Building trust in a GDPR world - info.deloitte.no

Building trust in a GDPR world Deloitte Third Party Assurance Services


Contents

The General Data Protection Regulation
What GDPR means for you
Building trust in a GDPR world
GDPR Self Evaluation
Our GDPR Assurance solutions
Our GDPR Assurance methodology
About Deloitte Third Party Assurance
Frequently asked questions
Contact persons


The General Data Protection Regulation

Legal and Compliance Perspective

The GDPR introduces significant new requirements and challenges for legal and compliance functions. Organisations will need to put in place additional governance and controls.

Technology and Digital Perspective

GDPR requirements mean changes to the ways in which technologies are designed and managed, including a focus on profiling and security.

Data Perspective

Individuals and teams tasked with data governance and data management will be challenged to provide clearer, proactive oversight on data storage, journeys and lineage.

Harmonization of efforts

For global organizations, the GDPR harmonizes much of the currently fragmented legal framework for privacy across Europe, providing one data protection regulation for all member states. While the regulations have been harmonized, the GDPR introduces a new maximum penalty of 4% of annual global turnover that can be imposed in cases of serious non-compliance.

International reach

Organizations based outside the EU that process data to offer goods or services to European residents, or to monitor the behavior of European residents, will also be subject to GDPR requirements. How enforcement will apply in practice has begun to be seen, and organizations that are not in scope of current EU data protection rules may find themselves subject to significant new requirements.

The General Data Protection Regulation (GDPR)

After years of negotiations, the EU General Data Protection Regulation (GDPR) is upon us. The law introduces a range of requirements that have a significant impact on organizations. Combined with increasing demands from consumers, privacy is now firmly positioned at the top of the corporate agenda.

Significant New Requirements

The GDPR mandates organizational accountability and requires organizations to implement robust privacy governance and in general take a more proactive approach to privacy compliance. In addition, documented privacy risk assessments are required for new systems and technologies, and regulators need to be notified of personal data breaches within 72 hours of identification. It is estimated that an additional 28,000 new Data Protection Officers will be needed in Europe alone to deal with the requirements.


What GDPR means for you

Process Re-Design

• Breach Reporting – Significant breaches must be reported within 72 hours
• Encryption – Organisations may get exemptions from notifying individuals of data breaches when the data is encrypted
• Online Profiling – Individuals have new rights to opt out of and object to online profiling and tracking
• Privacy-by-Design – Privacy must be at the forefront of the design, build and deployment of new technologies

Key Design Changes

• Enforcement – Fines of up to 4% of annual revenue for non-compliance. This will extend to countries outside of the EU
• Data Protection Officers – Organisations will likely need to appoint a DPO if they process personal data on a large scale
• Accountability – The burden of proof is now on the organisation, not the individual
• Privacy Notices & Consent – Consumers must give “freely given, specific, informed & unambiguous consent”

Changes to Ways of Working

• Data Inventories – Organisations must demonstrate they know what data they hold, where it is stored & who it is shared with
• Right to be Forgotten – Consumers have a stronger right to request deletion of their data
• Right to Data Portability – Individuals are entitled to request copies of their data in a readable and standardized format
• New Definitions of Data – The scope of what Personal Data means has been extended with the concept of pseudo-anonymous data


Building trust in a GDPR world

Many EU-based companies, if not all, have extensive GDPR projects under way. Essentially all have business partners with which they exchange information.

Understanding the distribution of responsibilities for these data exchanges in regards to complying with the GDPR is probably one of the areas with which companies are most uncomfortable, as they do not have direct control over all of the processes at these business partners. Companies need to rely on the systems and processes at these business partners for protecting and maintaining the information they share with them, and on their adherence to the contracts in place.

Trusting your Business Partner

In regards to GDPR compliance, the concept of ‘trust’ relates to having confidence in your business partners’ ability to meet the requirements of the GDPR such that the information you share with them is ‘safe’. At this point in time, we would say that establishing a basis for this trust in all of a company’s business relationships is difficult to do. This is a complex situation with many uncertainties, and no one knows yet how enforcement of the GDPR will play out in real life. What will non-compliance look like? How seriously will it be taken? How much is non-compliance really going to cost? Who will be held responsible? How responsible am I really for the actions taken (or not taken) by my business relationships?

