1. No category

Can privacy really be protected anymore?

Insights on
governance, risk
and compliance
Can privacy really
be protected
anymore?
Privacy trends 2016
Introduction
Can privacy really be
protected anymore?
Contents
Introduction
1
Privacy demands more rigorous accountability
2
The view today:
Building on the key trends from 2015
3
Moving forward:
10
Actions to help improve accountability in 2016
Conclusion
19
As a concept, privacy, and the need to protect it, has been around for decades. Yet the
programs and governance structures in place to turn the concept of privacy protection
into reality remain, if not in their infancy, then certainly in their adolescence.
In EY’s Global Information Security Survey (GISS) 2015 privacy questionnaire, 38% of
respondents admit that they address security in new business processes and technologies,
but not privacy specifically.1
However, more telling, and perhaps more concerning for organizations and individuals alike
when it comes to managing privacy, is that for nearly half (46%) of survey respondents, their
number one or two concern is not having a clear picture of where personal information is
stored or processed outside of their main systems and servers.2 This is exacerbated by the
fact that for 40% of respondents, their number one or two concern is that there are simply
not enough people to support their privacy program.3
In a world where laws and regulations cannot keep pace with digital change, the question
many are asking is: can privacy really be protected anymore? As the onus of accountability
shifts from regulators to organizations, organizations need to take heed of where they are in
terms of their privacy maturity and what they need to do to make privacy protection a part
of everything in an organization.
EY’s Global Information Security Survey 2015 privacy questionnaire asked 630 privacy professionals what concerned them
most when it comes to how privacy is managed in their organization.
(Rate each of the following concerns from 1 to 5; 1 = most important, 5 = least important)
0%
Lack of tone from the top
There is a disconnect between the corporate program and its
level of implementation in the business units
10%
15%
8%
12%
Insufficient funds to address known gaps
11%
Overreliance on policy and training with limited technical
controls to guide correct behavior
We don’t have a full picture of where our personal information is
stored and processed outside of our main systems and servers
Insufficient people assigned to support our privacy program
Other (please specify)
30%
18%
50%
33%
34%
23%
24%
25%
12%
1
12%
20%
11%
33%
3
19%
11%
20%
9%
14%
16%
42%
2
15%
19%
36%
23%
13%
4
90% 100%
23%
30%
23%
15%
80%
23%
26%
12%
70%
18%
24%
14%
60%
33%
24%
13%
40%
25%
20%
We don’t control what our vendors/suppliers are doing with the
personal information they have access to
We don’t control what employees are doing with the personal
information they have access to
20%
15%
10%
20%
5
1 EY’s Global Information Security Survey 2015 asked approximately 630 privacy professionals for their views on a number of critical privacy issues.
2 Ibid.
3 Ibid.
Can privacy really be protected anymore? — Privacy trends 2016 |
1
Privacy demands more rigorous
accountability
We see an increasing overlap of four areas
that were once viewed as distinctly separate:
financial reporting; cybercrime; national
security; and the use of personal information.
The merging of some of these areas is not
new. Some, such as cybercrime and national
security, have had intersecting points for
some time now. However, during 2016, we
expect these intersections to becomemore
frequent and more pronounced.
As organizations increasingly monitor
employees in an effort to track cyber
threats, for example, they need to be doing
so in a way that balances security with
employee privacy. Similarly, the Securities
and Exchange Commission in the US is
considering requiring organizations to
report on cybercrime or cybersecurity risks
as part of its financial reporting because
of the calamitous financial impact a major
cyber breach can have.
In the context of this mashup, organizations
need to be mindful of the impact these
overlaps have and how they address the
associated privacy risks. Specifically,
organizations should be thinking about
three trends that will improve the level of
privacy accountability that all stakeholders,
from customers and clients to vendors to
governments themselves, expect.
1. Governance
Given the increasing complexity of
the cyber world, organizations can no
longer rely solely on ad hoc privacy
processes to protect personal data.
Rather, they need a robust privacy
program that demonstrates accountability
throughout the privacy life cycle and
effectively interacts with other parts
of the organization that process
personal information.
2. Rigor
Promises are fine, but stakeholders are
also demanding proof of accountability,
adopting the motto “trust, but verify.”
To meet the rigors of verification,
auditors acknowledge that they are
serving as independent verifiers not
only of financial reporting, but also
cybersecurity reporting through Reports
on Controls at a Service Organization
Relevant to Security, Availability,
Processing Integrity, Confidentiality and
Privacy (SOC 2) because of increasing
cybersecurity risks.
3. Trust in service providers
Just as customers are looking to trust
organizations to be accountable for
their privacy, organizations are looking
to trust third-party providers with their
data. Following the financial crisis in
2008, the demand for cloud services
spiked, primarily as an effective means
of cost-cutting — even as organizations
worried about the cybersecurity risks.
Now, organizations are moving to the
cloud because cloud services providers
are seen to have more sophisticated
cybersecurity programs to prevent
advanced attacks than in-house resources
can provide. Moving forward, trust
in third-party providers will become
the critical foundation upon which
organizations build their businesses for
a digital era.
Report from the field: top-level engagement in cybersecurity
Each year, EY conducts its Global
Information Security Survey (GISS) to
ask information security executives
around the world to uncover the key
cybersecurity trends and emerging
issues dominating their focus.
Although our research reveals great
strides in the highest organizational
level taking ownership of information
security, much more needs to be
done. The results of this cybersecurity
survey from 1,755 respondents were
published in our GISS 2015 report
“Creating trust in the digital world.”
As an essential part of the GISS 2015,
we asked 630 participants to answer
questions focused on the privacy issues
facing organizations today: many of the
findings quoted in this report are taken
from both sets of results.
We would like to thank all our clients
who took part and are especially
grateful to those who contributed the
insights provided in this report.
Looking forward, expect these trends in
privacy management to become ever more
critical as the lines among financial
reporting, cybercrime, national security
and use of personal information blur into
a single overriding issue for which
organizations will be accountable.
Dr. Sagi Leizerov
EY Global Privacy Leader
[email protected]
2
The view today
| Can privacy really be protected anymore? — Privacy trends 2016
Creating trust in the digital world:
EY’s Global Information Security Survey 2015
www.ey.com/GISS2015
Digital disruption, governmentmandated organizational accountability for privacy, and the concept of “trust but verify”
The view today
Michelle Dennedy
Vice President and Chief Privacy Officer
Cisco Systems
San Jose, CA, USA
Building on the key trends from 2015
As more aspects of an individual’s life
move online, their propensity to share
personally identifiable information, whether intentionally or inadvertently,
has risen exponentially. The digital age
abounds with opportunities to connect
and grow and expand in every direction.
