gdpr - Blog - Global Risk Community (feed updated 2024-03-29T05:50:08Z) https://globalriskcommunity.com/profiles/blogs/feed/tag/gdpr
#RISK London 2022 - Managing a Privacy Program Across Multiple Jurisdictions
https://globalriskcommunity.com/profiles/blogs/risk-london-2022-managing-a-privacy-program-across-multiple-juris
Published 2022-10-14T11:31:07.000Z by Nick Rich (https://globalriskcommunity.com/members/NickRich)
<div><p style="font-weight:400;">Data privacy regulations and practices serve a critical purpose in today’s tech-centric, digitally focused and hyperconnected world.</p><p style="font-weight:400;">Outlining strict rules on the collection, processing, storage and sharing of sensitive data, privacy laws exist to ensure personal information isn’t used in an unfair, irritating, malicious or potentially harmful manner.</p><p style="font-weight:400;">To achieve this, they stipulate that an organisation can only use data for the purposes for which individuals have given consent – otherwise it must be deleted or removed from storage systems.</p><p style="font-weight:400;">For businesses today, adhering to these privacy laws is business critical. Indeed, it is becoming increasingly clear that consumers demand ethical and proper data management practices.</p><p style="font-weight:400;">According to a recent survey from <a href="https://advisory.kpmg.us/articles/2021/bridging-the-trust-chasm.html?utm_source=vanity&amp;utm_medium=referral&amp;mid=m-00005652&amp;utm_campaign=c-00107353&amp;cid=c-00107353">KPMG</a>, 86% of consumers revealed they are becoming increasingly concerned about data privacy, while 78% expressed fears about the amount of data being collected. 
Equally, four in 10 stated they do not trust companies to use their personal data in an ethical manner.</p><p style="font-weight:400;">Further, the financial penalties for failing to comply with privacy regulations can deal a hugely damaging blow to any business, the $5 billion non-compliance penalty issued to Facebook in 2019 being a prime example.</p><p style="font-weight:400;">The expectations of consumers and governments surrounding the ways in which organisations manage data are growing, and meeting these obligations and fulfilling those expectations is not optional.</p><p style="font-weight:400;">With compliance critical to retaining consumer confidence and avoiding hefty fines, it must be made a priority. However, adhering to data privacy laws is becoming an increasingly complex task.</p><p style="font-weight:400;"><strong>Geographical disparity brings complexity</strong></p><p style="font-weight:400;">There are many basic data privacy principles which organisations will typically need to consider and meet. 
These include:</p><ul><li>Informed consent: Organisations must obtain affirmative, explicit consumer consent to collect, use and share their data.</li><li>Data minimisation and retention: Develop operational plans designed to minimise the risks associated with the data that is held.</li><li>Purpose limitation: Consider the purpose of data to ensure that it isn’t collected and stored unnecessarily.</li><li>Data subject requests: Produce, correct, and potentially delete all data associated with an individual upon request.</li><li>Data protection obligations: Secure data, and inform individuals and regulators should it be compromised in a data breach.</li><li>Vendor management: Data shared with a third party must be protected under the provisions of the applicable regulations.</li></ul><p style="font-weight:400;">However, complexity arises when organisations have to meet varied privacy laws across multiple jurisdictions, where the actual responsibilities and requirements can differ significantly.</p><p style="font-weight:400;">The most far-reaching and renowned data privacy laws currently in place are the EU’s General Data Protection Regulation (GDPR), the US’s California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). Yet today almost all major economies have comprehensive data protection laws that apply with extraterritorial effect, and those that don’t will have one soon.</p><p style="font-weight:400;">Equally, within individual countries, organisations often face a complex mix of sectoral privacy laws. In the US, for example, more and more states are passing their own privacy laws, leaving entities with a patchwork of state and sectoral requirements to meet.</p><p style="font-weight:400;">So, how can organisations achieve best practice for managing an effective and efficient privacy programme across multiple jurisdictions? 
Thankfully, despite these challenges, there are several fundamentals that will make privacy programmes more adaptable and responsive to differing and changing privacy requirements.</p><p style="font-weight:400;"><strong>Three steps to embracing a privacy-first culture</strong></p><p style="font-weight:400;">Taking a centralised approach to data management is an effective, efficient, and scalable way of ensuring your organisation meets privacy laws.</p><p style="font-weight:400;">By making data privacy and protection a priority, it becomes woven into the DNA of the organisation, ensuring that all parties are aligned with clear policies when collecting, processing, using and/or managing data.</p><p style="font-weight:400;">Of course, this isn’t a quick switch. Embracing a holistic data management and privacy strategy can often entail significant cultural change backed by meticulous planning and interdepartmental cooperation. Yet there are three key steps to follow in adopting this strategy.</p><p style="font-weight:400;"><strong>1) Start with a data inventory</strong><br />To align with privacy rules, entities first must gain a comprehensive understanding of exactly where data is kept, what it consists of and how it is being used. Building this understanding requires a data inventory – a neatly organised central platform containing accurate and detailed information on all of your organisation’s data. An inventory plays a vital role in identifying data that isn’t being used, is sensitive, or is subject to regulatory or policy controls. It also reveals how risky an organisation’s storage practices are. 
To both build and maintain a data inventory without placing a massive strain on resources, automated technologies can be used, helping you to find, identify and classify personal information as well as assess data compliance and calculate risk across the entire data landscape quickly, accurately and securely.</p><p style="font-weight:400;"><strong>2) Only keep the data you need</strong> <br />Organisations should equally only keep the data they need. If it’s duplicative, outdated, doesn’t serve a specific and explicit purpose, and isn’t linked to a lawful purpose, it shouldn’t be processed. To understand the value (or lack of value) of data, key documentation principles need to be adopted. Outlining key parameters will allow the business to determine what is relevant or excessive, which can then be applied to each element of personal data and each proposed use.</p><p style="font-weight:400;"><strong>3) Work with trusted partners</strong><br />A key challenge stems from the fact that organisations are responsible for what their third-party vendors do with personal data. Data shared with a third party must be protected under the provisions of the applicable regulations, so entities must perform due diligence and audits on all partner vendors so that they are not held accountable for data breaches or regulatory violations. Indeed, it is vital to work with trusted partners – if you wouldn’t trust them with your personal data, why would you trust them with your customers’ data?</p><p style="font-weight:400;"><strong>The first mover advantage</strong></p><p style="font-weight:400;">Evolving and expanding privacy regulations across various jurisdictions can make compliance a daunting task. Yet with the right changes and appropriate policies, data privacy programmes can become streamlined and scalable to meet changing regulatory requirements.</p><p style="font-weight:400;">Embracing these need not be a burden. 