We don’t have all the answers to these questions, as no one does at this point, but we do have some ideas as to how the market will react to addressing this trust issue from a practical perspective. We have been dealing with these types of issues for a long time and we have seen how things played out in real life before. We believe that one of the most common ways to build trust in this network of business relationships will be through independent evaluation and attestation of a company’s compliance with the GDPR requirements. We call this GDPR Assurance.

What is GDPR Assurance?

GDPR Assurance is a way for companies to be subject to an independent evaluation of their compliance with the GDPR articles. Based on the type of assurance chosen, the resulting report can be distributed to one or many stakeholders to provide them with comfort that the issuing company is meeting the requirements of the GDPR.

A good way to start your journey to GDPR Assurance is to take the GDPR self evaluation on the next page.

[Figure: Trust relationships in the sharing of personal information – personal data flowing between the company, its customers and its business relations: managed infrastructure provider, cloud services provider, accounting services provider]


GDPR Self Evaluation

Here are some questions to consider when assessing your own or your business partners’ compliance with GDPR. Our practitioners use these questions in assessing overall compliance with GDPR and in determining areas which will require attention. Each question is answered Yes or No.

• Do you have a privacy strategy in place? If so, is the GDPR incorporated in that strategy?
• Do you have a DPO assigned (if mandatory) or a privacy responsible (if not mandatory), and are relevant roles and responsibilities defined?
• Do you have a privacy framework that includes a privacy policy and additional standards/guidelines?
• Do you have an incident management strategy in place that includes management of data breaches?
• Have you incorporated data privacy clauses (where relevant) in legal agreements with third party service providers or others that data is shared with?
• Do you have processes in place for managing data usage and sharing that include reviewing and monitoring the sharing of data with both internal parties (e.g. other business lines, legal entities, or countries) and external parties (outside the organisation)?
• Have you evaluated how you will respond to the rights of the data subject? If so, do you have procedures and processes in place to manage them?
• Do you perform any data privacy or GDPR related training and awareness activities?
• Are you aware of the privacy risks related to your data processing? If so, are you performing ‘Privacy Impact Assessments’ (GDPR: Data Protection Impact Assessment)?
• Do you have requirements concerning excessive processing, data retention, data minimisation, encryption and pseudonymisation when developing new products?
• Is data protection considered in all aspects of the data processing life cycle, from the outset until the end (data destruction)?
• Have you established if and when you are a processor and/or a controller, and what your responsibilities are?
• Are you aware of the basis for processing all personal data?
• Do you use consent? To what extent?
• Do you have a record of your processing activities?
• Are you relying on the exemption for unstructured data in the Data Protection Directive (95/46/EC)?
• Are you aware of where you have personal data in the organisation? (E.g. applications, databases, file servers, shared drives etc.)
• Do you process sensitive types of personal data, e.g. special categories of data or data of children?
• Do you have data protection controls built into your technology (systems/applications, databases, etc.)?


Our GDPR Assurance solutions

We currently offer the following options for issuing GDPR assurance attestations. The options provide flexibility and scalability, depending on the rigor required by stakeholders.

The two solutions are compared on level of detail in the report, applicability to other compliance areas, level of assurance and frequency of assessment. The first three are described below; the frequency of assessment is the same for both:

• General assurance attestation (ISAE3000) – annual
• SOC2 + GDPR attestation – annual

Background

General assurance attestation (ISAE 3000): Applicable to any organization, including business partners, service organizations or data processors, that needs to provide an independent validation of the implementation and operating effectiveness of GDPR-specific controls to one or a few clients. Generally covers only GDPR objectives.

SOC2 + GDPR attestation: For organizations that want or need to provide evidence of an effective security and privacy program to multiple clients and obtain a competitive edge in sales situations. Covers many aspects of Security, Confidentiality, Availability, Processing Integrity and the GDPR objectives.

Scope

General assurance attestation (ISAE 3000): Management-defined scope with scalable recommended measurement criteria from Deloitte based on GDPR articles. The Deloitte recommended criteria include a recommended framework, derived from the 90+ GDPR articles, that provides organizations with a jumping-off point.

SOC2 + GDPR attestation: Static scope for the SOC2 Trust Criteria with additional GDPR criteria added. The services and areas to be included in the attestation need to be decided by the organization being evaluated, but should be scoped to provide adequate GDPR coverage.

Applicability to other compliance areas

General assurance attestation (ISAE 3000): Medium – this audit would be very specific to the requirements in GDPR. There would be some applicability to other areas of compliance that a company may also be reporting on (e.g., ISO27001 certification, SOC2 or ISAE3402 reporting).