Yet, as individuals, organizations and
governments explore these opportunities,
someone has to be responsible for
monitoring — and managing — the privacy
risks. Given the speed of change,
regulators and individuals alike are
increasingly looking to organizations to
assume this responsibility. And they are
demanding proof.
Digital disruption, government-mandated
organizational accountability for privacy,
and the concept of “trust but verify” are
the 2015 trends we explore.
4 European Commission, “Progress on EU data protection
reform now irreversible following European Parliament vote,”
12 March 2014, http://europa.eu/rapid/press-release_
MEMO-14-186_en.htm.
5 EY’s Global Information Security Survey 2015 privacy
questionnaire.
4
Digital disruption threatens privacy
Digital technology continues to disrupt
everything and everyone in every industry
around the globe. Social, mobile, big data,
cloud, Internet of Things: all of these
technology advances are fundamentally
altering how companies do business. They
are creating massive opportunities for
companies to develop new products and
services, strengthen relationships with
customers and employees, and expand into
new territories.
Social media enables organizations to interact
directly with customers and employees.
Mobile is becoming the primary channel for
commerce and an indispensable tool for
work. Cloud is increasingly being adopted as
the go-to data storage option for anywhere
anytime access. Big data enables
organizations to understand the individual
preferences of their customers and tailor
their products and services accordingly. And
the Internet of Things makes everything
smarter: refrigerators that can tell
homeowners when their milk is going bad;
thermostats that can automatically adjust
based on peak loads and rates; and smoke
detectors can let you know if there’s a
problem when you’re not at home.
Yet for all the opportunities digital
technologies present, they also come with
an abundance of new and unforeseen risks
and complexity when it comes to dealing
with personal information. Who, for example,
is monitoring — and protecting — all of
the data associated with these “smart”
technologies? Likewise, as individuals and
organizations entrust their data to thirdparty cloud providers, how can they make
sure providers are worthy of that trust?
And what about all that big data that
organizations are collecting to personalize
customer experiences, improve products
and generally learn more about their target
audiences? Who’s making sure that all that
personally identifiable data is both safe and
| Can privacy really be protected anymore? — Privacy trends 2016
scrubbed of anything that may jeopardize
an individual’s privacy? The answers to
some of these questions, according to EY’s
GISS 2015, are less than satisfying.
In this year’s GISS survey, 54% of privacy
questionnaire respondents say that
their organization have no formalized
requirements for using big data while
addressing its privacy obligations. Similarly,
although 46% of respondents plan to
increase their use of social media in the
coming year, 37% have no formalized
requirements to address privacy concerns
related to social media. As for minimizing
personal identification of data, 61% of
respondents say that they either have
no mandate to minimize or de-identify
personal information, or they only do it in
unique circumstances.
Innovation, convenience, customer satisfaction,
profitable growth are all important, but they
cannot come at the expense of personal
privacy. Increasingly, organizations are
compelled to determine not only what
information they collect, but how they collect
it, store it, use it, maintain it, and protect it.
Current privacy regulatory regimes may
not be enough to address privacy issues in
digital ecosystems where data flows across
regions and continents, and where different
players are subject to different laws and
users can access the services anywhere. As
such, regulators and individuals are looking
to organizations to assume the mantle.
“ ‘Privacy by Design’ and ‘Privacy by
Default,’ will become essential principles
in EU data protection rules — this means
that data protection safeguards should
be built into products and services from
the earliest stage of development, and
that privacy-friendly default settings
should be the norm — for example, on
social networks.”
European Commission4
Message from regulators to organizations: take responsibility
In 2010 at the 32nd International
Conference of Data Protection and Privacy
Commission in Jerusalem, Privacy by Design
(PbD) gained international recognition
with the signing of the Privacy by Design
Resolution. Five years later, PbD, which
advocates that all new business processes
and technologies be created with privacy
already embedded into them, has become
the international privacy standard that has
been translated into multiple languages.
Further, both the United Nations, the
European Parliament and the US government
have indicated that PbD is absolutely critical
in maintaining personal privacy.
Yet, despite its international reputation
as the leading privacy standard, only 18%
of the 630 GISS privacy questionnaire
respondents use PbD as part of how they
create new processes and technologies.5
Another 24% plan on including PbD in
the near future. However, a full 38% don’t
specifically address privacy at all.
For organizations all over the world, this
laissez-faire approach to managing privacy
has to change, particularly as regulators
mandate that organizations do so.
In the EU, data protection reform produced
MEMO/13/923 and MEMO/14/60, which
improves data protection rules and puts
citizens back in control of their data.
Specifically, PbD became part of the
fundamental principles in EU data protection
rules that put privacy front and center,
rather than an afterthought.
In October 2014 in Australia, the
Commissioner for Privacy and Data Protection
(CPDP) formally adopted PbD as a core policy
to strengthen information privacy
management in the Victorian public sector.
Privacy in the age of the Internet of Everything
When I think about the Internet of Things, I actually refer to it as the “Internet of
Everything”: 50 billion sensors, devices and information gathering technology that
are becoming increasingly integrated into our world. Within this context, strategically
I see four aspects — four “Es” — of the Internet of Things that have created both a
qualitative and a quantitative shift in how companies think about privacy.
1. Internet of Everything. The Internet of Everything looks at the Internet of Things
as a whole. This includes factory sensors, global positioning systems, wearable
devices (Google Glass, Fitbit, etc.), and “smart” technology that tells you when
it’s time to order food or when it’s time for a medical checkup. Right now, there’s
a huge market out there to build cheap sensors to connect ordinary things to the
internet, and to add content and capacity into traditional telecommunications
type networks to enable that connection.
2. Internet of Everyone. This is where privacy as a notion of the authorized
processing of personalized identifiable information according to fair legal and
moral principles lives. In the process of the Internet of Everything gathering
and transferring information, the Internet of Everyone has to have a say. If
the Internet of Everything and the data associated with it offers a quantitative
distinction, the Internet of Everyone identifies a qualitative difference. We need to
be designing the Internet of Things so that everyone can feel as if they have the
right level of control and management over their data.
3. Internet of Ethics. The Internet of Ethics challenges us to ask what our ethics
are in a world of devices that do not recognize our cultural barriers. Around the
world, cultural norming varies vastly from household to household. We need to
have a really robust, cross-cultural and cross-generational discussion around
the Internet of Ethics that considers all kinds of different perspectives, as well as
the quantitative and qualitative differences when we think about exponential
data flow.
4. Internet of Experience. People like the experiences of being able to communicate
on our smartphones and tablets. However, the Internet of Experience isn’t only
about what the technology can do for us, but also what experience we want to
have, and who gets to control these experiences. As well, we need to consider
whether all of these billions of micro-experiences need to be recorded, tracked
and saved. We need to do a better job of documenting what’s important and
deleting the rest.