By remaining ahead of the curve, organisations will be able to break down organisational silos and use data to innovate, collaborate and unleash creativity more effectively.</p><p style="font-weight:400;">Indeed, to ensure compliance in the future, it is critical that firms get their houses in order today.</p><p style="font-weight:400;"><a href="https://www.grcworldforums.com/risk/risk-2022/london/attend-risk">Register here to attend #RISK 2022</a>, of which the Global Risk Community is a partner, and gain entry to the speaker session <strong>Managing a Privacy Program Across Multiple Jurisdictions</strong> at <strong>13:40-14:25</strong> on <strong>17th November</strong> within <a href="https://www.grcworldforums.com/risk/risk-2022">#RISK</a>’s <a href="https://www.grcworldforums.com/risk/risk-2022/london/agenda">Data Protection &amp; Privacy Hub</a>.</p></div>
Webinar | 7 Ways to Build a Future Proof Data Privacy Program
https://globalriskcommunity.com/profiles/blogs/webinar-7-ways-to-build-a-future-proof-data-privacy-program
Published 2021-03-18T08:10:00.000Z by GlobalRiskCommunity (https://globalriskcommunity.com/members/GlobalRiskCommunity)
<div><center>
<table border="0" width="650">
<tbody>
<tr>
<td><a href="http://www.navexglobal.com"><img src="http://trust.navexglobal.com/rs/852-MYR-807/images/ng-logo_186x50.png" alt="Learn valuable strategies to keep your company ahead of data privacy trends like GDPR and CCPA" width="186" border="0" /></a></td>
</tr>
<tr>
<td>
<table border="0" width="600" align="center">
<tbody>
<tr>
<td>
<div id="body_copy">
<p><a href="https://www.navexglobal.com/en-us/campaigns/data-privacy-2021-why-your-organization-could-still-be-at-risk?utm_source=grc&utm_medium=syndication&utm_campaign=data-privacy-2021-why-your-organization-could-still-be-at-risk" target="_blank">7 Ways to Build a Future Proof Data Privacy Program</a></p>
<p>Last week Virginia was the second state, after California, to pass comprehensive data privacy legislation. This marks yet another step towards increasing data privacy regulations - a trend that started with GDPR and CCPA and is only expected to accelerate.</p>
<p>Are you confident in your organization's ability to manage a complex data privacy policy?</p>
<p><a href="https://www.navexglobal.com/en-us/campaigns/data-privacy-2021-why-your-organization-could-still-be-at-risk?utm_source=grc&utm_medium=syndication&utm_campaign=data-privacy-2021-why-your-organization-could-still-be-at-risk" target="_blank">Join Jay Cline who leads Privacy for the US for PwC</a> and Sam Abadir from NAVEX Global to learn how companies can gain a competitive advantage by effectively navigating the changing landscape of data privacy.</p>
<p>Join this webinar to learn:</p>
<ul>
<li>How upcoming privacy regulations will reach all aspects of your organization</li>
<li>If your organization is prepared for upcoming privacy regulations</li>
<li>How to build a future-proofed data privacy program</li>
</ul>
<!--start of button row-->
<table border="0" cellspacing="0" cellpadding="0" align="center">
<tbody>
<tr>
<td valign="middle" bgcolor="#F57E20"><a href="https://www.navexglobal.com/en-us/campaigns/data-privacy-2021-why-your-organization-could-still-be-at-risk?utm_source=grc&utm_medium=syndication&utm_campaign=data-privacy-2021-why-your-organization-could-still-be-at-risk" target="_blank">REGISTER NOW</a></td>
</tr>
</tbody>
</table>
</div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td><hr /></td>
</tr>
<tr>
<td>
<table border="0" width="625" align="center">
<tbody>
<tr>
<td>
<table border="0" width="100%">
<tbody>
<tr>
<td valign="top" width="20%">
<div>Americas:</div>
</td>
<td>
<div>5500 Meadows Road, Suite 500, Lake Oswego, OR 97035 <br /> +1 (866) 297 0224</div>
</td>
</tr>
<tr>
<td colspan="2" align="center"><hr /></td>
</tr>
<tr>
<td valign="top">
<div>EMEA +<br /> APAC:</div>
</td>
<td>
<div>Vantage London - 4th Floor, Great West Road, Brentford, TW8 9AG, United Kingdom <br /> +44 (0) 20 8939 1650</div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</center>
</div>
Interview with Steven Minsky, founder and CEO at LogicManager about Data Privacy and GDPR
https://globalriskcommunity.com/profiles/blogs/interview-with-steven-minsky-founder-and-ceo-at-logicmanager-abou
Published 2021-02-05T10:45:00.000Z by Boris Agranovich (https://globalriskcommunity.com/members/BorisAgranovich)
<div><p><span style="font-size:12pt;"><strong>This is a transcription of our interview with Steven Minsky. You can watch the original video interview <a href="https://globalriskcommunity.com/video/interview-with-steven-minsky-logicmanager" target="_blank">here</a> or listen to the podcast episode <a href="https://globalriskcommunity.libsyn.com/steven-minsky" target="_blank">here</a>.</strong></span></p>
<p><span style="font-size:12pt;"><strong>Boris:</strong> Welcome to our interview with Steven Minsky. Steven is the CEO and founder of LogicManager, a powerful risk management software with a comprehensive solution that supplies organizations with focused and improved risk management processes.</span><br /> <br /> <span style="font-size:12pt;"> Steven, thank you for your time and for coming to our interview today.</span><br /> <br /> <span style="font-size:12pt;"> <strong>Steven:</strong> Thank you so much, it is a pleasure to be here today with you on <strong>Privacy Day</strong>.</span><br /> <br /> <span style="font-size:12pt;"> <strong>Boris:</strong> Exactly, today is Privacy Day and we have a very interesting interview in front of us. I must say that you have been a prolific blogger and contributed to a lot of blogs including Global Risk Community. I always wanted to connect with you and now is a good time to have a comprehensive interview.</span><br /> <br /> <span style="font-size:12pt;"> <strong>Steven</strong>: It's been a pleasure. I've been blogging on risk management since 2005. So it's been a long time.</span><br /> <br /> <span style="font-size:12pt;"> <strong>Boris:</strong> Apart from your blogging, you were able to create a very dynamic company. Can you perhaps tell us a short story about who you are and what you guys at LogicManager have been up to these days?</span><br /> <br /> <span style="font-size:12pt;"> <strong>Steven:</strong> Excellent. So LogicManager is the first risk management software built by practitioners for practitioners. We focused on a risk-based view for helping all governance areas. Of course privacy being the topic of today, but everything within IT and IT governance of security as well as audit, business continuity, compliance, vendor management, the list goes on and on, taking all of them and putting them on a common platform with a risk-based point of view. 
This all rolls up to the world we live in, which is the see-through economy.</span><br /> <br /> <span style="font-size:12pt;"> And that's something that basically, since the advent of the mobile phone, the smartphone, there is a recording and pictures of everything that you do. And of course with other technology the data is transferred around the world with social media, and the risks have never been higher in a very rapidly changing society. And really this is what risk management is all about in COVID days and what our role is in helping organizations.</span><br /> <br /> <span style="font-size:12pt;"> <strong>Boris:</strong> Fantastic. Today we will do a deep dive into data privacy and how regulations like GDPR changed the game for businesses. Steven, you often speak about a see-through economy. Could you perhaps walk us through what it means for us and how it is applicable to business?</span><br /> <br /> <span style="font-size:12pt;"> <strong>Steven:</strong> Sure. It's easiest to understand that in terms of how things were just 10 years ago compared to today. 10 years ago, you could have a press release and if there was a stumble or a scandal in some way, a company or an organization could put their viewpoint out and dominate the news cycle with their view on whatever happened. Now with the see-through economy, every consumer can weigh in with their opinion of what happened.</span><br /> <br /> <span style="font-size:12pt;"> And now the company press release is only one of millions of voices on the internet and it gets drowned out nearly completely. The truth comes out within days instead of within years, and therefore so does the accountability for anything that comes out. There have been really three big findings in the last 15 years that we've proven. </span></p>
<p><span style="font-size:12pt;"><strong>Number one, all scandals are known by the organization at which they occur at least four to six months before the scandal becomes known externally.</strong><strong><br /> </strong></span><br /> <span style="font-size:12pt;"> That has been 100% of the cases. Therefore, since it's known, and it's usually known by several people within the organization, that makes it preventable. And in 2010, they actually changed the legislation for fraud and negligence to have the same penalty. <strong>So if it was known by your employees and you didn't do something about it, that's negligence; if you knew about it and you purposely didn't do anything about it, it's fraud, but the penalty is the same</strong>.</span><br /> <br /> <span style="font-size:12pt;"> So leaders of organizations need to ask whether they want to be in the news for negligence or fraud. And the answer is neither, since if it's a hundred percent knowable it's a hundred percent preventable. And that's really what the see-through economy is all about, as the world has demanded that these scandals come to an end.</span></p>
<p><span style="font-size:12pt;">From a privacy standpoint, just think about the massive changes we've had even in the last several months, new legislation that companies have to show who they are.</span><br /> <br /> <span style="font-size:12pt;"> You can't have blind companies anymore, and the GDPR has moved to its next level. Just in November of this last year, taking the personal privacy of GDPR and extending it to the data that organizations have. And these are some massive privacy changes happening.</span></p>
