WIXLIB

The Inside Track: GDPR & Cyber SecurityALEX FLEMINGCountry Head and President of Staffing & SolutionsThe Adecco Group UK&IAdecco

The Inside Track: GDPR & Cyber SecurityAGENDA09:15 - 09:35GDPR – The Essential GuidePat Moran, Cyber Security & Data Privacy Leader, PwC Ireland9:35 – 09:50GDPR: An Adecco Group UK&I PerspectiveGavin Tagg, General Counsel and Head of Compliance, The Adecco Group UK&I09:50 – 10:10Cyber Security: Staying Safe from Cyber CrimePat Moran, Cyber Security & Data Privacy Leader, PwC Ireland10:10 onwardsQ&A#theinsidetrackAdecco

The Inside Track: GDPR & Cyber SecurityOur Aims: To give you an essential understanding of the key regulations, Cyber Security and its potentialimpact To give you high level pointers; but not to advise on your specific company policies or how toapproach implementation according to the regulations To provide you with the insight and relevant agenda items to help you make informeddecisions Chatham House rules applyAdecco

The Inside Track: GDPR & Cyber SecurityPat MoranCyber Security & Data Privacy LeaderPwC IrelandAdecco

AGENDA Data protection – Why do we need it ? Data breaches today GDPR pillars The essential guidePwC

Data Protection – Why do we now need it ? The increasing sophistication of IT. New developments in medical research and care, telecommunications, advancedtransportation systems and financial transfers have dramatically increased the level ofinformation generated by each individual. Key Questions for Privacy Concerns as a citizen / consumer : What information of mine is being collected? What are you using my information for? Where is my information being stored? Who has access to my information? Who is my information being shared with?PwC

Privacy Breach Examples Numerous cases have come to light recently of privacy rights violations, resulting in civil litigation consequences: Facebook : 87m users Tesco : 20,000 customers Equifax : 143M usersPwC

GDPR PillarsPwC

The GDPR’s Biggest Pain PointsBusinesses are seeing FIVE GDPR requirements in particular cause the biggest impact on their future business plans: Mandatory data inventorying and record keeping of all internal and third-party processing of European personal data Mandatory data-breach notification to regulators and individuals whose information is compromised following informationsecurity failures Comprehensive individual rights to access, correct, port, erase, and object to the processing of their data Routine data-protection impact assessments for technology and business change Mandatory data protection officers and an overall rethinking of privacy strategy, governance, and risk management.GDPR PillarsA new ‘Transparencyframework’PwCA new ‘ComplianceJourney’A new ‘PunishmentRegime’

Building a GDPR Compliance Roadmap7 November 2015PwC

The GDPR EssentialsGovernance& entoriesGDPRInformationSecurityData SubjectRightsDataRetentionPwCPrivacyNotices &Consents

GDPR Compliance RoadmapPwC

The Inside Track: GDPR & Cyber SecurityGAVIN TAGGGeneral Counsel and Head of ComplianceThe Adecco Group UK&IAdecco

Data Protection Programme – why are we doing it?MaturityBe a caringand trustedpartnerComplywith GDPRAdecco ishereApril 2017Adeccofollowing riskbased approachMay 2018Data Protection andPrivacy is a marketdifferentiator. It isembedded in ourbusiness2019 on .Year

Privacy Programme: Compliance, Position and Operating ModelHow compliant we want to be:What our position in privacy is:Triaged approach(in 2018)95% compliance(in 2020/2021)Cover the most materialrisks in line with industrypractice, whilst seeking toaddress the remaining assoon as practicable, butnot necessarily beforeMay 2018, using a riskbased approach.Positive affirmations ofcompliance, covering allareas of the new law for allcategories of Adeccopersonal data.Position reflects the mostcautious guidance in themarket.Privacy moving towardsexcellence in compliance(in 2018)Achieving excellence incompliance globally( 2020/2021)- Using privacy to “sell” Adecco toclients and candidates. Be andbehave as a trusted partner –linked to OGSM.- Senior management recognitionand buy-in on the importance ofprivacy, and support throughresources and finances.- Proactive interaction withregulators and forums –connected with ThoughtLeadership.- Significant candidate andclient awareness activitiesand significant eminenceactivities, includingsponsorship of events,articles and thought pieces.- Development and inputseals.- Maximizing and utilizingAdecco's data givingcandidates an “informationdashboard” to control thetypes of companies that cansee their information andupdate details in real-time.Centralized Privacy Operating ModelOne view of privacy compliance pushed to entire organization giving single direction of travelAdeccoPRIVILEGED & CONFIDENTIAL

Target Operating Model (TOM) – Framework OverviewIntroductionThe target operating model is the implementation of our strategy and will define the target structure of ourprivacy functions.The model will define what will be delivered in the future; how they will be delivered; who will be responsibleand/or interact with what is delivered; and how this will be governed.VisionWhat is the risk appetite? What is the scope? What is the culture/philosophy?As-IsVisionAs-IsOrder of approachDeep dive of the current state: who does what?Organisational PrinciplesOrganisational PrinciplesSet the overarching remit and understand constraints for the TOM.To-BeTo-Be: Service Catalogue, Key Processes, Governance Model- Define the teams, reporting lines and key roles Service catalogue: the detailed services and activities required; Key processes: required to manage privacy within the business; Governance: defining the forums/committees needed.Service CatalogueKey ProcessesGovernanceTransition PlanTransition PlanNext steps: roadmap of implementation.Adecco