For the most part, we tend to see the Internet of Things as technology that gathers
data for the purposes of making our lives easier or more enlightened. But the missing
ingredient within all of this quantitative data is the human element — the qualitative
differences that explain what the data can’t. Ultimately, in the age of the Internet,
the age of the Internet of Things, the most important thing we need to remember is
to be human.
Continued
Can privacy really be protected anymore? — Privacy trends 2016 |
5
The view today
Werner Bednarsch
Head of Group Data Protection
BMW Group
Munich, Germany
In 2012 in the US, a Federal Trade
Commission (FTC) report, Protecting
Consumer Privacy in an Era of Rapid
Change, proposed a framework that made
PbD a core value for business and
policymakers. Then in January 2015 the
FTC issued a staff report that addresses
privacy and security related to the Internet
of Things, and makes recommendations
based on PbD.6
Also in the US in 2015, the White House
released a draft of the proposed Consumer
Privacy Bill of Rights. The bill is intended
to govern the collection and dissemination
of consumer data. It will also require
organizations to disclose data breaches in
a timely manner to mitigate risk of identity
theft. Although the title suggests the bill of
rights is for customers, it has the potential
to help both consumers and businesses.
Proof of privacy programs emphasizes accountability
To date, more than 5,000 entities globally
have certified under the US-EU Safe
Harbor Framework. However, on 6 October
2015, the European Court of Justice (ECJ)
declared the US Safe Harbor agreement
to be invalid because it does not protect
data transferred from the EU to the US
against access by US intelligence agencies.8
Although we have yet to understand the full
impact, we do know that Safe Harbor will
have to change. EU and US authorities are
working on a Safe Harbor 2.0 framework
to meet a January 2016 deadline imposed
by the ECJ. However, it remains a work in
progress. In the meantime, Safe Harbor
cannot be relied on as a certified framework
for transferring data from the EU to the
US in compliance with EU data protection
laws. Organizations using the Safe Harbor
framework will need to review their data
protection policies, contracts, and terms and
conditions as a result of this ruling. They will
also want to consider other mechanisms,
such as BCR, to meet EU requirements.
BCR in EU and CBPR in Asia-Pacific
come of age, while Safe Harbor in the
US faces a setback
In today’s global and increasingly digital
economy, processing and transferring
personal information across borders is a
fundamental part of an organization’s daily
activities. That’s why standard-setters in the
US, EU and Asia-Pacific regions, established
frameworks and guidelines that set the
tone for cross-border privacy protection.
There are three recognized programs for
transferring personal data: the US-EU Safe
Harbor Framework, Binding Corporate
Rules (BCR) and the Asia-Pacific Economic
Cooperation (APEC) Cross-Border Privacy
Rules (CBPR).
EY’s GISS privacy questionnaire asked 630 respondents “when it comes to adopting
BCR as a means of legitimizing those transfers out of the EU, which of the following
statements best describes your organization?” (Select one)
0%
“Companies should build-in privacy
protections at every stage as they
develop their products and services…
Privacy protections are most effective
when they are part of a company’s
fundamental business model and
not overlooked or added later as an
afterthought.” 7
Jessica Rich,
Director, Bureau of Consumer Protection
10%
20%
We don’t transfer personal information
out of the EU countries
50%
60%
17%
We are in the process of, or have already
obtained, BCR approval
It is very likely that we will apply for BCR
but don’t know when
40%
57%
Undecided as to whether to take it or not
BCR is not a path we intend to take
30%
Approximately 60 companies have
successfully applied for approval of their
BCRs — 20 more companies than the
number approved when we reported on
BCR in 2013. Adopted by APEC in 2011,
CBPR has gained traction beyond the
Asia-Pacific, with Mexico joining in 2013,
Japan in 2014 and Canada in 2015. These
certifications push more responsibility
from regulators to companies themselves,
requiring companies to have relatively
mature privacy programs in place, from
having a privacy official, to training, to
maintaining the program.
Until the October 2015 ruling, there was
every indication that all three programs
were reaching or had already reached a
tipping point. Yet, despite their increasing
adoption across the globe, according to
EY’s GISS 2015 privacy questionnaire,
of the 43% of respondents who plan on
transferring personal information out of the
EU, only 10% are in the process of or have
already obtained BCR approval. Similarly,
of the 42% of respondents intending
to transfer personal information out of
regulated APEC countries, only 6% are in
the process of or have already obtained
CBPR approval.
As accountability for privacy protection
continues to shift to corporations, companies
who are on the fence about implementing
a certifiable privacy framework will need to
make a move sooner rather than later.
The conundrum of privacy in the connected car
In the automotive industry, the notion of the connected car is not new. The emergency
“e-call” feature in BMW cars has been available since 1999. What is new is the level of
connectedness in vehicles as digital technology revolutionizes the driving experience.
This is a challenge for the automotive industry because the development cycle of a
vehicle is seven or eight years, whereas the development cycle for technology can be
as short as seven to 14 days.
BMW has a Privacy by Design (PbD) policy that we maintain and enhance. We also
spend time training the appropriate resources within the business to adhere to the
principles outlined in the policy. Part of that policy states that at a very early stage, our
privacy professionals need to be involved in the development of new features and apps.
More importantly, we have defined methods for privacy that consider and
synchronize the traditional long-term development cycle of classic car production
with the extremely short-term IT development life cycle.
We have also achieved BCR certification to establish and maintain consistent and
adequately protective data privacy policies across all of our legal entities around
the world.
We believe that PbD and BCR offer robust frameworks for establishing privacy
programs. However, today’s and tomorrow’s connected cars offer automated driving
features. The questions automotive companies are asking are: who should be
controlling these features and who should control the data? The e-call feature is a
good example. If the driver has the option to deactivate the feature, but the next
driver doesn’t reengage it, experiences an accident and no one comes to the rescue,
who is responsible? One person’s choice is impacting another’s driving experience.
Similarly, there is the issue of who controls the data that a vehicle collects. Does
the driver or owner of the vehicle control it? Or does the original equipment
manufacturer (OEM)? The connected car creates conflicts between consumer choice
and the OEM. Much like the health care industry, consumers and OEMs alike may look
to regulators to resolve these conflicts.
Ultimately, privacy may become a feature that influences a consumer’s car-buying
decision so it’s important that automotive manufacturers get it right early. Privacy
professionals add that level of value.
10%
9%
7%
Numbers may not sum due to rounding
6 FTC Staff Report, internet of things: Privacy & Security in a Connected World, January 2015, https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff- report-november-2013workshop-entitled-internet-things-privacy/150127Internet of Thingsrpt.pdf.