<p><span style="font-size:12pt;"><strong>Boris:</strong> Let's dive into the data privacy topic. What are the biggest challenges organizations are facing when it comes to data privacy, and how do companies need to proactively address any issues or gaps in their compliance related to this issue?</span><br /> <br /> <span style="font-size:12pt;"> <strong>Steven:</strong> So you can think about it a little bit like the problems of, say, data security 15 maybe 20 years ago. If you have security too tight, then you can’t function, and if you have your security too loose, then you have breaches and things of that nature.</span></p>
<p><span style="font-size:12pt;">So privacy is that kind of challenge. Unless you have a flexible way to manage privacy, if you go too far without this risk-based approach, you can actually hurt your consumers, your audience and the stakeholders that you have a mission to serve. And of course going in the other direction and being too loose would also hurt those stakeholders.</span></p>
<p><span style="font-size:12pt;"><strong>So I think the key to privacy is how do you put in the flexible systems that allow you to do business and serve your constituency, but still be respectful and give them control of their information, which they deserve.</strong><strong><br /> </strong></span><br /> <span style="font-size:12pt;"> <strong>Boris:</strong> We are currently in the midst of a major crisis, I think the most important disruptive period in our society in peacetime history, and the pandemic is having serious implications for businesses across the globe as they adapt to the new normal of operation. So can you perhaps elaborate more on this topic, because there are many security and privacy issues involved with the work from home situation? What tips do you have for risk managers to help them stay the course during this pandemic crisis?</span><br /> <br /> <span style="font-size:12pt;"> <strong>Steven:</strong> I think the first thing to realize is that in terms of crisis, bad actors will take advantage of that void. So whether it be privacy or security or vendor management, they're looking for the easiest way into your organization's data, and that on the flip side. So, needing to divide this and say, you can't just let privacy be a backburner topic just because there's a pandemic going on.</span><br /> <br /> <span style="font-size:12pt;"> People expect organizations to be able to walk and chew gum at the same time; they expect them to treat privacy as an inalienable right. And you should be able to do your mission and protect your privacy at the same time. It’s not one or the other, it's both. And I think that's an important lesson for risk managers.</span></p>
<p><span style="font-size:12pt;">Third one, I think, is carving privacy out on one hand to be able to focus on it, but integrating it in terms of all that you do. Marketing is involved, which is not a traditional risk management stakeholder, but they're very much involved from a privacy standpoint, and so are all the other areas of your organization.</span></p>
<p><span style="font-size:12pt;">So understanding that GDPR and privacy is not a single siloed problem. This is something that has to happen on the enterprise level and has to happen at the activity level. Again, the message to risk managers: it's not one or the other, enterprise or the activity level. It's both.</span></p>
<p><span style="font-size:12pt;">So I think those are probably the top three strategic take-aways, and they maybe sound very simple, but if you remember any other massive change, like in financial reporting or compliance or technology, in practice just rolling out these three alone is a significant challenge.</span></p>
<p><span style="font-size:12pt;"><strong>Boris:</strong> It makes me sometimes very nervous when people and brands know about me or my company. So for example, they know the appliances I use in my house, the software that I installed, websites that I've visited. They can even read emails that I am sending. It's like there is no privacy anymore. So where do you think data privacy as a whole is headed? And what are the other trends in this area, and what should we expect from you guys in the future?</span><br /> <br /> <span style="font-size:12pt;"> <strong>Steven:</strong> So I think that you've brought up a very important perception versus reality. So first of all, again, <strong>I think the starting point is that privacy is an inalienable right. This is not optional, and companies and all organizations, governmental, non-governmental, private, public, all organizations need to protect the rights of the individuals that they serve and the information that they collect on them.</strong></span><br /> <br /> <span style="font-size:12pt;"> I think when you start from this position, from a positive standpoint, that glass is half full. And you say, like when you visit a doctor, you need help and you give your doctor private information. That's okay. You're just expecting the doctor to do the right thing with it. If that information is going to be used for medical research, you consent to have medical research done and have this data available for medical research, and it is kept private and it's anonymized.</span><br /> <br /> <span style="font-size:12pt;"> So it's not about preventing things, it's about enabling things in a responsible way. And I think it's really that kind of a mind shift. 
Of course we have some very bad business models in the marketplace, notably Facebook and things of this nature, where instead of making the business model around the customer, they are giving the services free to the customer and then selling the data off on the other side.</span><br /> <br /> <span style="font-size:12pt;"> This is really what has been, I think, the worst precedent that has been established. Because it needs to be: let the people pay for the services and then let them opt into their data being sold. And there will be lots of those; if it's done in a responsible manner, they would be happy to have the data sharing. You share certain information willingly with responsible parties all the time. As long as it's dealt with, as long as the game rules are established and expectations are set and then those game rules are followed, I think pretty much everybody is okay.</span></p>
<p><span style="font-size:12pt;">Most people are okay with sharing as long as they are asked and they're involved and they're respected. And I think at a very high level, these are the principles, but then you need to bring it down to the operating level and say, <strong>how can I forget somebody in my organization? How do I identify where that data is? How do I identify what game rules I'm playing, what sport, if you will, I am playing, and how do I respect those rules? How do I have internal controls on those rules? How do I have auditing on those rules internally and so forth and so on?</strong></span></p>
<p><span style="font-size:12pt;">And because good people sometimes make mistakes, how do you make a response? And what should the response be? Much like you have fire drills and you have all kinds of fire protection. You can’t eliminate fire, but you can respect fire and you can plan for fires so that it heats your house, cooks your food, but doesn't burn it down. And I think privacy is very similar. You can have a safe relationship with people, with individual and organizational data, and have it not burn your house down and have it do great things for your organization and for your constituencies.</span><br /> <br /> <span style="font-size:12pt;"> <strong>Boris:</strong> Fantastic. I would like to hear your personal opinion: what is a commonly held belief as it relates to data privacy that you strongly disagree with?</span></p>
<p><span style="font-size:12pt;"><strong>Steven:</strong> I think that Europe is far ahead of the United States in this area, which is where I agree. My personal view is that Europe has got it right with GDPR, that Europe has put a lot of thought into not just GDPR but into the larger sense of privacy, and the world has been following, Asia Pacific and the rest of the world.</span><br /> <br /> <span style="font-size:12pt;"> And very slowly in the United States as well, with legislation in California and in New York that is starting to take notice and follow those protocols; a lot more work to be done. Going to the other side of it, the most egregious part, which I personally feel is unacceptable, is for organizations to feel as though they have a right to your data and that you don't. This is very similar to the lawlessness on the street, to say that people don't have rights to life and liberty.</span><br /> <br /> <span style="font-size:12pt;"> These are some of the things that we've worked through in the last centuries, that people have a right to live and a right to be healthy. They have a right to privacy. And I think this is the core: if you don't have people on the same page with this recognition of this fundamental right, it's very hard to have a conversation on being a good steward of that information. So it really has to start with a tone from the top in the organization. And it needs to go through and permeate all aspects of the organization, with the appropriate controls and the appropriate processes and procedures.</span><br /> <br /> <span style="font-size:12pt;"> And it's not so difficult to do, it really starts with one thing. Do you recognize the right that people have and organizations have to their data and to their privacy, and then work from there? It is all manageable, the technologies are there, the processes are there. This is not a technology problem, this is a policy problem.</span></p>