SOC2 + GDPR attestation: High – the Common Criteria (including Security) Trust Principle for SOC2 needs to be addressed, and most likely the Confidentiality and Availability Trust Principles. SOC2 is easily mapped to ISO27001, Cloud Security Alliance (CSA) criteria and many other standards. GDPR criteria are ‘added on’ and mapped to SOC2 controls already identified, and gaps are filled.

Level of independent assurance

General assurance attestation (ISAE 3000): High. The report includes a high-level description of in-scope procedures, controls, tests performed and results. The report also includes an audit opinion. The level of detail is scalable.

SOC2 + GDPR attestation: High. The audit report includes a very detailed description of governing policies and procedures, controls, tests performed and results. The report also includes an audit opinion. Assurance can be provided to many receivers, as long as they are in scope for testing.

Other

General assurance attestation (ISAE 3000): As the criteria to be met are limited to the GDPR criteria, the scope of these audits is smaller. Also, the description of the ‘system’ in place around GDPR in the report would be limited to a brief overview and a list of the criteria and controls in place and the results of tests. These factors greatly limit the size of the report and the effort to produce it.

SOC2 + GDPR attestation: As the criteria to be met include at least the SOC2 common criteria (including the Security Trust Principle) plus the GDPR requirements, the scope is automatically much larger than for the ISAE3000 option. The level of detail in this report is much higher and includes a detailed description of the ‘system’ in place as well as all controls in scope.


Our GDPR Assurance methodology

Our approach to providing GDPR assurance starts with a Readiness Assistance phase, including a gap analysis, development support, gap remediation and retesting to ensure that remediated controls function as intended. We use our best practice database of recommended GDPR controls to measure your implementation and provide detailed feedback on areas for improvement in order to ensure compliance.

The next phase of the project is the development of a Type 1 Examination report, which is a point-in-time report and will show your customers and business partners that you have adequate controls in place as of a specific date (usually 31 December, but this is flexible). A company could skip the issuance of a Type 1 Report and go directly to the issuance of a Type 2 Report, but it is generally beneficial to concentrate on remediating controls to address future processing rather than testing control procedures that may not historically have been designed appropriately to address the control objectives.

The next phase is to monitor the execution of the defined control regime and any further remediation efforts, and to perform testing of controls in order to produce the final Type 2 Examination report covering a period of time (usually 1 January through 31 December, but this is also flexible).

Many companies already have a reasonably mature existing internal control structure in place that can be the basis for the assurance project. The degree to which the processes and controls are formalized and documented (both in relation to the description of control procedures and to the degree to which the execution of the control activity can be evidenced in an audit) will have an effect on the effort required for the project. Factors such as the degree to which controls are common across locations, as well as the number of locations to be in scope for the report, affect project scope and duration.

The three phases and their activities, as shown in the process diagram:

Readiness Assistance
• Scope definition
• GAP analysis, recommendations and remediation
• Support in describing the environment and the entity-level/soft controls
• Retesting as necessary

Type 1 Examination
• Description fairness
• Control design suitability
• Type 1 Report

Type 2 Examination
• Description fairness
• Control design suitability
• Control operating effectiveness
• Start sampling selection
• Field work testing
• Testing exception analysis
• Opinion (qualified or unqualified)
• Type 2 Report


About Deloitte Third Party Assurance Services

Our Nordic TPA Group

Our Nordic Third Party Assurance (TPA) group works closely together to share Deloitte’s latest methodology updates, develop TPA engagement tools and techniques, share resources and hold TPA-specific training. We have monthly meetings with our Global TPA network to discuss the latest developments related to TPA, to ensure that our practitioners are kept up to date at all times.

In the Nordic region alone, our team of more than 65 TPA practitioners, supported by subject matter experts from our IT audit, Cyber Security, Financial Audit, Legal and Consulting departments, provides TPA services to more than 80 clients in the region. We deliver more than 140 TPA engagements annually. Our current deliveries include, among others:

• Assurance readiness engagements
• ISAE3402 reporting engagements
• SOC2 reporting engagements
• GDPR attestation engagements
• ISAE3000 attestation engagements
• ISRS4400 attestation engagements
• SNT4400 attestation engagements

Take it easy, we’ve been through this before…

Our local organization

Deloitte Norway has a long and proven track record of assisting clients in their Third Party Assurance report development, fulfilling the needs of both the service provider being reviewed and their user organizations.