7 Rich, Jessica, “Beyond Cookies: Privacy Lessons for Online Advertising,” AdExchanger Industry Preview 2015, 21 January 2015, https://www.ftc.gov/system/files/documents/public_statements/620061/15
0121beyondcookies.pdf.
8 EY, Navigating the European Court of Justice’s data protection ruling, 2015.
6
| Can privacy really be protected anymore? — Privacy trends 2016
Can privacy really be protected anymore? — Privacy trends 2016 |
7
The view today
Kevin Murphy, CISM, CIPM, CIPT, CIPP/E/U
Information Security and Data Privacy Officer
Corning International
Corning, NY, USA
More countries adopting breach notification regulations
36%
more than a third of EY’s GISS cybersecurity
respondents say that it is unlikely that they
would be able to detect a sophisticated attack
In the US, in the absence of federal
regulatory action to produce standardized
breach notification requirements, the
states are going it alone. In 2015, at least
32 states introduced or are considering
security breach notification bills or
resolutions. Many of these bills would
amend existing data breach laws to require:
Despite the financial, operational and
reputational damage a privacy breach can
cause, breach notification remains a
tactical rather than a strategic imperative.
Executives continue to be more interested
in compliance than understanding the risks
that precipitated the breach.
• Companies to report breaches to state
As we have stated in previous Privacy
trends reports, this leaves individuals
increasingly vulnerable to both aggressive
organizations seeking to create competitive
advantage, or nefarious actors looking
to profit from unauthorized access to
personally identifiable information.
attorneys general or other central
state agency and expand the definition
of “personal information” to include
medical, insurance or biometric data
(fingerprints)
• Businesses and governments to
implement security plans or security
measures
• Educational institutions to notify parents
or government entities if a breach occurs.
This patchwork of data breach laws across
47 states makes it hard for organizations
to implement consistent breach notification
programs that address every state’s
compliance requirements. Moreover, there
is no single standard reporting mechanism.
EY’s GISS privacy questionnaire asked 630 respondents “when it comes to adopting
CBPR as a means of legitimizing transfers out of regulated APEC countries, which of the
following statements best describes your organization?” (Select one)
0%
10%
20%
30%
40%
50%
We don’t transfer personal information
out of regulated APEC countries
It is very likely that we will apply for CBPR
but don’t know when
We are in the process of, or already
obtained, CBPR approval
Most recently, in December 2015, the EU
issued a Network and Information Security
Directive (NIS Directive), the first EU-wide
legislation for cybersecurity. In addition to
improving cybersecurity capabilities in EU
Member States and enhancing member
state cooperation on cybersecurity, it
requires “operators of essential services
in the energy, transport, banking and
healthcare sectors, and providers of key
digital services like search engines and cloud
computing, to take appropriate security
measures and report incidents to national
authorities.” 9 Once the text of the NIS
Directive is formally approved, Member
States will have 21 months to implement
the directive into national laws. This new
law will have particular implications for
organizations deemed digital service
providers — online retailers, cloud computing
services and search engines.
Q
A strong foundation for privacy accountability makes compliance easier
At Corning Incorporated (Corning), we take the protection of personal data seriously,
particularly when it is being transferred across borders among the Corning group
of companies.
Four and a half years ago, Corning implemented policies that would enable us
to adhere to the principles associated with US-EU and US-Swiss Safe Harbor
Frameworks. These certify that we comply with appropriate standards for privacy
protection when transferring data between Corning’s US and EU entities. When
we started working on complying with Safe Harbor, we made a conscious effort to
address as many BCR requirements as possible. We have since gone on to receive
BCR certification, making it possible to transfer personal data between Corning
entities throughout the world. Formally adopting the BCR requirements was easier
mainly because we already had many of the basic principles in place — a data privacy
office, a corporate privacy policy, privacy impact assessments that identified current
practices and any gaps, and an inventory system for third parties.
Furthermore, we had embedded privacy into our culture. The principles that certify us
under BCR and Safe Harbor are the same principles we apply globally when it comes
to protecting personal information.
BCR, Safe Harbor and other certifications serve as motivational compliance tools
for organizations to be accountable for the personal information in their care. We
found at Corning that compliance is much easier if organizations implement a strong
privacy foundation and accountability mindset from the outset.
70%
58%
Undecided as to whether to take it or not
CBPR is not a path we intend to take
60%
In June 2015, Canada’s mandatory federal
security breach notification law received
royal assent. Organizations are now
required to notify the Privacy Commissioner
and affected individuals of any security
breach involving personal information
the organization experiences if there is a
reasonable expectation that the breach
will create a real risk of significant harm to
an individual.
21%
8%
7%
6%
Numbers may not sum due to rounding
9 “Commission welcomes agreement to make EU online environment more secure,” European Commission, 8 December 2015, http://europa.eu/rapid/press-release_IP-15-6270_en.htm.
8
| Can privacy really be protected anymore? — Privacy trends 2016
Can privacy really be protected anymore? — Privacy trends 2016 |
9
Moving forward
How can companies improve
their accountability and become trend leaders?
Actions to help improve accountability
in 2016
The pace at which new and emerging
technologies are penetrating and
disrupting every aspect of our lives is far
outstripping the pace at which lawmakers
can keep up. As a result, regulators — and
consumers — are looking to companies to
assume accountability for privacy.
There are eight actions companies can
take to help improve their accountability
and become trend leaders.
1
Develop KPIs for privacy 2
Build privacy impact assessments into the system development life cycle 3
Prepare a robust incident response
plan — and prepare to respond 4
Monitor for insider threats
5
Know the assurance options 6
Implement identity and access management for privacy 7
Consider right-on-time notice of privacy policy 8
Get consensus on an approach to
de-identification
1
Develop KPIs for privacy In EY’s GISS privacy questionnaire, we
asked 630 respondents to rank which KPIs
they think are most important to track, as
well as the KPIs that executive leadership
thinks are most important. Many are the
same. Where the results deviate is where
it gets interesting. Both rate progress in
addressing compliance obligations, tracking
the number and impact of breaches and
progress in addressing privacy risks as their
top three priorities. However, management
appears to be far more concerned about
priorities two and three than their executive
counterparts. Attitudes deviate even
further on management’s priorities around
measuring the company’s ability to close
known gaps and its ability to complete and
maintain inventory of personal information.
For executives, tracking complaints received
trumped closing known gaps as their
number four priority. And maintaining an
inventory of personal information fell to
number seven on their list, below closing
known gaps (number five) and collaborating
with the business (number six).
For privacy accountability to be successful,
leadership and management need to be
aligned in terms of both priorities and
culture when it comes to managing privacy.
