Deloitte Risk Services B.V. Cyber & Privacy Advisory. Deloitte Cyber & Privacy Risk Services Data Breach Management




Index: Cover pages & Index 1-3; Data breach management 4; Challenges and opportunities 6; Contact 7

Data Breach Management

A challenge lies ahead of your organization with the upcoming impactful changes to the Dutch Personal Data Protection Act. Both the introduction of the personal data breach notification obligation and the Dutch Data Protection Authority's ("DDPA") widely extended right to impose fines urgently call for action: correctly interpreting the rules, understanding the required steps and developing the required business processes. Every step is essential. When a data breach nonetheless spins out of control, your crisis management function can help your organization emerge stronger from the event. Altogether, the new regulations create a new stimulus to further embed privacy compliance. It is an opportunity for enhancement, optimization and future-proofing of your organization. When and where will you start?

January 1st, 2016 is a big date in personal data handling in the Netherlands. From that moment onward, data breaches are to be reported to the DDPA and potentially to your clients, your customers, your business relations and your employees as well. At the same time, perhaps just as strikingly, the DDPA will be equipped with an extensive fining authority: up to 810,000. Such fines are not only a financial concern for your organization; they may also evoke negative publicity, since data breaches can also take a toll on your organization's public goodwill. Is your organization prepared to meet these new personal data protection challenges? And are there any opportunities to enhance your organization with the new personal data legislation in sight? First, allow us to provide some insight into the upcoming changes.

The new rules of the game as of January in a nutshell

1. Your organization is obliged to report security or data breaches to the DDPA. Not all breaches, only those that may adversely affect the privacy of the individual concerned (the data subject). Your organization should be equipped to make this assessment. Timing is essential: the DDPA is to be notified of a data breach within two working days after the occurrence.

2. Further, in some cases, a breach should also be reported to the data subject directly. Apart from the need to take effective mitigating measures to contain the breach, this situation also calls for clever and effective communication with your clients, your customers, your business relations and your employees.

3. An even more significant change in the new rulebook is that in 2016 the DDPA can also impose penalties for violations of legal obligations that go beyond the newly introduced data breach notification obligation. Improper processing, insufficient security, poorly managed personal data handling or abuse of sensitive data: these are all violations that can be subject to fines. The maximum fine is currently set at 810,000, but a higher amount may apply in the course of 2016.

4. If your organization offers public electronic communication services, you are already obliged to report data breaches. However, there is a reshuffling of addressees: your organization no longer reports to the Authority for Consumers and Markets ("ACM"), but to the DDPA instead.

DDPA guidelines: key questions (Figure 1)

1. Being prepared for the obligation to report data leaks
   Is the reporting obligation applicable to me?
   What should I arrange for if my organization processes personal data?

2. Report or not?
   Is this a data breach?
   Should I report this data breach to the DDPA?
   Should I report this data leak to the data subject?

3. Report to the DDPA
   How should I report the data breach to the DDPA?
   When should I report the data breach to the DDPA?

4. Report to the data subject
   How should I report the leak to the data subject?
   When should I report the leak to the data subject?

5. After reporting
   Which information do I need to record in my report about the data breach?
   What does the DDPA do with my report?

What are your organization's challenges?

In short: to interpret the new rules, to embed them in your organization's processes, to make a good assessment and to take the necessary actions whenever a data breach occurs. Questions arise such as: "What is a data breach and how should I report it?", "When should I report a breach?" and "Should I report a data breach when the processor is not located in the Netherlands?" First, your organization will need to be aware of the questions that arise from the new rules in order to give the right follow-up. We created a shortlist of key questions that should be considered, based on the framework guidelines published by the DDPA (Figure 1). Another challenge might be to meet the DDPA's requirement of strict monitoring in order to detect data breaches, especially as there is a strict timeline of two working days to decide whether reporting is compulsory. Within these two working days after a data breach occurs, your organization needs to determine whether the breach should be reported only to the DDPA or also to the data subject.

How can we help?

Our multi-disciplinary Privacy Team can help you set up the data governance structures, processes and policies needed to monitor data flows, detect data breaches and manage them in a streamlined and efficient way. If necessary, we can provide short-term First Aid in three steps: Identify, Adapt and Roll Out:

1. Identify the readiness of your internal business processes for reporting data breaches internally and externally;
2. Adapt existing internal processes to the DDPA requirements;
3. Roll out the new approach by providing instructions, training and communication to prepare all stakeholders for the updated processes, and assist in dry runs of your internal data breach notification procedures.

After the new approach has been rolled out, or when your organization has already established some of these processes, we can assist with the follow-up, build a long-term, sustainable and mature foundation for future data handling and make privacy compliance part of your organization's DNA.

And what if a crisis does occur?

Some crises can hardly be avoided. Even with well-designed data governance structures, policies and processes in place to prevent a data breach, the possibility of a data breach turning into a full-blown crisis, especially when mismanaged, should be taken into account. Also note that today's social media can dramatically increase your visibility during these situations, which can lead to significant reputational damage. A random, uncoordinated response to such a crisis will almost certainly exacerbate it. Successful organizations are capable of preparing in advance for those data breaches that get out of hand, responding effectively to crisis situations and recovering successfully in an organized and structured way. Effective crisis management can transform a data breach into a situation that strengthens customer relationships, builds brand value and enhances market perceptions. It shows you are in control, even in bad times.

If you have any questions on how to organize the processes and capabilities needed to prepare for, respond to and recover from a data breach crisis, our Resilience & Crisis Management Team can help.

Why Deloitte?

Our joint teams offer the privacy and resilience services your organization needs. We answer your legal, organizational and technical privacy questions, assist in establishing a data breach management process and crisis management approach, and help your organization emerge stronger from major crisis events.

Contact

Would you like to know more on this subject? Please find our contact details below.

Contact

Mr. Annika Sponselee, Director, Privacy Team
ASponselee@deloitte.nl, +31 (0) 6 10 99 93 02

Theodorus Niemeijer, Director, Resilience & Crisis Management Team
TNiemeijer@deloitte.nl, +31 (0) 6 82 01 93 85


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see www.deloitte.nl/about for a more detailed description of DTTL and its member firms.

Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte's more than 210,000 professionals are committed to becoming the standard of excellence.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the "Deloitte network") is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

2015 Deloitte The Netherlands