<p><span style="font-size:12pt;"><strong>Boris:</strong> For someone who is listening to this interview and wants to take action, what do you recommend as a starting point?</span><br /> <br /> <span style="font-size:12pt;"> <strong>Steven:</strong> I think that there are two ways to look at this. And that's a really excellent question that you've just asked. <strong>I always look at it from a risk-based point of view. </strong>One could look at it and say, there's so much to be done, this is so broad, it will take me 10 years. And that's if, for all privacy issues, you're going to do them all at once and treat them equally. No activity is ever done that way.</span><br /> <br /> <span style="font-size:12pt;"> So we need to take a risk-based approach and look at where my highest risks are. And it starts with a risk assessment to say, where are my greatest and most egregious vulnerabilities from a privacy standpoint? Let's identify them and rank order them, and start with number one, for example, and look at it from a risk-reward trade-off. I think in Europe, which is very important, class action lawsuits have never been a precedent before; now they have started.</span><br /> <br /> <span style="font-size:12pt;"> And when you look at the new lawsuits, particularly with Marriott and several others, British Airways and so on, the penalties were much lower than what people had expected. So the population felt that they have fallen short, and the government perhaps is falling short. The private legal community is stepping in and class action lawsuits are now showing up, and now the injured parties, which are in the hundreds of millions for these kinds of breaches and data negligence and privacy negligence, they're being rectified in the courts.</span></p>
<p><span style="font-size:12pt;"><strong>So I think this is an enormous new risk for organizations that never knew that there could be a class action lawsuit on privacy, and those class action lawsuits on privacy are working themselves through the courts.</strong></span><br /> <br /> <span style="font-size:12pt;"> And this is going to change the dynamic. And I think in a good way. I mean, it's difficult to hear what I just said as a good thing, but you have to say, change is painful, change is difficult. And this is showing in our risk registers. This issue is coming up to the top and the population in the organizations are expressing their demand. So if it were not important, there wouldn't be a class action lawsuit. So the fact that there is one is evidence that this is an important issue.</span><br /> <br /> <span style="font-size:12pt;"> So I think that's really, when you look at both your risk on privacy and your liability on privacy, and you start working down your risk list, it will be a much more manageable task. <strong>And by the way, I just want to throw in there, when you do this risk-based approach, you eliminate 95% of your penalties just by doing what I just talked about, because you're no longer negligent. Remember, being negligent means you say it's overwhelming and you don't do anything and you have no demonstrated plan on how to address something bad. </strong></span></p>
<p><span style="font-size:12pt;">Things do happen to good people. And that's taken into consideration in the courts and in these kinds of actions. And if you're putting together a risk assessment and you're showing material steps being taken, and some scandal or a bad thing were to happen, your penalties would be reduced in the 90% range, because you would be eliminating negligence just by putting your plan together and starting to put material action and responsibilities around it.</span><br /> <br /> <span style="font-size:12pt;"> So that's probably the number one recommendation to risk managers that you can't see: although it's easy to fall into a trap that it's overwhelming, we need to take those action plans to take negligence off the table as soon as possible.</span><br /> <br /> <span style="font-size:12pt;"> <strong>Boris:</strong> Fantastic. These were all of my questions. Is there something that I forgot to ask you and you would like to add?</span></p>
<p><span style="font-size:12pt;"><strong>Steven:</strong> I think the most important thing is also another piece of advice. I'm a practitioner of risk, I've always taken a helping-people kind of view. So what I would say to the risk management community is it takes a village to get this thing done, and we need to take the fear out of it. We need to talk to our stakeholders around the organization. We need to talk to our risk committees. We need to talk to our fellow peers and the executive suite. We need to talk to people throughout the organization. We need to let them know that we invite them to participate in our risk management plans.</span><br /> <br /> <span style="font-size:12pt;"> And in this way, like I said, all scandals, and I mean all, there hasn't been a single one where the scandal wasn't known, the vulnerability wasn't known with certainty six months in advance by the organization, typically by the front line of the organization. Since they already know, if you don't know about it as a manager or as a leader in your organization, you're already negligent. So taking that very first step to engage them in the process takes negligence off the table, takes the fear out, and actually protects you in a sense, not just legally, but also your reputation, because your employees are going to say, okay, we understand that this is a problem, we've known about this, I'm so glad my organization is doing something about it.</span></p>
<p><span style="font-size:12pt;">The other way is that you get afraid. You think that nobody knows, and you try to hide it. And that is just, in this day and age, as we talked about with the see-through economy, there's no hiding in the see-through economy. So we need to change our mindsets and say, it's already known. So let's take that first step and engage with our employees, engage with our customers, engage with our stakeholders and let them know we want to do better. We are doing better, here's our plan.</span></p>
<p><span style="font-size:12pt;">That will take the stigma out of it. That will take the fear out of it and that will put you on your path to health. So that, I think, is all. I would love to leave people with that positive thinking instead of fear thinking, because that's just not a healthy view. We've got a lot going on in the world right now. And privacy can be a contributor, by the way. COVID has a lot of privacy information about it. If we can have privacy as we do with COVID, why does it have to be either/or? We will be able to help crowdsource, if you will, medical information from the community.</span><br /> <br /> <span style="font-size:12pt;"> That's what the new laws that were proposed on November 25th in Europe, with the next level of GDPR, are about. Let's just do this medical research in a responsible way. It's necessary, but it doesn't have to be at a sacrifice of privacy. We can solve the world's problems and have privacy at the same time.</span><br /> <br /> <span style="font-size:12pt;"> <strong>Boris:</strong> All right. Thank you, Steven, for your very thoughtful interview, and I wish you and your company success and growth in the coming years. And I hope to see you again on our show.</span><br /> <br /> <span style="font-size:12pt;"> <strong>Steven:</strong> I'm a big fan. Thank you as well, happy Privacy Day, and it has been a great honor to participate as always with the Global Risk Community.</span></p>
</div>

What’s the Best Way to Stay Compliant with GDPR? | https://globalriskcommunity.com/profiles/blogs/what-s-the-best-way-to-stay-compliant-with-gdpr | 2018-10-03T17:00:00.000Z | Steven Minsky | https://globalriskcommunity.com/members/StevenMinsky

<div><p>We’d like to congratulate the 25% of US-based companies that achieved GDPR compliance by the May 25<sup>th</sup> deadline, and to share a little guidance on how to stay compliant over time.</p><p>As we all know, the GDPR is a huge deal. In addition to the scope of this new regulation, there are also the consequences of non-compliance, i.e. up to €20 million or 4% of annual global revenue, whichever is higher.</p><p>Aside from incurring steep fines and lofty litigation, the risk of non-compliance also includes losing your customer base and investors to the competition, should a data breach hit your organization.</p><p>Every time you make an account online or even just make a one-time purchase, you’re putting a little bit of your well-being into the hands of an organization. If your data falls into the wrong hands, the impact can be huge, from money being drained from your accounts, to not being able to get that loan you need. The consequence of failing to comply with the GDPR, or any privacy regulation of the like, is so much more than a lawsuit or a hefty fine; it’s losing the trust, loyalty, and business of current and future customers.</p><p>So again, if you’ve already met <span><a href="https://www.logicmanager.com/erm-software/plugins/gdpr-compliance/?utm_source=GlobalRisk&utm_medium=referral&utm_campaign=Referral%20Traffic">GDPR compliance</a></span>, congratulations!
You’re paving the way to a better tomorrow!</p><p>But now that you’ve done everything you can to get your policies and procedures up to snuff and have declared compliance, what’s next? How do you maintain compliance over time? Your company will inevitably change, more data will flow in, and the processes that worked for X employees and customers won’t work for Y.</p><p>In my experience, professionals of all types who worked hard to achieve GDPR compliance are still anxious, not only about maintaining compliance over time, but about whether they actually achieved it in the first place, whether their compliance status would stand up to scrutiny, and what report they would pull to prove it.</p><p>I’ll take you through some steps you can take to maintain and prove GDPR compliance.</p><h2><strong>An Integrated Approach is the Best Way to Stay Compliant with GDPR</strong></h2><p>A critical mistake companies make when deciding how to tackle GDPR is looking at it like an IT-only or Compliance-only endeavor. Yes, data sounds like it belongs to IT, and yes, it’s a regulation so Compliance should be involved. But realistically, data of all types runs through every single department across the organization. Therefore, the best way to comply with the GDPR is to integrate every department into the compliance process.</p><p>Let’s think more about why an <span><a href="https://www.logicmanager.com/erm-software/product/risk-based-process/?utm_source=GlobalRisk&utm_medium=referral&utm_campaign=Referral%20Traffic">integrated approach</a></span> is best. Most basically, the GDPR is a monstrously huge regulation, so breaking it down into small, actionable parts is in everyone’s best interest. Such a large task should never fall on one person or department.</p><p>Second, more heads are always better than one. How is one person supposed to know every single type of data being collected, who collects it, where it’s stored, how it’s protected, etc.? They just can’t.