Organizational leaders need to understand
that it’s no longer enough to know what
they are tracking. They have to know why
they are tracking it and which KPIs will
enable them to develop a robust privacy
program that zeros in on accountability,
within and outside the organization.
Companies will want to consider adopting
KPIs for privacy in the same way they do
for any other performance-based program.
These KPIs can be tied to the company’s
existing GRC program. In a recent survey
conducted by the International Association
of Privacy Professionals (IAPP) and
sponsored by EY, IAPP-EY Annual Privacy
Governance Report 2015, 31% of
respondents indicate that they plan to
increase their use of GRC tools in the
coming year, with more than half ranking
data protection controls as their most used
GRC tool.10
Automating KPIs helps enable companies to
gather and analyze accurate privacy data
that they can then use to develop, implement,
monitor and maintain robust privacy
programs that help increase compliance
with regulations, and meets increasing
consumer demands.
KPI
Top priority for
management
Top priority for
executive leadership
Progress in addressing compliance obligations
42%
41%
Number and impact of breaches and incidents
42%
32%
Progress in addressing risks to privacy
39%
23%
Closing known gaps
32%
19%
Complete and maintain inventory of
personal information
31%
12%
Complaints received
22%
22%
Degree of collaboration with the business
14%
23%
10 IAPP-EY, IAPP-EY Annual Privacy Governance Report 2015.
Can privacy really be protected anymore? — Privacy trends 2016 |
11
Moving forward
Ben Carr
Chief Privacy Officer
Telstra
Melbourne, Australia
2
Build privacy impact assessments into the system development life cycle 3
Prepare a robust incident response
plan — and prepare to respond Privacy impact assessments (PIAs) analyze
how personally identifiable information is
collected, used, shared and maintained.
It aids organizations in identifying and
mitigating privacy risks within projects and
across the entire enterprises. PIAs are not
new. But where they were once optional,
today they are leading practice. In the
recent IAPP-EY survey, 59% of privacy
professionals indicate that they use PIAs,
with approximately 50% saying that they
are part of their organizations system
development life cycle process.11
In EY’s GISS only 7% of 1,755 respondents
to the cybersecurity questionnaire claim
to have incident response programs for
cyber attacks. These include third parties
and law enforcement and are integrated
with their broader threat and vulnerability
management function — a percentage that
remains unchanged from last year. The
next question becomes, of the 7% that have
incident response programs in place for
cyber attacks, how many have incorporated
responses to privacy breaches as part of
their program?
One of the PIA leaders is the UK. It was
the first country in Europe to develop and
disseminate a privacy impact assessment
methodology. In 2012, the EC’s Data
Protection Regulation introduced made
PIAs mandatory for both public and private
sector organizations throughout Europe.
In April 2015 in the US, the cybersecurity
unit of the Department of Justice released
new guidance on leading practices for
responding to data breaches. The guidance
is divided into four sections that address
what steps to take before a cyber attack,
how to respond when a cyber attack occurs,
what not to do following a cyber incident
and what to do in the aftermath.12
We see 2016 as the year that organizations
build PIAs into their development system
life cycle so that they are conducted
consistently for every project, every time.
First and foremost, the guidance
recommends that before a breach occurs,
organizations should conduct risk
assessments to identify and prioritize
critical assets, data and services. From a
privacy perspective these risk assessments
should particularly focus on identifying
and flagging any personally identifiable
information. The guidance goes on to
suggest that organizations develop a robust
incident response plan that outlines the
concrete steps they need to take in the
event of a cyber breach.13
Governments in Canada, the EU and the
UK all have similar advice regarding incident
response. Yet, for global organizations, a
country-by-country response is a poor option.
Instead, multinational organizations may
want to consider developing a robust,
consistent, unified and clearly articulated
approach to addressing incidents related to
privacy breaches before they occur.
Given that more than a third of EY’s GISS
cybersecurity respondents say that it is
unlikely that they would be able to detect a
sophisticated attack, there’s a good chance
that one or more readers of this report is
currently experiencing a breach and doesn’t
even know it yet.
Monitor for insider threats
7%
of GISS cybersecurity respondents have
incident response programs for cyber attacks
that include third parties and law enforcement
and is integrated with their broader threat and
vulnerability management function
12 “Best Practices for Victim Response and Reporting of Cyber Incidents,” Cybersecurity Unit, Computer Crime & Intellectual Property Section, Criminal Division, U.S. Department of Justice, April 2015,
http://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents.pdf.
Proposed breach notification law eases customer anxieties
In EY’s GISS 2015, when we asked the
cybersecurity respondents what they
consider to be the most likely source of a
cyber attack, 56% indicated their employees,
a 12 percentage point increase from last
year, and second only to criminal syndicates.14
In early December 2015, the Australian government proposed a new law that will
require organizations operating in Australia to disclose serious breaches of people’s
information within 30 days if the breach has a potential to cause serious harm. The
concept of mandatory data breach notification has been around for a long time. In
fact, the previous government introduced similar legislation, but it was not put to
parliament for a vote.
When asked whether they monitor their
employees’ use of data, 42% indicate
they have formalized requirements for
monitoring employees while balancing their
privacy obligations. That said, a majority
of respondents admit that protecting
proprietary information is more important
than protecting employee privacy.
Broadly speaking, Telstra is supportive of a mandatory breach notification law
because we believe customers expect that they should be notified if there is a
significant breach that can cause them harm. We haven’t seen the final details of
the legislation. However, we believe that organizations should be doing everything
they can to notify, remediate and manage to the best of their ability any such lapses.
Certainly, this is what Telstra does.
Although a healthy minority monitor their
employees’ use of data, few organizations
assess their employees’ adherence to data
protection requirements through their
performance evaluation process. Instead,
organizations rely on more traditional,
administrative mechanisms, such as
computer-based education, emails, posters
and agreements. Many of these mechanisms
focus on communicating expectations rather
than emphasizing deterrence.
11 IAPP-EY, IAPP-EY Annual Privacy Governance Report 2015.
13 Ibid.
4
Understandably, organizations want to
use monitoring tools to keep an eye on
their data. However, these tools can also
end up monitoring an employee’s personal
information. This is particularly evident
in the case of bring your own device
(BYOD), which is now ubiquitous across
organizations.
However, we need to make sure that laws such as these do not produce notification
fatigue. A lack of harmonization in breach notification laws around the world means
organizations need to understand the different laws in different jurisdictions. Does
a breach require telling the regulator before the consumer? When contacting the
consumer, which form must the notification take — verbal, written? And then there’s
the additional requirement of notification based on the size of the breach. We’re
conscious of over notifying customers and creating levels of anxiety for breaches that
will have no material impact. That said, we are fully in favor of legislative instruments
for instances where serious harm can occur.
