Assessment of the data, privacy, and compliance governance

1. Prof. Hernan Huwyler, MBA CPA
Nov 16th 2020
Boards of Directors and GDPR
Dialogues on privacy obligations

2. Assessment of the
data, privacy, and
compliance
governance

3. GDPR enforcement
Amount of GDPR fines per type of breach all time
Type Cases Fines € Av. Fine
Insufficient legal basis for data processing 162 164,300,342 1,014,200
Insufficient technical and organizational measures to ensure
information security
84 62,761,627 747,162
Non-compliance with general data processing principles 70 17,613,465 251,621
Insufficient fulfilment of data subjects rights 45 9,563,725 212,527
Insufficient fulfilment of information obligations 21 576,105 27,434
Insufficient fulfilment of data breach notification obligations 9 220,725 24,525
Insufficient cooperation with supervisory authority 20 147,779 7,389
Lack of appointment of data protection officer 4 136,000 34,000
Insufficient data processing agreement 2 14,380 7,190
Insufficient fulfilment of data breach obligations 1 286 286

4. Worldwide data breaches
Phishing
Use of stolen creds
Misdelivery
Misconfiguration
Password dumper
Trojan
Ransomware
RAM scrapper
2015 2016 2017 2018 2019 2020

5. GDPR enforcement
Amount of fines per year
2019 2020
0
10,000,000
20,000,000
30,000,000
40,000,000
50,000,000
60,000,000
Germany Italy France UK Austria Sweden Spain Others

6. GDPR enforcement
Amount of fines per country
Spain 139
Romania 41
Hungary 32
Italy 32
Germany 25
Bulgaria 20
Belgium 16
Poland 12
Cyprus 11
Greece 11
Norway 11
Others 68

7. Boards of directors
Members should act as diligent
owners of GDPR requirements to
avoid negligence liabilities and
shareholder claims

8. Boards of directors
Members should acquire GDPR and
cybersecurity skills to demostrate
ownership

9. Boards of directors
Set the tone for privacy
Lead by the example in data security
Monitor the adoption of GDPR
program and data security policy
Allocate resources incl. DPO designation

10. Recommendations to
monitor of the GDPR
program from the
Board

11. Recommendations
to monitor of the GDPR
program from the Board

12. Ask for a transparent gap
analysis for GDPR
compliance (benchmarked a/ ISO 27701)
engaging dialog between
Legal, IT, Information Security,
Compliance and Risk

13. Challenge the responsibility
and accountability roles for
updated policies, procedures
and contracts regarding
privacy compliance and data
security

14. Monitor compliance via
reports with internal and
assurance providers data

15. How to assess the strength
of the GDPR program
• Data-driven risk assessments for
compliance requirements, data
security and external data
processors
• Audited KPIs with targets
• Non-compliance in certifications
and client audits

16. Test your privacy leadership team
A doer approach
Not a journalist approach for paper compliance
Skills in risk, legal and data security
Not a legal-only background
Simplify privacy controls
Not a legalese writer
Target to sell compliance
Not a necessary evil

17. Tips
Challenge the business justification
for privacy software and
consultans

18. Tips
Ask for updates in related
procedures such as data
classification, retention and
acceptable use of IT assets

19. Tips
Lead by the example in protecting
your documentation and the board
by limiting access and retention

20. Tips
Ask internal and external
auditors and certified to cover
privacy in their plans in the
legal and cyber dimensions

21. Tips
Ask for a solid due diligence
and ongoing due diligence
processes on data processors
with risk communications and
exit plans

22. Tips
Resume audits for data processors
Identify new software used for
work from home > VPN, cloud
services, shadow IT
Update data inventory

23. Reporting request
for indicators on
subject access
requests and data
impact assessments

24. Strategy
Governance
RiskCompliance
Skills
Tone
Board and
GDPR

25. Board or delegated committee
Frequency
Informative or for decisions
Assurance with 3 lines
Escalations and centralization

26. Reports to the board
KPIs
• ROPA Data inventory > Updates, DPIAs
• Subject access requests > Time, nr
• Consents > nr
• Training > By seniority/functions, tests
• Risk remediation plans > Delays, tests
• Audits to data processors > Findings
• Audits from clients > Delays

27. Reports to the board
Analysis
• Completed activities in privacy program
• Data driven risk assessments
• Data security and compliance incidents and
near-misses
• Audit issues benchmarked against
international standards

28. Common areas of
improvement in a
data breach
protocol

29. Common improvements
Create, update, train and dry run
a strong breach recovery plan
Encrypt data and devices
Monitor, log and stop data
transfers and downloads

30. Common improvements
Update and patch software incl.
drivers
Enforce strong passwords and 2-
factor authentications

31. Common improvements
Coordinate bi-annual user
certifications
Educate employees and
subcontractors on social
engineering

32. Common improvements
Segments networks and
application to limit data access
(virtual switches)
Audit the preparedness plans

33. Common improvements
Identify external
providers for forensics
and legal advise

34. As the number of data breaches is
increasing, boards of directors will
be held personally responsible for
due diligence in GDPR

35. @hewyler
/hernanwyler
mydailyexecutive.blogspot.com