Digital Operational Resilience Act
The Trust Challenge

Key obligations and consequences

The DORA prescribed some stricter requirements compared to the existing state privacy laws. In particular, it requires the following:

Entities must implement and maintain an effective and comprehensive ICT risk management framework, including policies, procedures and measures to identify, protect, detect, respond and recover from ICT-related incidents.

Financial entities are required to establish and maintain mechanisms for the timely detection and reporting of significant ICT-related incidents to relevant authorities.

Financial entities must regularly test their digital resilience capabilities through various means, including threat-led penetration testing, to identify vulnerabilities and address them proactively.

Entities must manage and monitor the ICT risks stemming from their reliance on third-party service providers, including cloud computing services, ensuring that these relationships do not undermine their digital operational resilience.

The framework encourages financial entities to share information related to cyber threats and vulnerabilities to enhance collective defense mechanisms and resilience across the financial sector.

DORA introduces a framework for the oversight of critical ICT third-party service providers to the financial sector, aiming to mitigate systemic risk and ensure the stability of the financial system.

DORA establishes mechanisms for supervisory oversight, compliance and enforcement, including the potential for sanctions in cases of non-compliance with the regulation’s requirements.

The Trust Challenge

Key Challenges in brief:

  • The existing regulatory environment for banks includes requirements such as the European Banking Authority guidelines on outsourcing, ICT and security risk management. Additionally the European Securities and Markets Authority guidelines on outsourcing to cloud service providers.
  • As far as insurance companies are concerned, several texts mirror those impacting banks, with, for example, the European Insurance and Occupational.
  • Pensions Authority guidelines on outsourcing to cloud service providers. So many topics related to risk management and digital operational.

Another significant challenge lies in enhancing third-party risk management. Many large financial institutions rely on numerous third-party providers, making it crucial to priorities and focus on the most critical ones. While current practices may already integrate some requirements, DORA regulation demands a more comprehensive approach. Financial services must ensure that their suppliers comply with the regulation’s operational resilience requirements. This includes working on potential exit strategies and conducting joint testing when relevant. Embracing this shift in approach may redefine how businesses interact with their suppliers, demanding a proactive operational resilience risk management strategy from all involved parties.

Testing is a crucial aspect of DORA compliance. Organizations need to structure and regularly test their resilience strategies to assess risks and the effectiveness of their resilience measures. Developing a strategic vision for testing is essential, as current tests are often managed in silos, focusing on specific areas such as vulnerability, penetration, or business continuity. To meet DORA requirements, organizations must ensure proper coverage of critical functions over the years within their testing approach. Moreover, DORA regulation mandates conducting threat-led penetration tests in live production at least once every three years, including with ICT third-party providers.

One of the core pillars of DORA is the establishment of robust risk management frameworks. Financial institutions must identify, assess, and mitigate operational risks effectively. This includes integrating cybersecurity measures, developing incident response plans, and regularly testing resilience strategies. While some organizations may already have existing risk management frameworks in place, aligning them with DORA’s requirements and ensuring consistency across the organization may pose a challenge. It is crucial to review and enhance existing frameworks to meet the specific demands of DORA.

DORA mandates timely and transparent reporting of significant incidents to the relevant authorities. This reporting approach is vital for maintaining transparency, facilitating coordinated responses, and allowing for swift intervention in potential crises. Financial institutions must establish robust reporting mechanisms and processes to ensure compliance with the regulation’s requirements. This involves the development of clear incident reporting procedures and the implementation of systems that enable accurate and timely reporting.

DORA emphasizes the importance of collaboration and information sharing within the financial sector. Financial institutions are encouraged to collaborate with industry peers, industry associations, forums, and other relevant stakeholders. By sharing insights, best practices, and lessons learned, organizations can collectively navigate the challenges of DORA compliance. This collaboration also helps advocate for responsible and effective implementation of DORA, fostering a unified and resilient European financial landscape.

To ensure a smooth and successful DORA compliance journey, organizations must develop a detailed compliance roadmap. This roadmap should outline the necessary steps, timelines, responsibilities, and milestones for achieving compliance. By clearly defining these aspects, organizations can track progress effectively and mitigate any potential compliance gaps. The compliance roadmap serves as a guiding document for the entire organization, ensuring a systematic and structured approach to DORA compliance.