It takes a host of subject matter experts and process owners to get the answers to all these questions.</p><p>Third, sharing information across silos within <span><a href="https://www.logicmanager.com/erm-software/product/?utm_source=GlobalRisk&utm_medium=referral&utm_campaign=Referral%20Traffic">one centralized platform</a></span> drastically cuts down on the amount of time spent on achieving compliance. Different departments often share similar risks, so instead of taking the time to design two different controls or policies, you can kill two birds with one stone and design a centralized control. Of course, without communicating across silos, you never would have known to do that!</p><p>Lastly, every department really does hold a piece of the puzzle when it comes to data privacy. For instance, IT knows where data is stored, but they don’t necessarily know what kind of data it is. Rather, Sales might know that it’s the name, title, and company of potential customers, while Finance knows that it’s the billing information of current customers. You get the picture.</p><p>Taking an integrated approach is the best way to comply with the GDPR because it drastically reduces the headache, time, and effort it takes to achieve compliance.</p><h2><strong>The Best Way to Comply with GDPR</strong></h2><p>Last but not least, here are the steps that constitute the best way to maintain and prove compliance with the GDPR:</p><ol><li><span><a href="https://www.logicmanager.com/erm-software/product/assess/?utm_source=GlobalRisk&utm_medium=referral&utm_campaign=Referral%20Traffic">Identify and assess the data you collect</a></span> – Build out uniform risk assessments with standardized evaluation criteria to identify the kinds of data you collect, who’s collecting it, and how it flows through the company. In the same assessments, evaluate the criticality of the data.
Administer risk assessments across departments and levels to get a full and accurate picture of the data your company collects.</li><li><span><a href="https://www.logicmanager.com/erm-software/product/risk-taxonomy/?utm_source=GlobalRisk&utm_medium=referral&utm_campaign=Referral%20Traffic">Perform a Readiness Analysis</a></span> – Start compiling and looking into all of the data policies across the company. What parts of the GDPR do they cover? Have they proven to be effective? Are there any parts of the regulation you’re having trouble tying a policy to? This step, in combination with step 1, will help you prioritize how to tackle compliance.</li><li><span><a href="https://www.logicmanager.com/erm-software/product/mitigate/?utm_source=GlobalRisk&utm_medium=referral&utm_campaign=Referral%20Traffic">Fill in the Gaps</a></span> – Once you’ve set a list of priorities and can home in on exactly which areas of the GDPR you need to address next, you can start designing and implementing new controls. Maybe you need a way to notify affected parties of a breach within 72 hours, or you need to create a workflow for when someone requests their data be destroyed. Whatever your controls are, make sure they’re operational across departments.</li><li><span><a href="https://www.logicmanager.com/erm-software/product/dashboard-reports/?utm_source=GlobalRisk&utm_medium=referral&utm_campaign=Referral%20Traffic">Set Up a Flexible Reporting Structure</a></span> – The best way to prove compliance to your board or regulators is to have a multitude of reports you can easily generate. 
You might consider a centralized <span><a href="https://www.logicmanager.com/erm-software/plugins/gdpr-compliance/?utm_source=GlobalRisk&utm_medium=referral&utm_campaign=Referral%20Traffic">risk management software</a></span> that can house, pull, and analyze data, which could save you countless hours of hunting down information needed to prove compliance.</li><li><span><a href="https://www.logicmanager.com/erm-software/product/risk-based-process/?utm_source=GlobalRisk&utm_medium=referral&utm_campaign=Referral%20Traffic">Repeat</a></span> – Make this an iterative process. Even if the GDPR doesn’t change for a few years, your company will. Processes that worked for 200 people won’t necessarily work for 400. Set up regularly recurring testing and monitoring activities to check in on your GDPR-related policies and pull reports on whether they’re working for the company.</li></ol><p>These steps are the best way to keep up with GDPR compliance and defend your compliance status. An integrated approach will save you time and eliminate oversights that occur from a siloed approach. Once you’ve successfully applied these steps to <span><a href="https://www.logicmanager.com/erm-software/plugins/gdpr-compliance/?utm_source=GlobalRisk&utm_medium=referral&utm_campaign=Referral%20Traffic">GDPR compliance</a></span>, try them out on other governance areas in your business.
I think you’ll find them helpful in a variety of scenarios as you pave the way towards a better tomorrow for your customers.</p><p><em>This article was originally posted on <a href="https://www.logicmanager.com/erm-software/2018/10/03/stay-compliant-gdpr/?utm_source=GlobalRisk&utm_medium=referral&utm_campaign=Referral%20Traffic" target="_blank">LogicManager.com</a></em></p></div>

GDPR Readiness: How Do You Stack Up? | https://globalriskcommunity.com/profiles/blogs/gdpr-readiness-how-do-you-stack-up | 2018-08-16T14:51:59.000Z | Steven Minsky | https://globalriskcommunity.com/members/StevenMinsky

<div><p><span style="font-weight:400;">The GDPR is the strictest set of data protection rules any nation has published, featuring some of the most severe penalties connected to data privacy seen yet. Now that the compliance deadline has passed, we started to wonder about GDPR readiness.
How are companies stacking up to the new regulation?</span></p><p><span style="font-weight:400;">We compiled a host of GDPR statistics to answer that exact question, alongside some quick facts about what this new regulation is asking of international companies.</span> <a href="https://www.pwc.com/us/en/press-releases/2017/pwc-gdpr-compliance-press-release.html"><span style="font-weight:400;">92% of US-based multi-national companies</span></a> <span style="font-weight:400;">view</span> <a href="https://www.logicmanager.com/erm-software/plugins/gdpr-compliance/?utm_source=GlobalRisk&utm_medium=Referral&utm_campaign=Referral%20Traffic">GDPR compliance</a> <span style="font-weight:400;">as their top security priority for the next year, but only 30% of companies will be compliant within a year of the May 25th deadline.</span></p><p><span style="font-weight:400;"><a href="https://www.logicmanager.com/erm-software/2018/08/16/gdpr-readiness-statistics/?utm_source=GlobalRisk&utm_medium=Referral&utm_campaign=Referral%20Traffic" target="_blank">Check out our infographic</a> on GDPR statistics to see how your organization’s GDPR readiness stacks up.</span></p><p><span>Companies are, quite understandably, anxious to ensure that they do not fall out of compliance with new data privacy laws. That’s why you see some companies willing to spend as much as $10 million on GDPR readiness.</span></p><p><span>We believe companies should be spending far less. The truth is, there is no new work involved in achieving compliance. At some level, somewhere within the business, organizations know what data they’re collecting and what they’re using it for – which is a huge part of complying with the GDPR.