Our TPA services are aligned under our Assurance service line, and our resources are 100% focused on reviewing, developing and issuing various types of TPA reports. We have issued many ISAE3402, ISAE3000 and SOC2 reports. We have local Norway resources with significant experience from many international TPA assignments.

Our delivery teams are composed of TPA, IT auditors, financial auditors, cyber experts, legal or tax experts, branch experts or international experts, based on the needs of the assignment.

Our TPA group is part of the Deloitte Global TPA services group and works to ensure that we are up to date on the latest standards and methods, tools and techniques, and related audit methodology guidelines specific to TPA attestation.

Our global organization

Deloitte is a global leader in performing Service Organization Control (SOC) examinations, having served large global clients since the inception of the standards.

We have more than 700 practitioners in the United States, and more than 1,000 practitioners globally, that perform SOC examinations. Our experience includes complex internal control attestation and assessment projects.

Our Norwegian TPA team has had long-term contact with our practitioners both in Europe and globally in regards to these services, and has the pleasure of sharing resources, tools and templates with many valuable SOC resources within our global network. If we have an issue we need to discuss, help is only a call away.


Frequently asked questions

We have tried to provide answers to some of the most common questions we receive in regards to attestation services here:

If my organization already has an ISAE3402 or SOC2 attestation report, an ISO27001 certification or something similar, do I still need a GDPR Assurance report?

Each type of report/certification has its own response here, as they are produced for different purposes:

ISAE3402 report – An ISAE3402 report is generally created to cover internal controls related to the processing of financial information. These are used mostly to provide assurance to companies in regards to controls at a service organization relevant to the processing of financial transactions through to the company’s financial statements. Though there are some possible areas of overlap, there will most likely be only limited relevance for GDPR coverage, and a GDPR Assurance report would then be recommended to provide full coverage.

SOC2 report – A SOC2 report, even one including the Privacy Trust Principle, would still not completely cover the GDPR requirements. Companies already issuing a SOC2 report would realize significant efficiencies when adding the GDPR requirements to their existing SOC2 report in order to issue a SOC2 + GDPR report.

ISO27001 certification – Although relevant in many fundamental ways, an ISO27001 certification provides less assurance than an attestation report, as the scope, period for testing and requirements for independent verification are less stringent. Also, an ISO27001 certification would not be sufficient to cover all areas of GDPR. Being certified should provide some efficiencies in producing either an ISAE3000 GDPR or SOC2 + GDPR report. A company issuing a SOC2 + GDPR report should, though, realize significant efficiencies in applying their SOC2 + GDPR control testing to their ISO27001 certification process, as the majority of the ISO27001 controls would have been tested according to a more stringent standard in the SOC2 + GDPR assurance process.

Do independent attestation reports like the GDPR Assurance reports provide a higher level of assurance than other methods of confirming internal control effectiveness (e.g. self-assessment, internal audit reports, audits by stakeholders)?

The work performed to issue an ISAE3000 or SOC2 attestation report is required to be performed by an independent auditor, subject to strict independence rules to ensure that the issuer of the attestation is providing a completely independent evaluation of the company. Self-assessments and internal audit reports are issued by the company itself, are not considered independent, and may not be acceptable to the receivers of the reports as sufficient evidence.

The scope of independent attestation audits is generally set to meet the needs of many customers, making them often quite wide in scope. The methodology requirements for the testing necessary to confirm operating effectiveness of controls are among the strictest available to the auditing industry. Audits performed through self-assessment, internal audits or audits performed by stakeholders may not be subject to the same strict requirements. A very focused and carefully scoped review performed by the internal auditors or a stakeholder may provide more specific assurance, but that is dependent on the maturity of the internal audit function or the stakeholder’s audit team, and the results are only useful for the one stakeholder.

Other certification processes, like obtaining an ISO27001 certification, allow for more freedom in the scoping of test procedures. ISO certifications allow confirmation of compliance on a 3-year cycle, while TPA attestation standards generally cover a one-year period with full confirmation of the operational effectiveness of all controls each year.

It is our opinion that independent attestation engagements provide the highest possible level of assurance in regards to the design, implementation and operating effectiveness of internal controls. Having said this, these attestation reports are sometimes scoped such that they are relevant to a limited number of customers, locations or services, and the user of the attestation reports should always carefully evaluate the scoping in order to determine whether the report covers all aspects of the services provided to them.


Given the relative similarities between the standards available for reporting (ISAE3000 or SOC2), what should I consider when choosing the type of standard for my GDPR Assurance project?