Grey colouring refers toan organisational teamTo-Be:Group Structure and GovernanceBoard of Directors Meet periodically upon requestExecutive Committee Meet periodically upon requestPrivacy Steering Committee Meet on a monthly basis Called as required: CIO, CFO, CHRO, Chief AuditOfficer, and other functions as required, RegionalLeadsGreen colouringrefers to acommittee/forumData Breach Committee Meet ad-hocBoard of DirectorsPrivacy Steering CommitteeCEO, DPO, GCAs required: CIO, CFO, CHRO, Chief Audit Officer,other functions as required, Regional LeadsPeriodicinvites toexecutive/boardmeetingsExecutive CommitteeData BreachCommitteeIT SecurityGroupInternalAuditComplianceGroup Statutory DPOGlobal Head of ITSecurityPrivacy Championsin GlobalFunctions[Interact into LocalPrivacy Working Group(local version of GroupPrivacy Office) asrequired]AdeccoGroup Privacy Office**(i) The Group Privacy Office deals with IT and data protection matters;(ii) The Group Privacy Office provide a service for Group Functions (e.g.HR, Finance, Digital, etc.)DPO, CEO, CFO,CMO, CIO, Group ITSecurityand TeamCountry/Region/Global Business Line Local Privacy Lead****Local Privacy Lead reports solid line to Group Statutory DPO.

To Be:Local Country Governance StructureLocal Privacy Working GroupsGroup PrivacyOfficeLocal PrivacyLeadLocal Legal HeadPrivacy ChampionsGroup DPORep/Liaison(add definition)Periodic attendanceor as neededCountry/ Region/Business Executive*[Interact into LocalPrivacy Working Group(local version of GroupPrivacy Office) asrequired]Periodic invites to appropriateboards/ committees to provideData Privacy update, the locallegl head and other localfuncitons as required.Local Data BreachCommittee tted line: periodic engagement by invitation or whenurgent matters ariseSolid line: consistent engagementAdecco*The particular local committee/forum (e.g. Risk Co./Audit Co./ Exec Co.) is to be defined by the individualcountry/region/business leadLocalBusinessLinesPink colouringrefers functionalor businessrepresentativesGrey colouringrefers to anorganisationalteamGreencolouringrefers to acommittee/forum

Service Catalogue (15/16)Responsibility, Accountability, Consulted, Informed (RACI) MatrixCapability Area: Training and Awareness SDPFISCO12. TrainingandAwareness-12.1 Define minimumprivacy training materialsand computer basedtrainings per employeetype1000--------12.2 Deliver privacytraining materials andcomputer based trainings0100IIIIIIII12.3 Define and delivertailored trainings to specificfunctions processingpersonal data2080IIIIIIII12.4 Track trainingcompletion KPIs againstdefined target5050IIIIIIII12.5 Develop privacyawareness campaigns1000IIIIIIII12.6 Deliver privacyawareness campaigns0100IIIIIIIIStakeholder Abbr.ExplanationStakeholder Abbr.ExplanationAbbr.ExplanationGPOGroup Privacy OfficePProcurementRResponsible – Owns the activity and its completionLPLLocal Privacy LeadFFinanceAAccountable – Must sign off or approve the work before it is effectiveHRHuman ResourcesISIT SecurityCConsulted – Has information needed to complete the workSSalesCComplianceIInformed – Must be notified, but not consultedDDigitalOOther

Communication and Awareness GDPR Quiz viaTalking Point FAQs forConsultants (lateFeb)Desire Communicationsfrom Brand leadersPre-NOV Talking Point / Ourspace updates to create base-level awareness and ongoing sources oftruth/referenceAwareness Brand Representatives engage with project and cascade to their teamsAdeccoGDPR integration into PERFORM andConnect Implementation & legacysystems (pre-Connect)KnowledgeNOV/DEC Posteravailable onOurspaceclients availableon Ourspace5S Sustainability Camps &implementationAbility Updates toSMTs anddepartmentsJANReinforcement Connect GSCompliance MODIS: 5S(Q318)Sustainability Roevin: 5SCamps (Apr/May) Connect PSSustainabilityAPR/Camps (Mar)MAY compliance(H218)MAR Webinars / Drop-in Adecco: 5SFEBsurgeries (lateSustainability Camps(21-27 Jan) GDPR Flyer for Feb/Mar)Connect Immersion Days, Brandrepresentative engagement, SMTpresentation and updatesTalking Point, Our Space, HoldingStatement, FAQ’s, Quiz andCommunication

Key MessagesGET MAPPING NOW!KNOW YOUR DATASORT YOUR DATABE ACCOUNTABLEBE TRANSPARENTAdecco

The Inside Track: GDPR & Cyber SecurityPat MoranCyber Security & Data Privacy LeaderPwC IrelandAdecco

Cyber Security Overview Criminals are now focussing on technology rather than AK47s Technology is such an integral part of business that crimes committed through digital channels are creating fundamentalproblems, requiring specialist cybersecurity services to mitigate them. Cybercrimes such as the distribution of viruses, illegal downloads, phishing and theft of personal information are becomingincreasingly common. All cause economic loss and reputational damage. A cyber crisis can be one of the most challenging and complicated problems that any organisation will face. Companies need investigation and communication strategies, as well as forensic and analytical capabilities. A company’sreadiness to handle a cyber crisis can be a marker of its competitive advantage and ensure its survival.PwC

Threats, Hacking, Malware and Other Risks There has been an exponential increase in cyber attacks worldwide, forcing clients to address persistent attacks on their businessand customers. The threat landscape has changed over the years. With more sophisticated defences have come more sophisticated offences.The evolving threats are fuelled by:PwC Hackers and their motivations Hackers and their resources Hackers and their collaborations Hackers and their commitments

The Evolving ThreatPwC

Example of a Cyber Attack Ashley Madison Hack NSA Equation Group Hack by the ShadowBrokers Equifax Stuxnet WannaCry Randsomeware Petya Randsomeware Bad Rabbit US 2016 Presidential ElectionsPwC

Key Trends- GISS 2018PwC