It’s just a matter of finding this information out, and ensuring corresponding policies, controls, and monitoring activities are in place.</span></p><p><a href="https://www.logicmanager.com/erm-software/product/risk-based-process/?utm_source=GlobalRisk&utm_medium=Referral&utm_campaign=Referral%20Traffic">Enterprise risk management</a><span> is built on a foundation of organization-wide risk assessments. When you administer risk assessments to employees on the front lines, you might be surprised by the wealth of information they have to offer about the company’s data practices. Remember, IT can’t know everything; oftentimes, the information you need lies with Finance or Sales.</span></p><p><span>After you’ve collected information about your organization’s data practices and how they stack up to GDPR readiness, you can start building and improving your data privacy systems. ERM can assist you with many of the GDPR’s requirements; it’s just a matter of </span><a href="https://www.logicmanager.com/erm-software/2017/08/24/how-to-achieve-gdpr-cybersecurity-compliance-with-erm-software/?utm_source=GlobalRisk&utm_medium=Referral&utm_campaign=Referral%20Traffic">choosing the right ERM software.</a></p><p><span>When choosing software, use this checklist to decide whether it’s a good investment for GDPR readiness:</span></p><ul><li><b>Audit:</b> Software can help you gain a clear understanding of where all of your data resides and bring this together into a single view</li><li><b>Capture:</b> Platform can help standardize your consent forms and capture the ensuing data in a compliant fashion</li><li><b>Process:</b> Framework can ensure sensitive information is properly encrypted</li><li><b>Monitor:</b> Dashboards can assist with monitoring your progress and set up automated alerts so you can act quickly if there are issues</li><li><b>Customize:</b> Software can be customized and configured to meet your company’s unique needs</li></ul><p><span>With enough research, you’re sure to find an ERM platform that checks off all of these boxes and empowers you to achieve </span><a href="https://www.logicmanager.com/erm-software/plugins/gdpr-compliance/?utm_source=GlobalRisk&utm_medium=Referral&utm_campaign=Referral%20Traffic">GDPR compliance</a><span> without spending $10 million!</span></p><p><em>Find the infographic on <a href="https://www.logicmanager.com/erm-software/2018/08/16/gdpr-readiness-statistics/?utm_source=GlobalRisk&utm_medium=Referral&utm_campaign=Referral%20Traffic" target="_blank">LogicManager.com!</a></em></p></div>

Why Cybersecurity Risk Is a Top Priority: Facts and Figures | https://globalriskcommunity.com/profiles/blogs/why-cybersecurity-risk-is-a-top-priority-facts-and-figures | 2018-05-25T14:58:52.000Z | Steven Minsky | https://globalriskcommunity.com/members/StevenMinsky

<div><p>Chief risk officers and heads of operational risk responded to a survey held by <a href="https://www.risk.net/risk-management/5424761/top-10-operational-risks-for-2018">Risk.net</a> and identified their top risk concerns. Their number one concern was IT disruption, while their second highest concern was data compromise. Why is cybersecurity risk on everyone’s mind?</p><p>For one thing, technology is an inescapable reality of every business. Even the smallest of mom and pop shops have an electronic system to make credit card transactions, while larger corporations rely on immense data centers to safeguard thousands to millions of personal records.
As technology continues to permeate throughout the business world, cybersecurity risk will start to creep to the top of the list.</p><p>But what are the risks associated with cybersecurity and what impact do they have on the average business?</p><p>There are of course cybersecurity risks like system downtime, human error, and other business continuity concerns that can cause a costly domino effect on other parts of the business. There is also the risk of regulatory non-compliance which can result in lofty financial damages. But what about the less tangible effects of IT disruption and data compromise, such as reputational damage? </p><p>According to a study by PwC, 60% of consumers hold the companies who collect their data wholly responsible for its protection. 87% of consumers say they will take their business elsewhere if they don’t believe a company is handling their data responsibly. These statistics show that the public’s expectation for data protection is extremely high. Therefore, there is a large potential for reputational fallout.</p><p>Advances in technology have not only increased cybersecurity risks, but have connected consumers, investors, and regulators – the three constituents that stand to greatly impact a business. Consumers have leveraged social media and fast-paced news outlets to make their expectations clear. Investors can now be immediate witnesses to consumer outrage when expectations are not met, which in turn affects their investment behavior. 
Regulators and lawmakers, while not as quick to react to scandal, are also on the watch and are ready to ramp up any means necessary to protect their citizens’ rights.</p><p><a href="https://www.logicmanager.com/erm-software/2018/05/21/why-cybersecurity-risk-is-top-priority-stats/?utm_source=GlobalRisk&utm_medium=Referral&utm_campaign=Referral%20Traffic" target="_blank">Check out our infographic on LogicManager.com</a> for more facts and figures about how cybersecurity impacts businesses and their reputations.</p><p>Although the facts and figures surrounding cybersecurity risk are daunting, there is good news. We believe 100% of cyber attacks are entirely preventable with an effective <a href="https://www.logicmanager.com/grc-software/cybersecurity-risk-management/?utm_source=GlobalRisk&utm_medium=Referral&utm_campaign=Referral%20Traffic">cybersecurity risk management program</a> and infrastructure.</p><p>Here are some steps your company can take to get ahead of cybersecurity risk:</p><ol><li>Ensure off-site backups are up to date</li></ol><p>Backing up data with off-site servers is widely considered a best practice. Every organization and industry must determine the optimal frequency and scope of data backups, which depends on the type of information being handled.</p><p>Studies have shown that anywhere from 10-15% of critical organizational data – scheduled for backups – is not actually backed up due to preventable, operational errors. Without backup verification, ransomware attacks can have an enormous impact on business continuity.</p><ol start="2"><li>Implement Windows patches and virus scan software updates as they’re released</li></ol><p>Employees around the world are using computers that simply need to be updated. Your security team likely assesses and approves patches and updates on a regular basis. However, are implementations regularly verified? As many as 30% of patches fail to deploy.
Without governance (in this case, regular reviews of actual patch deployment), you might have an inaccurate understanding of which vulnerabilities are covered.</p><ol start="3"><li>Manage passwords and access rights</li></ol><p>Most organizations have internal password policies, but not an efficient way to operationalize them. Automated governance tasks – such as monitoring the percentage of employees complying with access rights policies – are essential to staying ahead of cybersecurity risk.</p><p>Without regular monitoring, the evolution of employee roles and organizational structure can lead to unnecessarily high risk exposure. The technology to accomplish this step exists at almost every organization. Usually, the missing component is effective governance in the form of recurring risk assessments and control monitoring.</p><p>Taking these simple steps will put your company at a huge advantage. It’s often the case that hackers aren’t trying to spend inordinate amounts of time and energy to break into a secure system; they’re looking for the lowest-hanging fruit. When it comes to cybersecurity, you don’t have to outrun the bear.</p><p>While cybersecurity is and will continue to be top of mind for companies and consumers alike, risk managers should take comfort in the fact that there is a solution.
Better yet, the solution doesn’t entail huge investments in technology; rather, all it requires is good governance and a proactive mindset.</p><p><em>This article was originally posted on <a href="https://www.logicmanager.com/erm-software/2018/05/21/why-cybersecurity-risk-is-top-priority-stats/?utm_source=GlobalRisk&utm_medium=Referral&utm_campaign=Referral%20Traffic">LogicManager.com</a></em></p></div>

Are You and Your Vendors Ready for GDPR? | https://globalriskcommunity.com/profiles/blogs/are-you-and-your-vendors-ready-for-gdpr | 2018-04-27T20:50:31.000Z | Michael Jones | https://globalriskcommunity.com/members/MichaelJones

<div><p class="p1"><em>Don’t assume you’re immune from this European regulation with huge fines</em></p><p>All may be relatively quiet on the regulatory front in the U.S., but this May new privacy regulations are taking effect in the European Union, which will likely impact even the most provincial U.S. financial institutions.<br /><br />The E.U.’s General Data Protection Regulation (GDPR), approved in April 2016, is much broader than the U.S.’s most well-known privacy regulations, the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). GDPR will be implemented on May 25, 2018. It protects any information that links to an individual, including names, email addresses, IP addresses, photos and social networking sites, in addition to what Americans consider sensitive customer data. Breaches must be disclosed within 72 hours.<br /><br />The bad news for U.S. institutions is that GDPR doesn’t just apply to E.U. members. It also applies to organizations outside the E.U.
that offer goods or services or monitor the behavior of EU data subjects. Simply put, it applies to all companies processing and holding the personal data of subjects residing in the E.U. regardless of the company’s location. This includes both the controller of the data, which is responsible for storage, use and disclosure policies and procedures, and the processor, which houses the data for the controller.<br /><br />The worse news is that fines are huge: up to four percent of gross revenues for the most egregious violations, including insufficient customer consent to process, and two percent of gross revenues for violations like not having records in order or failing to promptly notify customers and authorities of a breach.<br /><br />Don’t think this includes you? Think again. These strict privacy regulations can apply to financial institutions in the United States.<br /><br /><strong>Customers, Clients &amp; Members</strong><br /><br />You may not do business overseas directly, but your customers might.</p><ul><li><strong>Clients or members with dual citizenship.</strong> If you have a client or member with dual citizenship, you can fall under this regulation.</li><li><strong>Clients or members with customers in the E.U.</strong> If one of your clients or members has a website that sells products and ships them overseas, you may have E.U. individuals interacting with your institution.</li></ul><p><strong>Vendors</strong><br /><br />From global and internet banking to peer-to-peer payment and bill pay, your vendors may be conducting business operations or transactions with individuals in the E.U. If your vendor gets fined under the regulations, the financial damage could have a major impact on its ability to operate.
