Audit and Privacy Officers – Partners in Compliance
• Expertise in privacy regulations and expert knowledge in organizational privacy risks
• Independent assessment of organizational measures to protect data
• Increase organizational awareness of privacy compliance initiatives – including with the board and executives
• Set organizational priorities for privacy initiatives
Partners: Internal Audit and the Privacy Office
44. The Privacy Audit Process
Privacy Risk Assessment – Utilize traditional risk management techniques to identify privacy and data-related risks. Consider various risk areas to identify privacy risks, such as:
• Operating model (IaaS, PaaS, SaaS)
• Media Presence
• Mobile/BYOD
• AI/Automation
Analyze and Assess Risk – Assign inherent risk ratings and evaluate the implemented controls. Perform detailed testing on privacy controls using a standard privacy framework (NIST, ISO, etc.) or internal controls.
Monitor Privacy Risk – Continuously monitor, evaluate, and update the privacy program and internal controls framework to address new risks. Utilize technologies as well as manual processes to monitor for threats and risks to the organization’s privacy well-being.
45. Performing a Privacy Risk Assessment
A Privacy Risk Assessment is a great way to gain an understanding of how your organization identifies sensitive data and what mechanisms are in place to protect the data.
➢ First, understand the landscape of what data privacy and governance risks may exist.
− Data lifecycle definition and associated controls
− Data governance and privacy policy definition
− Regulatory compliance
− Use of third parties for data processing and storage
− Data mapping and lineage
46. The Privacy Risk Universe
Privacy Policy
› Choice and consent
› Notice and disclosure
› “Do Not Sell My Personal Information”
› Data Subject Access Request (DSAR)
› Data Processing Agreements (DPA)
Technical Safeguards
› Access management
› Cryptography
› Data loss prevention
› Logging & monitoring
› Network security
Data Governance
› Data integrity and accuracy
› Data transfers
› Data sovereignty
› Minimization in collection
Operational
› Security and privacy by design
› Breach detection and response
› Vendor Risk Management (VRM)
› Monitoring and reporting
› Reputational risk
47. Assessing Privacy Risk
Factors driving the likelihood & impact of privacy risk:
● Formality of the governance and oversight structure
● Clear articulation of a privacy program
● In-house skills, talent, and ongoing training
● Maturity of security protocols and data governance controls
● Known privacy security incidents or other control breakdowns
● Alignment of current SDLC methodology to privacy principles
● Regulatory compliance implications (e.g. GDPR, CCPA, HIPAA)
● Implementation of privacy focused technology to assist with data subject access requests, cookie management, DPIAs, etc.
48. Performing a Privacy Risk Assessment – Sample Risk Heat Map
Heat map axes: Likelihood of Occurrence (Low to High) against Significance of Impact (Low to High).
Risk Level – Significance of Impact – Likelihood of Occurrence
High – High – High
Moderate – High – Low
Moderate – Low – High
Low – Low – Low
Risk areas plotted on the map: Data Access Management; Team Skills and Training; Data Mapping; Consent; DLP; Vendor Management; Secure Disposal; Strategy and Governance; Notice; Privacy Policy; Incident Detection and Response; Collection; Privacy by Design; Regulatory Readiness; Reputation
49. Risk Assessment to Audit Plan
• Develop audits that directly correlate to higher risks
• Individual and/or Privacy Specific Audits
Data Processor Review
• Assess vendors who handle sensitive or personal data
• Review data processing agreements or other contracts to determine data handling requirements
• Incident and breach management coordination with third parties
Data Lifecycle Management
• Identify sensitive and personal data in the environment
• Scope high-risk data based on regulatory or operational impact
• Assess the full lifecycle (Collection, Access, Use, Store, Transfer, Retire) of in-scope data elements
Controls Maturity Assessment
• Mix of technical and non-technical controls which establish the privacy program, including:
o Data encryption
o Data access
o Vendor risk management
o Collection, notice, disclosure
o GDPR records of processing
50. Different Flavors of Privacy and Data Protection
Healthcare Data and HIPAA: The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Financial Data and GLBA: Financial institutions covered by the Gramm-Leach-Bliley Act must tell their customers about their information-sharing practices and explain to customers their right to "opt out" if they don't want their information shared with certain third parties.
PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.
51. Different Flavors of Privacy and Data Protection
Insurance Data Security: Establishes requirements for data security standards for insurance providers. The standard includes both cybersecurity and data governance requirements.
Changing/Growing Tech Data: Changes in technology such as RPA, IOT, data analysis, and AI may mean that data is used, collected, stored, or otherwise processed in ways that have not been previously considered by privacy teams.
52. The Data Lifecycle
Any data audit should be rooted in the data lifecycle and focus on risks from collection to retirement.
Lifecycle stages: Collect/Create, Access, Use, Store, Transfer, Retire
53. The Questions Internal Audit Should be Asking
• What data is being collected?
• How is the data being used?
• Where is the data being stored?
• How is data protected within the environment?
• How long is data kept?
• Is unused data retained?
• Can data be deleted upon request?
54. Conversation Starters
• We have customers visiting our website from California. Do we need to do anything on top of GDPR requirements?
• There seem to be so many new privacy requirements; how can we possibly keep up?
• We have a privacy compliance program in place, but what are the technical safeguards we should have in place to protect personal information?
• We have manual processes to respond to privacy requests from customers and regulators. Are there technologies we can consider to automate the process?