Enabling your privacy program using ServiceNow

KPMG point of view, April 2019, kpmg.com


    KPMG’s point of view – enabling privacy in ServiceNow

    Privacy laws: The EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are laws designed to unify an approach to personal data privacy and protection in their respective regions. Full text for GDPR is available at http://ec.Europa.eu and full text for CCPA is available at https://leginfo.legislature.ca.gov.

    Additional countries will continue to pass privacy laws over time, requiring companies to adhere to their requirements and to have a sound approach to data privacy and the protection of personal information.

    Maturing through technology enablement: Many organizations have been focused on getting a handle on their assets, their processing activities, and how personal information is stored and transferred within their organization. As these privacy laws go into effect, and additional laws are approved, organizations will need to operationalize their privacy program and allow it to scale. This is where the use of technology is very important.

    Implementing technology such as ServiceNow allows an organization to centralize its privacy processes and to automate key ones, including privacy risk assessments, data subject access requests, responding to privacy incidents, and measuring privacy controls.

    How can KPMG help?: KPMG LLP is different. We work alongside our clients to design, implement, and govern a self-service, on-demand, and solutions-focused approach to privacy compliance that will demonstrably deliver real business value: lowering the cost of compliance, lowering the cost of control, and increasing the confidence that executives have with regard to protecting at-risk personal data assets.

    Our team is made up of professionals with deep privacy experience and ServiceNow technical resources with functional skills in all risk and compliance domains. Our team has the skills and experience to assist clients in maturing their privacy program to scale.

    Our approach to privacy

    KPMG’s privacy reference architecture allows organizations to define key privacy considerations. The privacy reference architecture is made up of domains within areas such as Privacy Program Operations, Privacy Oversight, and Objective Validation. Each domain will be made up of capabilities that an organization needs to consider as part of their overall privacy program. These capabilities will equip an organization to respond to privacy regulatory requirements including those from GDPR and CCPA.

    Privacy oversight

    • Privacy governance: The ability to define organizational privacy strategy, expectations, and structure to monitor program effectiveness
    • Regulatory management: The ability to manage regulatory relationships, including responding to regulator requests and assessing current and future privacy regulatory requirements
    • Organizational change: The ability to promote awareness and understanding of privacy risks, rules, and safeguards

    Privacy program operations

    • Inventory: The ability to know what, where, why, and for how long an organization uses, processes, stores or shares personal data
    • Data subject rights: The ability to allow individuals to request access, changes, or deletion of their personal information and fulfill these requests within the time limits defined by applicable regulations
    • Privacy risk management: The ability to assess privacy and data protection risks and influence how data is used, processed, stored or shared
    • Data protection: The ability to apply and maintain security controls to protect personal data
    • Privacy notice and consent management: The ability to notify individuals about how their personal data is used, processed, stored, or shared while accurately obtaining and tracking their granular consent
    • Third-party privacy management: The ability to understand and mitigate the liabilities associated with transferring data to and from third parties
    • Privacy incident management: The ability to detect and respond to a data breach within the time limits defined by applicable regulations

    Objective validation

    • Objective validation assurance: The ability to provide internal or external objective validation of the effectiveness of the privacy program’s governance, risk management, and systems of internal controls

    © 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 854713

    ServiceNow and your privacy program

    Like other compliance management efforts, technology implementation is an integral component of privacy program enablement. ServiceNow can be an effective enabler for automating privacy processes, using ServiceNow’s out-of-the-box modules, features, and Configuration Management Database (CMDB) integration capabilities along with KPMG accelerators such as asset tagging, an application to manage processing activities, and Data Protection Impact Assessment (DPIA).

    [Figure: Conceptual integrated architecture to help enable a privacy program in ServiceNow. Labels recovered from the diagram: core functionality, GRC solution, SecOps solution, non-core functionality, service portal, CMDB; components shown: security incidents, DPIA, authority document, policies, policy statements, controls, risks, risk statements, risk framework, audit engagement, control test, vendors, privacy vendor assessment, processing activity, privacy scoping (profile types). Legend: audit management, risk management, policy and compliance management, vendor risk management.]

    Privacy reference architecture components and their enablement in ServiceNow, by area

    Privacy program operations

    Processing activity — Capture processing activities within a table in ServiceNow and map them to core data elements within the ServiceNow GRC and SecOps applications (e.g. controls, vendors, security incidents) as well as assets within the CMDB (e.g. applications).

    1. Inventory — Inventory assets within the ServiceNow CMDB and tag each asset within privacy scope.

    2. Data protection — Apply data protection controls (e.g. DLP, access management, encryption) and measure the effectiveness of those controls within ServiceNow GRC.

    3. Data subject rights — Allow individuals to submit Data Subject Access Requests (DSAR) through the ServiceNow Portal, where tickets can be created, routed, and fulfilled to complete the individual’s request for access, changes, and deletion of PII.

    4. Privacy risk management — Privacy Impact Assessment (PIA) and Data Protection Impact Assessment (DPIA) can be completed by users to identify risks, so that the privacy team can provide the necessary guidance on controls to move forward.

    5. Privacy notice and consent management — Privacy Notice and Consent Statements can be captured in a table within ServiceNow and managed through a review and approval workflow before being sent to individuals.

    6. Third-party privacy management — ServiceNow’s Vendor Risk Module can inventory vendors and push privacy-related assessments, document requests, and issues to vendors as part of overall compliance with privacy requirements. Vendors can also be mapped to specific processing activities and monitored.

    7. Privacy incident management — Security breaches can be tracked through ServiceNow’s Security Incident Response application and mapped to processing activities.

    Privacy oversight

    8. Privacy governance
       — ServiceNow’s GRC application can store privacy policies, standards, and various regulatory requirements.
       — ServiceNow’s portal, dashboards, and reports can provide the ability to monitor progress against the company’s privacy strategy and the management of privacy risks and requirements.

    9. Regulatory management
       — ServiceNow’s GRC application can hold an inventory of controls mapped to regulatory requirements and internal policies.
       — Controls can be monitored and tested to determine compliance against regulations. Identified gaps can be managed in ServiceNow through an issue workflow.

    10. Organizational change — As part of a ServiceNow implementation, organizational change activities are executed, including communications, end user training, and technical knowledge transfer.

    Objective validation

    11. Objective validation assurance — ServiceNow’s GRC application has Audit Management capabilities to enable audit engagements, audit tasks, and control tests as a way to provide objective validation against privacy controls.


    Contact us

    For more information on how KPMG can help your organization, contact:

    Mitch Kenfield, Principal, T: 404-222-3295, E: [email protected]

    Prasanna Govindankutty, Managing Director, Advisory, T: 212-954-2737, E: [email protected]

    Orson Lucas, Managing Director, Advisory, T: 813-301-2025, E: [email protected]

    The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.


    Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

    kpmg.com/socialmedia