There are a lot of things to consider when choosing a reporting option. For example:

Addressing customer/user needs – Mature organizations with well-functioning governance and control programs in place will require sufficient insight into the maturity level of their business partners in regards to GDPR compliance. This generally translates into a desire to ‘see the work’ of the business partner. The SOC2 report provides a high level of descriptive detail in regards to the system in place to address GDPR (and other areas specific to the in-scope Trust Criteria) and the control routines in place to address GDPR. If the organizations receiving the reports are not mature in respect to internal control, or have not specifically asked for a high level of detail, an ISAE3000-based report may be an option. Companies in the process of choosing new business partners or service providers may prefer a SOC2 report over an ISAE3000 report due to its higher degree of coverage and transparency.

Ability to decrease the number of individual audits that your organization undergoes – The scope of the ISAE3000 assurance report is limited to GDPR-related requirements. The SOC2 + GDPR assurance report covers at least the SOC2 Common Criteria and Security Trust Principle. In our experience, the extra cost of issuing this type of report can result in the ability to easily ‘generate’ other reports, like an ISAE3402 report covering information security and other areas of IT-based internal control, with a greatly reduced effort compared with issuing these reports alone. The scope of work for the SOC2 portion of the audit can easily be mapped to an ISO27001-based ISAE3402 report, and the testing performed to confirm the operational effectiveness of the controls can be ‘reused’ in the issuance of the ISAE3402, given that it is the same audit provider issuing the reports. The more coverage you provide in the report, the fewer questions your business partners will have.

The effort to develop a SOC2 report is greater than for an ISAE3000 report – Given the increased coverage and scope of the SOC2 assessment, combined with the much shorter reporting format of the ISAE3000 report, a SOC2 + GDPR attestation report takes more effort to produce. The extra effort should be weighed against:

• External requirements for reporting (e.g., contractual – if a customer wants it, you may have no choice)
• Already existing reporting – if you have an ISAE3402 or SOC2 report already, then it may be possible to gain efficiency by combining the reporting efforts to avoid duplication of control testing
• Future sales opportunities – prospective customers may look for a SOC2 report regardless of GDPR compliance reporting

Distribution of attestation reports – The intended audience of the GDPR Assurance report may not also be the intended receiver of all of the other information included in a SOC2 report. This may require separating the GDPR attestation from the SOC2 report into an ISAE3000-type report.


Contact persons

Kevin McCloskey, Director
CISA, CIA, CRMA
Third Party Assurance Services
Email: [email protected]
Phone: +47 913 68 848

Kevin is responsible for Deloitte Third Party Assurance (TPA) services in Norway and has almost 30 years of experience working with TPA advisory and reporting, IT audit, internal audit, risk management, data analysis, information security advisory and IT-based internal control in general.

He has had responsibility for the production of multiple TPA reports in the USA under the original SAS70 regime and has delivered many ISAE3402 and ISAE3000 assignments in Norway. He is also responsible for the delivery of multiple SOC2 assignments in Norway and for the provision of attestation services related to GDPR compliance.

He is a frequent author of articles on TPA, as well as a subject matter expert on TPA and GDPR assurance with responsibility for presenting these topics to both internal and external audiences. Kevin was an instructor in IT audit at the Norwegian School of Economics and Business Administration (NHH) for several years.

Bjørn Jonassen, Partner
Cyber Risk Services
GDPR Lead
Email: [email protected]
Phone: +47 992 27 420

Bjørn is a privacy & cyber risk expert and program manager with more than 20 years’ experience in privacy, risk and IT consulting. He is a Partner in Deloitte Cyber Risk Services in Norway and has a background from both the financial and IT sectors.

He has supported numerous clients in assessing and addressing privacy & GDPR compliance. Bjørn is proficient in local and EU privacy regulations in addition to several cyber risk and information security frameworks. He is certified as CISSP, CISM, ISO 27001 Lead Implementer & Auditor, and within ITIL.


Deloitte AS and Deloitte Advokatfirma AS are the Norwegian affiliates of Deloitte NWE LLP, a member firm of Deloitte Touche Tohmatsu Limited (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.no for a more detailed description of DTTL and its member firms.

Deloitte Norway conducts business through two legally separate and independent limited liability companies; Deloitte AS, providing audit, consulting, financial advisory and risk management services, and Deloitte Advokatfirma AS, providing tax and legal services.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

© 2018 Deloitte AS