In recognition of the anxiety customers feel around breach notification, the Australian
Privacy Commissioner has released guidance on what he expects should happen if
there is a data breach, but at the moment, without a law, it’s entirely voluntary.
Telstra already has a framework in place that ensures we not only meet our legal
obligations, but also our customers’ expectations on privacy and data protection.
As a large organization, we have large numbers of resources invested in compliance
and management of regulatory requirements. We will be well-positioned to meet any
compliance obligations the new breach notification law imposes.
The same cannot be said for smaller organizations with fewer resources, less
experience, and no back office IT systems to support the requirements of the new law.
For them, this new law will likely pose significant challenges — ones worth resolving
to keep customers informed and to remediate and mitigate the impact today’s data
breaches can cause.
56%
of GISS cybersecurity respondents consider
their employees to be the most likely source
of attack — second only to criminal syndicates
14 EY’s Global Information Security Survey 2015 “Creating trust in the digital world.”
12
| Can privacy really be protected anymore? — Privacy trends 2016
Can privacy really be protected anymore? — Privacy trends 2016 |
13
Moving forward
Steve Wright
Chief Privacy Officer
Unilever
London, UK
Rather than monitoring employees, which
is a less than ideal option for all parties,
organizations may want to consider some
or all of the following options to better
balance privacy and regulation with the
need to monitor for insider threats:
• Partitioning. This would help to alleviate
at least some of the privacy issues
associated with dual-use devices (laptops,
tablets and smartphones). Partitioning
would provide the device with two
different desktops — one for work and one
for personal — located on two separate
components of the device’s hard drive.
• Guest network. A guest network separate
from the main network allows employees
to use their personal device to gain
access to the web directly, perhaps even
through a work-only email account.
• Sandboxes. Using third-party services or
an organization’s own coding to create
“sandboxes” enables organizations to
separate company data and companyissued applications from any interaction
with personal data, applications or
online services.
As the workforce becomes increasingly
mobile and technologies continue to evolve,
finding the right balance between personal
privacy and corporate security is more
important than ever.
5
Know the assurance options Service providers are often asked to obtain
an independent assessment of their privacy
and data security practices. Previously,
organizations used the Statement on
Auditing Standard No. 70 reports (SAS 70
reports). However, these reports are not
intended to address privacy or security.
In 2011, AICPA issued a new framework —
Reports on Controls at a Service
Organization Relevant to Security,
Availability, Processing Integrity,
Confidentiality and Privacy (SOC 2). SOC
2 reports provide independent assurance
on a wider range of service provisions than
simply financial reporting. They enable
service providers to be transparent and
accountable to their clients. Additionally,
organizations that outsource can use the
SOC 2 reports to be accountable to their
shareholders and other stakeholders.
SOC 2 reports enable service providers
to be transparent and accountable to
their clients. Further, organizations that
outsource can use the SOC 2 reports to be
accountable to their shareholders and other
stakeholders.
37%
of GISS cybersecurity respondents have no
formalized requirements to address privacy
concerns related to social media
SOC 2 audits are conducted based on the
AICPA’s five trust services principles:
1. Security. The system is protected
against unauthorized access (both
physical and logical).
2. Availability. The system is available for
operation and use as committed.
3. Processing integrity. System
processing is complete, accurate, timely
and authorized.
4. Confidentiality. Information designated
as confidential is protected as
committed.
5. Privacy. Personal information is
collected, used, retained, disclosed
and destroyed in conformity with the
commitments in the entity’s privacy
notice and with criteria set forth in
Generally Accepted Privacy Principles
issued by the AICPA and CICA. The
principles of security, availability and
processing integrity are used to evaluate
whether a system is reliable.15
SOC 2 reports play a different role in giving
consumers, commercial customers,
shareholders and the market at large the
confidence that an organization is meeting
a comprehensive standard when protecting
their data.
6
Implement identity and access management for privacy Identity and access management for privacy
differs from traditional identity and access
management programs because it’s about
privacy, not security. Organizations can
control access by modifying, or de-identifying
the data.
Identity and access management for
security focuses on determining what level
of detail a user needs, which is determined,
in part, on role. Identity and access
management for privacy needs to be
customized, not by role, but by customizing
data elements with privacy in mind.
Organizations can be smarter about how
they handle privacy by providing users with
the least-specific data based on a user’s
need. For example, a company provides
reports to 1,000 users over the course
of a year. Currently, every one of those
1,000 people gets access to the complete
set of data. However, not everyone needs
complete access. Identity and access
management for privacy helps companies
to evolve their privacy programs so that
only 100 of the 1,000 get a complete set
of data. The rest of the people get a subset
of the data based on their need.
The benefits of this approach as organizations
move to implement it in the coming year
are twofold: fewer vulnerabilities related
to insider threats; and greater rigor for
organizational accountability.
Monitoring program effectiveness through KPIs
With a market capitalization of $124b, revenues of approximately $50b, and more
than 400 diverse brands globally, Unilever is a large organization with unique
challenges in terms of data privacy. When we embarked on a cross-enterprise, crossgeography privacy program in 2013, we were interested not only in developing and
implementing a robust global privacy program, but also in monitoring and measuring
its success.
When we officially launched our privacy program, we broke it down into four or five
main components: 1) governance, which encompassed accountability, ownership
and responsibility, as well as establishing a data protection network; 2) policy, which
related to standards, guidance and legal requirements; 3) privacy awareness and
training; and 4) operationalizing privacy and introducing privacy monitoring, which
included establishing KPIs.
With regard to the last component, we’ve been implementing a privacy tracking and
monitoring tool, which to date has been rolled out to more than 50% of our data
protection officer network. Using this self-assessment tool, data protection officers
are responsible for checking that the controls we’ve stipulated in our global privacy
standard are operating effectively. We’ve also been working with corporate audit to
educate and train data protection officers on the types of issues our organization
faces, including where data is stored and how long we retain it. Additionally, we’ve
trained our procurement people in terms of what model clauses should look like as
well as responses.
Based on the standards, policies and tools that we’ve implemented, we are getting
to a place where we can monitor and measure the effectiveness of our program.
So far, we have been able to test the monitoring across our European countries
to determine how they are doing against our KPIs. We report the results of our
progress on a quarterly basis to the Chief Legal Officer and the Quarterly Information
Protection Council.
Our next step is to test the awareness level of our employees through surveying,
again, to measure the effectiveness of our controls, to raise awareness, and to
identify and remediate any issues that arise. As an unregulated industry, our
organization is unaccustomed to adhering to compliance requirements. This has
presented some unique challenges, as well as some opportunities to shift our
corporate culture and embed accountability for privacy into the senior management
levels of the organization. It makes our efforts as much a process as a program,
helping the business to understand its responsibilities through awareness and KPIs.
