
Big Data Analytics in Accounting and Finance

Assignment 3

2301949040
Javier Noel Claudio
LB53 – LEC
Dewan Pelawi, S.Kom.,MMSI.
D2318
1. What measures are you taking to protect personally identifiable information (PII) within your
systems, including protection against linkage attacks?
Make sure you are compliant with regional laws in this area and are not putting your reputation at risk
from privacy infringement, even if legal.
Personally Identifiable Information is any type of information from which a specific individual
may be identified. That includes things like names, social security numbers, passport numbers,
or physical addresses. It also includes less obvious things like emails and phone numbers. To
protect PII:

1) Identify What PII You Collect and Where It Is Stored


Begin by performing an inventory of what PII you’re collecting and where it’s being stored.
You’ll need to examine whether you’re collecting data correctly and if the storage method
contains adequate security measures.

2) Identify What Compliance Regulations You Must Follow


Depending on your industry, you may be subject to legal compliance requirements. These
are laws that govern how you collect, handle, store, and transmit certain types of sensitive
information. These may vary based on where or who your customers are, rather than your
industry or business location.
The most common compliance mandates include:
• Health Insurance Portability and Accountability Act (HIPAA)
• General Data Protection Regulation (GDPR)
• California Consumer Privacy Act (CCPA)
• Personal Information Protection and Electronic Documents Act (PIPEDA)

3) Perform a PII Risk Assessment


A risk assessment will help you identify possible vulnerabilities or weak points in your
security strategy before criminals do. You should identify:
• What PII is regulated and what actions you’re taking to ensure compliance.
• What unregulated PII poses risks to reputation, competition, security, etc.
• Possible sources of threats, from most to least likely.
• Possible risk management strategies, including control procedures and safeguards that
you can implement.

4) Securely Delete PII That’s Not Necessary to Business


Are you holding onto PII that you no longer need? While you might think it’s best to hoard as
much data as you can, PII can be a security risk when it hangs around forgotten. Comb
through your organization and identify information that can be deleted. This includes:
• Customers who have moved away, died, or ended the relationship.
• Records of employees who left the company more than a year ago.
• PII located on disused devices or in abandoned accounts.
• Instances where individuals have requested that you delete their information.
PII accumulates over time, so “cleaning house” can reduce your storage costs as well as
your risk.

5) Classify PII by Confidentiality and Privacy Impacts


Not all PII is of the same level of sensitivity. For example, email lists must still be protected,
but they have a much lower level of confidentiality than customer records containing credit
card numbers. By classifying data according to confidentiality and impact if their privacy is
compromised, you can gain a sense of what your security program needs.

6) Review and Update Safeguards That Protect PII


Review your overall security program to see what safeguards you need to update. Likewise,
make sure you’re using up-to-date tools and solutions to protect PII. This includes your:
• Email service
• Antivirus and anti-malware software
• Customer management tools
• Information security management software

7) Update Your Security Policies


With the rollout of enhanced data privacy laws, your policies may need a review. Take a
moment to review the foundation for protecting PII: your internal security policies. Policies
that include best-practice security controls, from trusted frameworks like SOC 2 or CIS, help
ensure that the information you store and process stays safe.
These policies also create a structure for your employee awareness training around the
collection, storage, encryption, de-identification, and deletion of PII.
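Steps 1, 4 and 5 above describe an inventory of the PII you hold, a clean-up of records you no longer need, and a classification by confidentiality impact. The following Python script is an added example, not part of the assignment or of the source it draws on: the sample records, the detection patterns, the tier labels and the retention rules are all constructed assumptions, and a real inventory would run a proper data-discovery tool over the actual data stores rather than a handful of regular expressions.

```python
"""PII inventory, confidentiality classification and retention check.

Added example, not from the assignment or its sources. The sample records,
detection patterns, tier labels and retention rules are constructed
assumptions chosen to mirror steps 1, 4 and 5 of the answer above.
"""
import re
from datetime import date, timedelta

# Step 1: value patterns used to detect PII in string fields (assumed, simplified).
PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "card": re.compile(r"^\d{13,19}$"),
}
# Free-text fields whose name alone tells us they hold PII.
NAMED_PII = {"name", "address"}

# Step 5: confidentiality tier per PII kind (assumed scheme; 3 = highest impact).
TIERS = {"email": 1, "name": 2, "address": 2, "ssn": 3, "card": 3}

# Reference date for the retention rules (constructed).
TODAY = date(2023, 1, 1)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a random numeric id is not flagged as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value: str):
    """Return the PII kind a single value looks like, or None."""
    for kind, pattern in PATTERNS.items():
        if pattern.match(value):
            if kind == "card" and not luhn_ok(value):
                continue
            return kind
    return None


def inventory(records):
    """Step 1: map each field name to the kind of PII found in it."""
    found = {}
    for rec in records:
        for field, value in rec.items():
            if field in NAMED_PII:
                found[field] = field
            elif isinstance(value, str):
                kind = classify_value(value)
                if kind:
                    found[field] = kind
    return found


def record_tier(rec, found):
    """Step 5: highest confidentiality tier among the PII fields a record carries."""
    return max((TIERS[found[f]] for f in rec if f in found), default=0)


def retention_flags(records, today):
    """Step 4: records that the assumed retention rules say should be deleted."""
    flagged = []
    for rec in records:
        reasons = []
        if rec.get("deletion_requested"):
            reasons.append("subject requested deletion")
        if rec.get("relationship_ended"):
            reasons.append("customer relationship ended")
        left = rec.get("employee_left_on")
        if left and today - left > timedelta(days=365):
            reasons.append("former employee, left more than a year ago")
        if reasons:
            flagged.append((rec["id"], reasons))
    return flagged


# Constructed sample records (not real people); the card number is a well-known test value.
SAMPLE = [
    {"id": 1, "name": "A. Example", "email": "a@example.com", "card": "4111111111111111"},
    {"id": 2, "name": "B. Example", "email": "b@example.com", "ssn": "123-45-6789",
     "relationship_ended": True},
    {"id": 3, "name": "C. Example", "email": "c@example.com", "employee_left_on": date(2021, 1, 15)},
    {"id": 4, "name": "D. Example", "email": "d@example.com", "deletion_requested": True},
]

if __name__ == "__main__":
    found = inventory(SAMPLE)
    print("PII fields:", found)
    for rec in SAMPLE:
        print(f"record {rec['id']}: tier {record_tier(rec, found)}")
    print("delete:", retention_flags(SAMPLE, TODAY))
```

The tier of a record is driven by its most sensitive field, which is why record 1 (card number) lands in the top tier while record 4 (name and email only) does not; the retention pass flags three of the four sample records for deletion, each with the reason that a reviewer would need to see before the data is actually removed.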

2. If you have customers in Europe, what additional steps will you need to take to become
compliant with GDPR?
Remember that GDPR fines reach 4 per cent of global revenue.
11 things you must do now for GDPR compliance
1) Raise awareness across your business
The ICO urges businesses to start planning for GDPR as soon as possible, so you have time to
address budgetary, IT, personnel, governance and communications implications.
Key people and decision-makers need to be aware of the new legislation, so they can
understand the potential impact and identify areas that require attention for compliance.
Start by looking at your risk register, if you have one.

2) Audit all personal data


Document what personal data you hold, where it came from and who you share it with.
The GDPR updates rights for a networked world. It makes organizations responsible for
proving they comply with the data protection principles, for example by having effective
policies and procedures in place.
For example, if you become aware that you’ve shared inaccurate personal data with other
organizations, it is your responsibility to inform the other organization about this inaccuracy
so it, too, can correct its own records.

3) Update your privacy notice


When you collect personal data, you probably use a privacy notice containing DPA-compliant
information such as your identity and how you intend to use their information. Under the
new regulations, you’ll have to tell people some additional things compared to the DPA. For
example, you’ll need to explain:
• your legal basis for processing the data
• your data retention periods
• their right to complain to the ICO if they think there’s a problem with how you’re handling their data
So, you’ll need to review your current privacy notices and put a plan in place to make any
necessary changes by May 2015.
4) Review your procedures supporting individuals’ rights
The new legislation covers the same principles as the DPA, but with significant
enhancements. The key thing here is to make sure you have the procedures in place so you
can comply with, for example, an individual’s request to provide them with the data you
have on them electronically and in a commonly used format.

The main rights for individuals under the GDPR are to:
• allow subject access
• have inaccuracies corrected
• have information erased
• prevent direct marketing
• prevent automated decision-making and profiling
• allow data portability (as per the paragraph above)

5) Review your procedures supporting subject access requests


Depending on the type and size of organizations, subject access requests could generate a
logistical/administrative headache for many businesses.
Under the new rules, you are unlikely to be able to charge for complying with requests, and
will have just a month to comply, rather than the current 40 days. There are also different
grounds for refusing to comply with a subject access request, and if you refuse a request you
need to have policies and procedures in place to demonstrate why the request meets these
criteria.
You may want to consider conducting a cost/benefit analysis for providing online access to
individuals.

6) Identify and document your legal basis for processing personal data
Under the GDPR, some individuals’ rights will be modified, depending on your legal basis for
processing their personal data. For example, they could have their data deleted where you
use consent as your legal basis for processing. So you need to understand the various types
of data processing you carry out, identify your legal basis for carrying it out and document it.

7) Review how you seek, obtain and record consent


If you rely on individuals’ consent to process their data, make sure it meets the standards
required by the GDPR. If not, alter your consent mechanisms or find an alternative to
consent. The GDPR is clear that data controllers must be able to demonstrate that consent
was given. So you may need to review the systems you have for recording consent and
ensure you have an effective audit trail.

8) Review the data you hold on to children


For the first time, the GDPR will bring in special protection for children’s personal data. So, if
your organization collects information about children under the age of 13, you will need
parental/guardian consent to process their data lawfully.

9) Establish procedures to detect, report and investigate a personal data breach


The GDPR requires that all organizations notify the ICO of all data breaches where the
individual is likely to suffer some form of damage, such as through identity theft or a
confidentiality breach. So, you need to set up processes to detect, report and investigate
breaches.
Note that failure to report a breach could result in a fine, as well as a fine for the breach
itself.

10) Review your processes around Data Privacy Impact Assessments (DPIAs)
You may be required to carry out a privacy impact assessment (PIA) in a high-risk situation
such as a new technology deployment, or where operations are likely to significantly affect
individuals.
To prepare for such an eventuality, the ICO recommends you familiarize yourself with their
PIA Code of Practice so you can work out how best to implement DPIAs in your organization.
Think about where it might be necessary to conduct a DPIA in your organization. Who will do
it? Who else needs to be involved? Should the process be run centrally or locally?

11) Appoint a Data Protection Officer (DPO)


If your organization employs 250 or more people, is a public authority or is involved in the
regular and systematic monitoring of data subjects on a large scale, you should appoint a
data protection officer. The DPO should take proper responsibility for data protection
compliance and have the knowledge, support, and authority to do so effectively.
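Step 7 asks for an audit trail that lets you demonstrate consent was given, and step 5 sets a one-month deadline for answering subject access requests. The following Python code is an added example, not from the assignment or the ICO guidance it summarises: the hash-chained ledger is one assumed way to make the consent record tamper-evident, `sar_due_date()` is an assumed helper for the one-month rule, and the subjects, purposes and timestamps are constructed sample data.

```python
"""Tamper-evident consent ledger and subject-access-request deadline.

Added example, not from the assignment or the ICO guidance it summarises.
The hash-chained ledger is one assumed way to get the audit trail for consent
that step 7 asks for; sar_due_date() applies the one-month deadline in step 5.
Subjects, purposes and timestamps are constructed sample data.
"""
import calendar
import hashlib
import json
from datetime import date

GENESIS = "0" * 64  # previous-hash value for the first entry

# Constructed receipt dates used to illustrate the one-month deadline.
SAMPLE_SAR_RECEIVED = date(2023, 1, 31)
SAMPLE_SAR_DECEMBER = date(2023, 12, 15)


class ConsentLedger:
    """Append-only log; each entry's hash covers the previous entry's hash,
    so editing or deleting any past entry is detected by verify()."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry, prev_hash):
        body = json.dumps(entry, sort_keys=True) + prev_hash
        return hashlib.sha256(body.encode("utf-8")).hexdigest()

    def record(self, subject_id, purpose, given, source, when):
        """Append one consent decision (given=True) or withdrawal (given=False)."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"subject": subject_id, "purpose": purpose, "given": given,
                 "source": source, "when": when}
        self.entries.append({"entry": entry, "prev": prev,
                             "hash": self._digest(entry, prev)})

    def verify(self):
        """True if every link in the chain still matches its stored hash."""
        prev = GENESIS
        for row in self.entries:
            if row["prev"] != prev or row["hash"] != self._digest(row["entry"], prev):
                return False
            prev = row["hash"]
        return True

    def current_consent(self, subject_id, purpose):
        """Latest recorded decision for this subject and purpose; None if never asked."""
        state = None
        for row in self.entries:
            e = row["entry"]
            if e["subject"] == subject_id and e["purpose"] == purpose:
                state = e["given"]
        return state

    def evidence(self, subject_id, purpose):
        """The entries you would produce to demonstrate how consent was obtained."""
        return [row["entry"] for row in self.entries
                if row["entry"]["subject"] == subject_id
                and row["entry"]["purpose"] == purpose]


def sar_due_date(received):
    """Response deadline one calendar month after receipt, clamped to month end."""
    month = received.month % 12 + 1
    year = received.year + received.month // 12
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def build_sample():
    """Constructed history: one subject consents then withdraws, another consents."""
    ledger = ConsentLedger()
    ledger.record("subj-001", "marketing_email", True, "signup form v3", "2023-03-01T10:00:00Z")
    ledger.record("subj-002", "marketing_email", True, "signup form v3", "2023-03-02T09:30:00Z")
    ledger.record("subj-001", "marketing_email", False, "unsubscribe link", "2023-04-01T08:15:00Z")
    return ledger


def tamper_detected(ledger):
    """Flip the first decision in place, as an unauthorised edit would, and check the chain."""
    ledger.entries[0]["entry"]["given"] = not ledger.entries[0]["entry"]["given"]
    return not ledger.verify()


if __name__ == "__main__":
    ledger = build_sample()
    print("chain intact:", ledger.verify())
    print("subj-001 marketing consent:", ledger.current_consent("subj-001", "marketing_email"))
    print("evidence entries:", len(ledger.evidence("subj-001", "marketing_email")))
    print("SAR received 31 Jan 2023 is due:", sar_due_date(SAMPLE_SAR_RECEIVED))
    print("tamper detected:", tamper_detected(ledger))
```

Because a withdrawal is appended rather than overwriting the original grant, the ledger keeps both the evidence that consent was once given and the evidence that it was later withdrawn; in production the chain head would be written to a store the application cannot modify (or countersigned) so that the whole ledger cannot simply be rebuilt.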

3. If your organization does not have a privacy officer, whom can you consult for questions
related to privacy and data protection laws?
There are global firms that can provide advice spanning multiple jurisdictions.
If my organization does not have a Privacy Officer, then I can consult the Data Protection
Officer for questions related to privacy and data protection laws.
A data protection officer is responsible for managing and organizing the implementation of a
data protection strategy within a business. Their role is essential, as they ensure that an
organization complies with all GDPR requirements. As they create, update, and maintain a data
protection strategy, they protect both their company and its customers from privacy breaches,
fraud, and security threats.
Data protection officers report directly to senior management and should be granted full
independence to perform their tasks. They should be involved in all issues that relate to the
protection of personal data. It’s the responsibility of senior management to ensure that their
DPO is sufficiently resourced to perform all of their tasks in line with GDPR compliance.
Additionally, they should never be penalized for performing their duties.

4. When was the last time you reviewed an important internal report and realized the
terminology used was unclear or the data was inaccurate?
What steps did you take to address the problem?
Perhaps you want to initiate an internal reporting governance programme.
The following four key steps can point your company in the right direction.
• Admit you have a data quality problem.
Just like any twelve-step program, admitting the problem is key. From there, follow the next
three steps for data improvement.
• Focus on the data you expose to customers, regulators, and others outside your
organization.
Take a careful look at your system of controls. Is it up to snuff? Make sure not only that
the right controls are in place, but that you’re actually using them. Every time.
• Define and implement an advanced data quality program.
Making sure data leaves the door correctly may be a viable short-term alternative, but there
is already too much data, and the quantities are growing. Just as manufacturers found that
they had to “prevent errors at their sources,” so too with data. You need a quality program
that does so.
• Take a hard look at the way you treat data more generally.
Almost everyone readily acknowledges that “data are among our most important assets.”
But they don’t manage them that way. Indeed, data are almost invisible. And the top person
responsible for data may be an architect buried deep in the bowels of IT. If this description
rings true, you need to get an aggressive data program, with real talent, budget, and teeth in
place.