It could also implicate your institution because you are responsible for the actions of your vendors taken in your name.<br /><br />Make sure your vendors are ready and limit liability with four key questions:</p><ol><li><strong>Are consent forms updated?</strong> If a vendor conducts an overseas payment transaction for a U.S. business leveraging your financial institution, you need to ensure consent forms are updated and ready.</li><li><strong>Does the vendor have a data protection officer?</strong> This is required by GDPR for large scale processors and monitors of data.</li><li><strong>Does the vendor’s process for notification of breaches comply with GDPR?</strong> Notification of authorities and customers must occur within 72 hours, a big change for institutions operating in one of the many U.S. states with notification requirements that have much longer timeframes.</li><li><strong>Are agreements with vendors updated pursuant to GDPR?</strong> Make sure your vendor agreement includes provisions that address GDPR and any other new regulation that comes along.</li></ol><p class="p1">Taking the time to ask these questions can save you from potentially larger issues. Don’t assume GDPR doesn’t impact you.</p></div>

GDPR Webinar: Your Company May Be Ready…But What About Your Vendors? | https://globalriskcommunity.com/profiles/blogs/gdpr-webinar-your-company-may-be-ready-but-what-about-your | 2018-04-11T16:00:00.000Z | Rosalind Morville | https://globalriskcommunity.com/members/RosalindMorville

<div><p>With the General Data Protection Regulation, the EU is taking privacy very seriously. They expect the same from you – and your third parties.
How are you preparing your Vendor Risk Management program to handle these sweeping changes?</p><p>Join ProcessUnity for <a href="http://info.processunity.com/gdpr-and-third-party-risk-management.html?Source=Social%20Media&Code=GLORC180411&Product=VRM" target="_blank">a 45-minute webcast on Wednesday, April 18, 2018 at 11:00 AM EDT</a> and see how forward-thinking organizations are incorporating GDPR best practices into Third-Party Risk processes. Our team of experts will:</p><ul><li>Outline GDPR requirements as they pertain to your vendors</li><li>Discuss the adjustments organizations are making to their programs</li><li>Provide instruction for assessing third parties specifically for GDPR</li><li>Demonstrate how automation streamlines the process while minimizing GDPR risks</li></ul><p>Done right, GDPR compliance doesn’t need to be a separate workstream. <a href="http://info.processunity.com/gdpr-and-third-party-risk-management.html?Source=Social%20Media&Code=GLORC180411&Product=VRM" target="_blank">Register for the webinar</a> and learn how to incorporate GDPR into your existing Vendor Risk program.</p></div>

GDPR and Your Third-Party Vendors: Did you also know that you are responsible? | https://globalriskcommunity.com/profiles/blogs/gdpr-and-your-third-party-vendors-did-you-also-know-you-that-you | 2018-01-22T20:00:00.000Z | Rosalind Morville | https://globalriskcommunity.com/members/RosalindMorville

<div><p>As you likely know, GDPR (the EU’s new General Data Protection Regulation) takes effect in May 2018. Are you ready?
If your organization stores or processes EU citizen or resident personal information – any information that can be used to directly or indirectly identify someone – you need to know about GDPR.</p><p><strong>But did you also know that you are responsible for the personal data managed by your third-party vendors?</strong> Enterprises are responsible for the EU personal data managed by their own third parties, and can be subject to penalties for their vendors’ violations.</p><p>How can you quickly prepare for GDPR and ensure that your third parties are doing the same? ProcessUnity's guide, <em>The EU and the New General Data Protection Regulation (GDPR)</em>, outlines three simple steps to becoming compliant with GDPR – internally and throughout your vendor network.</p><p>Download <span><a href="http://info.processunity.com/GDPR-Third-Party-Risk-Management.html?Source=SocialMedia&Code=GLORC180122&Product=VRM" target="_blank">The EU and the New General Data Protection Regulation (GDPR)</a></span> to learn:</p><ul><li>Exactly what the EU considers as Personally Identifiable Information (PII)</li><li>How your organization could be impacted financially by this regulation</li><li>Your responsibility for GDPR compliance – for both your organization and your third parties</li><li>Three simple steps your organization can take to facilitate compliance</li></ul><p><span><a href="http://info.processunity.com/GDPR-Third-Party-Risk-Management.html?Source=SocialMedia&Code=GLORC180122&Product=VRM" target="_blank">Read: The EU and the New General Data Protection Regulation (GDPR)</a></span></p></div>

GDPR is coming. Are you ready? | https://globalriskcommunity.com/profiles/blogs/gdpr-is-coming-are-you-ready | 2017-12-03T20:30:00.000Z | Douglas Nagan | https://globalriskcommunity.com/members/DouglasNagan

<div><p>On May 25, 2018 the General Data Protection Regulation (GDPR) becomes enforceable.
Although it was created in the European Union (EU), it applies to the personal information of all individuals within the EU as well as all personal data exported outside of the EU.</p><p>This means that if you use the web to sell to individuals in the EU, you are responsible for the personal information they submit and are therefore covered by the regulation; if you process similar data, you are likewise covered.</p><p>Why should you care? Because this regulation has teeth: its sanctions escalate from initial written warnings to fines of up to €20,000,000 or up to 4% of the annual worldwide turnover of the preceding financial year.</p><p>To comply, you need to understand and implement concepts such as the ‘Lawful Basis for Processing’, the Data Protection Officer, Pseudonymisation, the Right to erasure and many, many others.</p><p>Many organizations in the EU have been working for two years to get themselves compliant with all aspects of GDPR. Have you done the same? If so, I congratulate you and support your efforts to be ready in May.</p><p>If you are not well down the road to GDPR compliance, not sure what GDPR means to your organization, or just want to learn more about GDPR, consider taking our GDPR course, ‘<a href="https://globalriskacademy.com/p/gdpr/" target="_blank">GDPR Essentials for Risk Managers</a>’, available in January 2018. It is a three-part course, with a quiz, that will provide information on the basic concepts embedded in GDPR.</p><p>Hope you can make it.
By that I mean both the May deadline and the course.</p></div>How to Achieve GDPR Cybersecurity Compliance with ERM Softwarehttps://globalriskcommunity.com/profiles/blogs/how-to-achieve-gdpr-cybersecurity-compliance-with-erm-software2017-08-24T14:00:00.000Z2017-08-24T14:00:00.000ZSteven Minskyhttps://globalriskcommunity.com/members/StevenMinsky<div><p><a href="{{#staticFileLink}}8028260475,original{{/staticFileLink}}"><img width="300" src="{{#staticFileLink}}8028260475,original{{/staticFileLink}}" class="align-right" alt="8028260475?profile=original" /></a>In less than 10 months, the General Data Protection Regulation (GDPR), the most important change in data privacy in 20 years, will take effect on May 25, 2018. The <a href="http://www.eugdpr.org/">GDPR</a> is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and standardize personal data protection.</p><p>The new regulation will replace the current data protection directive of 1995, and is truly democratizing data privacy. Its objectives are to give European citizens control over their personal data and to simplify the regulatory environment for international business.</p><p>The business impact is serious: Unlike previous privacy legislation in Europe or elsewhere, the GDPR authorizes regulators to levy severe fines in amounts exceeding 20 million euros or four percent of annual global revenue, whichever is higher. And unlike the protection directive it’s replacing, the GDPR applies to all companies in all countries that handle data collected from residents of Europe.</p><p>The GDPR is the most stringent and comprehensive data privacy regulation to date, and there is no marginalizing the amount of time and effort it will take companies to properly comply.