61%
of GISS privacy questionnaire respondents say
that they either have no mandate to minimize
or de-identify personal information, or they
only do it in unique circumstances
15 “Trust Services Principles and Criteria,” AICPA, www.aicpa.
org, ©2006-2015 American Institute of CPAs,
http://www.aicpa.org/interestareas/informationtechnology/
resources/soc/trustservices/pages/trust%20services%20
principles%E2%80%94an%20overview.aspx.
14
| Can privacy really be protected anymore? — Privacy trends 2016
Can privacy really be protected anymore? — Privacy trends 2016 |
15
Moving Forward
Jeimy J. Cano M., PhD, CFE
Chief Information Security and Privacy Officer
Ecopetrol S.A.
Bogota, Colombia
7
Consider right-on-time notice of privacy policy Traditional privacy notifications and choice
options have largely lost their meaning.
Consumers blindly click on the “Accept”
button without reading or understanding
their privacy rights, often because it’s
several pages long and written in legalese.
These notifications also tend to be blanket
consent for every subsequent interaction
consumer has with organization.
A better option for organizations and
consumers alike is right-on-time
notification. This would require consumers
to consent to each interaction. At the
same time, for each of these interactions,
organizations would have to explain what
they plan on doing with a customer’s
information and what options consumers
have with regard to that use.
In the recent IAPP-EY survey, nearly a third
of respondents indicate having completed
initiatives around privacy choice and
consent consolidation with a further third in
the short- or long-term planning stages.16
It is unclear, however, whether these initiatives
included a review and implementation of
right-on-time notification.
In 2016, organizations should consider
working towards making consent more
detailed and relevant to the interaction and
explain the specific intent of the use it has
for the data.
8
Get consensus on an approach to
de-identification
Loosely defined, de-identification involves
the scrubbing of data until any hint of an
individual’s identity is gone. The purpose
is to make the data safe from a privacy
perspective, but useful from a big data/data
analytics standpoint.
In EY’s GISS privacy questionnaire, we
asked participants about their use of big
data, as well as what steps they were taking
to de-identify personal information. Over the
last year, 37% of organizations have
invested in identifying new uses for their
data in the context of big data analysis.
In the next year, 45% plan to invest more
in big data. Yet 54% have no formalized
requirements for using big data while
addressing their privacy obligations. Further,
for 61% there is either no mandate, or a
requirement only in unique circumstances,
to de-identify personal information.
As big data plays an increasingly important
role in almost every decision a company
makes, the debate over what data a company
collects, stores, manages and protects will
continue to escalate. It is in this context
that the concept and the definition of
de-identification grows increasingly critical.
Yet, the definition, particularly when it’s
considered in a legal context, remains vague
— which may explain why only a little more
than a quarter (27%) of survey respondents
have a plan for de-identification.
However, that has not stopped regulators
from trying. In the US, the Health Insurance
Portability and Accountability Act (HIPAA)
defines protected health information
as identifiable data that “identifies the
individual or for which there is a reasonable
basis to believe [that the information]
can be used to identify an individual.”17
The FTC doesn’t provide a definition
per se. Instead, it offers advice to help
organizations assess whether data is
identifiable. However, there is currently no
leading practice.
In Europe, the General Data Protection
Regulation promotes techniques such as
anonymization (removing personally
identifiable information where it is not
needed), pseudonymization (replacing
personally identifiable material with
artificial identifiers), and encryption
(encoding messages so only those authorized
can read it) to protect personal data.
Two organizations have taken additional
steps to help de-mystify de-identification:
Despite these noble efforts, before
organizations can move forward in developing
and implementing a de-identification plan,
the global community needs to agree on a
common approach to de-identification.
In a recent draft report, FPF makes the
argument that rather than focusing on what
constitutes personal data and therefore
which data should be de-identified, we
should consider reorienting legal rules for
data based on “multiple categories of
identifiability, while keeping the option open
to assess other factors such as the data’s
sensitivity, accessibility and permanence
to modify additional legal requirements.”18
This approach allows that rather than
a black and white approach to data,
organizations and policymakers should
“view data in various shades of gray.”19
In 2016, we expect to see progress by the
global community in finding consensus in
terms of what constitutes de-identification,
and a framework to help organizations
develop a plan to achieve it.
Q
1. Future of Privacy Forum (FPF) has
developed a framework for
de-identification.
2. National Institute of Standards and
Technology (NIST) has published the
De-Identification of Personally
Identifiable Information to provide an
overview of the different approaches
and gaps associated with common
de-identification technique.
The human side of data
In 2012, Colombia’s congress issued new statutory law related to a new data
protection law. Part of these regulations requires that the data controller within
an organization must be in charge of the company’s data protection compliance
program. As the Chief Information Security Officer for my organization, that
operational responsibility was delegated to me and my team. I now serve as the Chief
Information Security and Privacy Officer.
Combining these two roles provides a unique perspective for me to look at the issue
of data protection from both a security and a privacy standpoint. My team and I need
to know what information needs to be protected, where it needs to be protected
and how it needs to be protected. It’s not good enough to protect the information
itself. It also requires a better understanding of where the privacy issues are within
the various functions of the organization, and to identify and implement policies and
procedures to mitigate the associated risks.
When we talk about protecting information, we are, of course, talking about customer
data and employee data and how to protect both. How to protect the privacy of our
employees. But also, how to ensure that our employees respect and protect our
customers’ privacy too.
One of the biggest advantages I see to having dual responsibility for information
security and privacy is our visibility and ability to trace the flow of information across
the enterprise from start to finish so that we can ensure that the data is protected at
every touch point. When I only held the role of Chief Information Security Officer, my
primary focus was securing the data. As both Chief Information Security Officer and
Chief Privacy Officer, my focus is now on the people as well as data security. This is a
significant shift that enables us to look at more than the compliance implications — it
enables us to look at the human implications.
54%
of GISS privacy questionnaire respondents
have no formalized requirements for using big
data while addressing their privacy obligations
16 IAPP-EY, IAPP-EY Annual Privacy Governance Report 2015.
17 “Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule,” U.S. Department of Health
and Human Services, HHS.gov, http://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html.
18 Polonetsky, Jules, Tene, Omer, Finch, Kelsey, “Shades of Gray: Seeing the Full Spectrum of Practical Data De-Identification,” Future of Privacy Forum, 2015.
19 Ibid.
16
| Can privacy really be protected anymore? — Privacy trends 2016
Can privacy really be protected anymore? — Privacy trends 2016 |
17
Conclusion
The need for maturity in
privacy accountability
If the evolution of privacy protection is still in the adolescent phase, then
it needs to grow up — fast. The digital future is upon us and it won’t wait for
governments to craft laws that address the myriad privacy risks it creates.
Organizations are increasingly being held to account for the reams upon reams
of personally identifiable data they collect. Yet, alarmingly large numbers of
organizations still have no idea where this data lives within their systems, let
alone how to protect it.
Organizations need to be taking clear and decisive action to develop and enhance
privacy management beyond ad hoc policies and toward fully accountable,
certified and trusted privacy programs. Knowing how information is collected,
used, shared and maintained, developing KPIs, finding the balance between
monitoring for insider threats and employee privacy, controlling access by
modifying and de-identifying data, preparing for the worst and providing
independent assurance on privacy programs are all signs of an evolving maturity
that governments and individuals alike are demanding.
For years, we’ve been talking about the need for accountability in privacy
management. We expect 2016 may be the year when privacy programs mature
from adolescence to adulthood.
Organizations need to take clear and decisive action to develop and enhance privacy management
Want to learn more?
Insights on governance, risk and compliance is an ongoing series of thought leadership reports focused on IT and other business risks
and the many related challenges and opportunities. These timely and topical publications are designed to help you understand the issues
and provide you with valuable insights about our perspective.
Please visit our Insights on governance, risk and compliance series at: www.ey.com/GRCinsights.
Creating trust in the digital world:
EY’s Global Information Security
Survey 2015
www.ey.com/GISS2015
Enhancing your security operations with
Active Defense
www.ey.com/activedefense
Achieving resilience in the cyber ecosystem
www.ey.com/cyberecosystem
If you were under cyber attack, would you ever know?
Reducing risk with Cyber Threat
Intelligence
www.ey.com/CTI
Cybersecurity and the Internet of Things
www.ey.com/IOT
Cyber program management: identifying
ways to get ahead of cybercrime
www.ey.com/CPM
As many organizations have learned, sometimes the hard way, cyber attacks are
no longer a matter of if, but when. Hackers are increasingly relentless. When one
tactic fails, they will try another until they breach an organization’s defenses. At
the same time, technology is increasing an organization’s vulnerability to attack
through increased online presence, broader use of social media, mass adoption
of mobile devices, increased usage of cloud services, and the collection and
analysis of big data. Our ecosystems of digitally connected entities, people and
data increase the likelihood of exposure to cybercrime in both the work and home
environment. Even traditionally closed operational technology systems are now
being given IP addresses, enabling cyber threats to make their way out of backoffice systems and into critical infrastructures such as power generation and
transportation systems.
Anticipating cyber attacks is the only way to be ahead of cyber criminals. With
our focus on you, we ask better questions about your operations, priorities and
vulnerabilities. We then collaborate with you to create innovative answers that help
you activate, adapt and anticipate cybercrime. Together, we help you design better
outcomes and realize long-lasting results, from strategy to execution.
Using cyber analytics to help you get
on top of cybercrime: Third-generation
Security Operations Centers
www.ey.com/3SOC
20
There’s no reward without risk:
EY’s global governance, risk and
compliance survey 2015
www.ey.com/GRCsurvey2015
| Can privacy really be protected anymore? — Privacy trends 2016
Unlocking the value of your program
investments: How predictive analytics can
help in achieving successful outcomes
www.ey.com/PRM
We believe that when organizations manage cybersecurity better, the world
works better.
So, if you were under cyber attack, would you ever know? Ask EY.
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax,
transaction and advisory services. The insights
and quality services we deliver help build
trust and confidence in the capital markets
and in economies the world over. We develop
outstanding leaders who team to deliver on
our promises to all of our stakeholders. In
so doing, we play a critical role in building a
better working world for our people, for our
clients and for our communities.
EY refers to the global organization, and may
refer to one or more, of the member firms of
Ernst & Young Global Limited, each of which is
a separate legal entity. Ernst & Young Global
Limited, a UK company limited by guarantee,
does not provide services to clients. For more
information about our organization, please
visit ey.com.
© 2016 EYGM Limited.
All Rights Reserved.
EYG no. AU3733
ED None
This material has been prepared for general informational
purposes only and is not intended to be relied upon as
accounting, tax, or other professional advice. Please refer
to your advisors for specific advice.
About EY’s Advisory Services
In a world of unprecedented change, EY Advisory believes a better working world means
helping clients solve big, complex industry issues and capitalize on opportunities to grow,
optimize and protect their businesses.
Through a collaborative, industry-focused approach, EY Advisory combines a wealth of
consulting capabilities — strategy, customer, finance, IT, supply chain, people advisory,
program management and risk — with a complete understanding of a client’s most complex
issues and opportunities, such as digital disruption, innovation, analytics, cybersecurity,
risk and transformation. EY Advisory’s high-performance teams also draw on the breadth
of EY’s Assurance, Tax and Transaction Advisory service professionals, as well as the
organization’s industry centers of excellence, to help clients realize sustainable results.
True to EY’s 150-year heritage in finance and risk, EY Advisory thinks about risk
management when working on performance improvement, and performance improvement
is top of mind when providing risk management services. EY Advisory also infuses
analytics, cybersecurity and digital perspectives into every service offering.
EY Advisory’s global connectivity, diversity and collaborative culture inspires its consultants
to ask better questions. EY consultants develop trusted relationships with clients across the
C-suite, functions and business unit leadership levels, from Fortune 100 multinationals to
leading disruptive innovators. Together, EY works with clients to create innovative answers
that help their businesses work better.
The better the question. The better the answer. The better the world works.
Our Risk Advisory Leaders are:
Global Risk Leader
The views of third parties set out in this publication are not
necessarily the views of the global EY organization or its
member firms. Moreover, they should be seen in the context
of the time they were made.
Paul van Kessel
ey.com/GRCinsights
Americas
+31 88 40 71271
[email protected]
+1 612 371 8537
[email protected]
+971 4 312 9921
[email protected]
+61 8 9429 2486
[email protected]
+81 3 3503 1100
[email protected]
+44 20 795 15769
[email protected]
+1 513 612 1591
[email protected]
+44 207 951 6930
[email protected]
+65 8691 8635
paul.o’[email protected]
+81 3 3503 1100
[email protected]
+1 703 747 0899
[email protected]
Area Risk Leaders
Amy Brachio
EMEIA
Jonathan Blackmore
Asia-Pacific
Iain Burnet
Japan
Yoshihiro Azuma
Our Cybersecurity Leaders are:
Global Cybersecurity Leader
Ken Allan
Area Cybersecurity Leaders
Americas
Bob Sydow
EMEIA
Scott Gelber
Asia-Pacific
Paul O’Rourke
Japan
Shinichiro Nagao
Global Privacy Leader
Sagi Leizerov

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2024 Paperzz