A <a href="http://www.experian.com/data-breach/2017-data-protection-risks-regulations.html">survey by Experian</a> found that only 9% of companies say they are prepared for the regulation, while 32% said their organization doesn’t have any plan in place, despite knowing the financial consequences of non-compliance.</p><p><a href="http://www.logicmanager.com/grc-software/compliance-management/">Integrated risk and compliance management software</a> is often the best solution to successfully meet such broad regulations, as it enables you to scope, prioritize, track, and report on the critical information that is scattered throughout your organization. To properly protect your data, you need to put in place a common <a href="http://www.logicmanager.com/erm-software/product/risk-taxonomy/">risk taxonomy</a> so that you can understand how this disparate information is connected. Below you’ll find some essential questions every company should ask itself as it progresses towards compliance.</p><h2><strong>1. What data is your organization collecting?</strong></h2><p>The <a href="https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-1-data-security-and-breach-notification/" target="_blank">GDPR</a> separates responsibilities and duties of data controllers and processors, obligating controllers to engage only those processors that provide “sufficient guarantees to implement appropriate technical and organizational measures” to meet the GDPR’s requirements and protect data subjects’ rights.</p><p>Many companies will find it difficult to even begin engaging the right processors to meet compliance because they are unaware of what personally identifiable information is being collected and who’s involved in that process.</p><p>The first step to reaching compliance is to determine the answers to those questions. Can your risk management software help you answer them with ease?
Effective risk management software should lend you a transparent view into which areas of the business are responsible for collecting different types of data.</p><p>Once you’ve obtained this view, it’s important to have conversations with those in charge of handling the data. These conversations should pertain to what the data is being used for, how it is being collected, and whether its collection is necessary or not. (After all, you can’t be held liable for losing data you never had.)</p><p>Your software should be facilitating these conversations. Effective compliance software should be able to send automated notifications and tasks that will ultimately help you answer any questions you have about data collection, maintain good governance over the collection process, and determine the priority of the data your organization is collecting.</p><p>One feature of the GDPR is “Right to Access,” which stipulates that companies must be able to provide electronic copies of private records to any individual requesting what personal data of theirs is stored and for what purpose. This is very different from the United States, where employees and other individuals do not have a legal claim to validate their information.</p><p>A key benefit of <a href="http://www.logicmanager.com/erm-software/product/dashboard-reports/">ERM software</a> is that information about the data is housed in one centralized location, meaning that when a report needs to be generated, senior management will know which personnel are responsible for the data in question and who should be sent a task to compile this report.
This requires robust permission access on an individual-record basis, as the challenge is to give individuals access only to the information they are entitled to while preventing disclosure to others.</p><p>ERM software with taxonomy technology allows permissions to be highly granular based on identity and need-to-know parameters to protect privacy while providing transparency to stored information.</p><h2><strong>2. How is the organization securing this data?</strong></h2><p>The <a href="https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-1-data-security-and-breach-notification/">GDPR</a> requires that data be processed in a way that ensures an appropriate level of security, including “protection against unlawful processing, accidental loss, and destruction of data.”</p><p>The problem most companies will face on the way to ensuring this level of security is that they are unaware of who has access to sensitive data. With cyber risk abounding and data breaches dominating headlines, your customers’ data privacy is paramount.</p><p>One important question to ask your software provider is how they manage third-party vendors. Third-party relationships are often responsible for handling sensitive sets of data. It is often the case that the organization has policies in place that stipulate how data should be secured. However, it’s one thing to have a policy in place, and another to ensure it is implemented.</p><p>Ultimately, your software should assist you in governing these policies by assigning accountability to these vendors.
Robust platforms can task personnel with conducting tests and checks for each policy, which will let senior management know that security measures are both in place and operational.</p><p>The regulation also demonstrates a shift in data protection towards “Privacy by Design,” meaning that data protection measures must be designed into the development of business processes.</p><p>ERM software is your best bet to meet this regulation. Inherently, ERM solutions heavily rely on objective and inclusive <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-assessment-templates/">risk assessments</a> collected across departments. These assessments unify all areas of the business from the front lines to the board, meaning that risk managers can easily share security concerns with IT and front-line process owners for more informed strategic decision making and policy operationalization.</p><h2><strong>3. What response systems are in place if a breach should occur?</strong></h2><p>The GDPR mandates that a breach be reported to the supervisory authority and all potentially affected individuals within 72 hours of occurring.</p><p>A problem companies may encounter when addressing this stipulation is that they do not have a system in place that, one, knows exactly who the affected parties would be, and, two, has the power to alert these parties in such a short amount of time.</p><p>Robust software solutions should be able to <a href="http://www.logicmanager.com/grc-software/incident-management/">send automated notifications</a> to the right people almost immediately after a breach occurs.</p><h2><strong>4. Can the organization prove GDPR compliance?</strong></h2><p>Those that fail to show they are taking steps to comply with the GDPR will face fines and liability for negligence.
The <a href="https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-10-consequences-for-grpr-violations/">GDPR</a> creates two tiers of maximum fines. The higher fine threshold is four percent of an undertaking’s worldwide annual turnover or 20 million euros, whichever is higher. The lower fine threshold is two percent of an undertaking’s worldwide annual turnover or 10 million euros, whichever is higher.</p><p>Let’s say you are taking steps to comply with the GDPR and a breach occurs. Your organization will be able to avoid these fines if it can prove it has taken steps towards compliance by way of thorough reporting and documentation. If you have taken these steps, but cannot prove it, you will be held liable.</p><p>Many organizations find it difficult to prove compliance even when they’re taking the steps to achieve it. This may be because they do not have a system in place to keep track of the multitude of moving parts involved in a large regulation like the GDPR. Or perhaps they are trying to document their progress, but do not have a way of consolidating the documentation.</p><p>Can your risk software provide you with a full compliance readiness checklist?
Ideally, your risk management platform should make it easy to build out a regulation report where each requirement of the GDPR is a line item, to which administrators can answer ‘yes,’ ‘no,’ or ‘N/A.’ This feature not only helps your business keep track of where it is achieving or lacking compliance, but it also assists you in building out comprehensive reports to show auditors and regulators.</p><h2><strong>The Key to Successful GDPR Compliance</strong></h2><p>Rob Coleman, CTO for UK&I at CA Technologies, said, “The key to getting ready in time for most large enterprises will be to create a cross-functional program of work containing representatives from legal, IT, HR and business units – this is not just an IT problem.”</p><p>Cross-functionality in risk management is intrinsic to an enterprise risk management approach. Achieving GDPR compliance can be overwhelming. But when businesses take an ERM approach, they can easily break down the process into segments that different individuals are accountable for. Step by step, as individuals complete their own tasks, these segments will be brought back together into a picture of compliance.</p><p>The GDPR is the biggest change to data privacy regulation in 20 years, it’s just around the corner, and it’s going to take a village.
ERM is the only approach to risk management that <a href="http://www.logicmanager.com/erm-software/product/risk-based-process/">considers the village</a> while on the road to compliance.</p><p><em><strong>Learn how <a href="http://www.logicmanager.com/grc-software/risk-management/">LogicManager’s ERM software</a> can help your business achieve GDPR compliance, and <a href="http://www.logicmanager.com/enterprise-risk-management-software-demo/">request more information</a> on LogicManager’s suite of integrated solutions.</strong></em></p><p><strong>Another option is to join the online Cyber Exposure Management Course Series.</strong></p><p>Here are the options:</p><p><a href="http://globalriskacademy.com/p/cyber-exposure/" target="_blank">Option 1. Understanding Cyber Exposure - For Beginners</a></p><p>Option 2. Advanced Cyber Exposure Management<br />– <a href="http://globalriskacademy.com/p/cyber-exposure2/" target="_blank">Part 1 - Identifying Cyber Exposures</a><br />– <a href="http://globalriskacademy.com/p/cyber-exposure11/" target="_blank">Part 2 – Cyber Exposure Program Management</a></p><p><a href="http://globalriskacademy.com/p/the-definitive-guide-to-cyber-exposure-management" target="_blank">Option 3. A Bundle of all 3 courses - 35% off the original price - ...</a></p><p>(the most cost-effective option)</p></div>