DORA compliance is not a one-time effort but an ongoing commitment. Organizations must implement a robust monitoring system to track ongoing compliance and performance. Regular assessments should be conducted to evaluate the effectiveness of DORA compliance efforts and identify areas for improvement. By continuously monitoring and improving compliance measures, organizations can ensure continued alignment with evolving regulatory requirements.

Win-Win Situation

Our Solutions

TurtleShield PA (Privacy Automation) automates and streamline privacy-related processes and tasks. PIAs and DPIAs aim to enhance privacy practices, ensure compliance with applicable privacy laws and regulations, and protect sensitive information. Overall, a privacy automation solution simplifies and streamlines privacy management processes, reducing the risk of non-compliance and improving data protection practices.

Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. TurtleShield DI (Data Inventory) enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.

Often there are silos within entities or business and IT teams and it is challenging to get a full picture of data going outside organization and which is coming into organization, especially when data is shared with third parties, vendors, business partners and much more. Our TurtleShield PI (Privacy Intelligence) creates a data map based on your “data sharing”, to facilitate you to take action on it.

TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to data minimization principle. This is data hygiene control and we are approaching it from a risk reduction and compliance perspective. We scan large data sets to scan for excess data using Machine Learning and find out excess data including personal data. This can eliminate operational inefficiencies and save cost by removing the unwanted data and legal cost of having it with respect to regulatory compliance.

TurtleShield (Right to Erasure with Assured Deletion) provides the businesses the capabilities to comply with mandatory deletion of personal data by providing the capabilities to delete the data on request along with the validation of the deletion.

Search capability in large datasets to fulfill data subject requests in totality and at rapid space. Assumption that data only exists in databases and nowhere else is often not reality as customer data exists in many sources. Using Machine learning and AI we crawl across data sources and predict where PII can exist.

TurtleShield CM is the solution designed to help in enabling consent compliance within your organization involves implementing processes, technologies, and policies that ensure you collect and manage user consent in a way that aligns with applicable data protection regulations and industry best practices. It also helps in enabling consent management in 22 regional languages.

The Trust Challenge

Key Obligations & Consequences

The APRA prescribed some stricter requirements compared to the existing state privacy laws. In particular, it requires the following:

Pointer

Executive Accountability:

The ARPA requires a designated data privacy or security officer, but doesn’t need to be a standalone position or new hire.

Pointer

Data Transparency:

Privacy policies must encompass precise details, such as the types of data collected, processed, or stored; the objectives behind data processing; duration of data retention; security measures employed; enumeration of third parties involved; and disclosure of any data broker transactions. Additionally, these policies must elucidate procedures for consumers to assert their rights. Noteworthy alterations to the privacy policy necessitate prior notification and avenues for opting out.

Pointer

Data Minimization:

There's a strong focus on data minimization, limiting the collection and utilization of data to essential and restricted purposes, with particular attention and consent required for biometric and genetic information.

Pointer

Data Security & Protection

APRA requires organizations to establish data security standards that are appropriate for the company’s size, the nature and scope of data management, the volume and sensitivity of data, and the technologies used to safeguard data. Organizations must also mitigate risks and assess vulnerabilities to consumer data.

Pointer

Private Right of Action:

The APRA has introduced a private right of action. The private right of action will allow consumers to file lawsuits and seek compensation against companies that fulfill data privacy rights such as data deletion requests or use personal data without consent.

The Trust Challenge

Key Challenges in brief

The following are the issues created by APRA law that the majority of organizations face:

Pointer

Operational Challenges

  • Data Inventory and Mapping: Organizations must have a comprehensive understanding of what personal data they collect, how it is used, where it is stored, and with whom it is shared. This requires extensive data mapping and regular updates.
  • Policy and Procedure Development: Companies need to develop and implement new privacy policies and procedures to comply with APRA requirements. This includes updating employee handbooks, training materials, and internal documentation.
  • Employee Training: Effective training programs are necessary to ensure that employees understand APRA requirements and their responsibilities under the law. This includes both initial training and ongoing education.
Pointer

Technical Challenges

  • Data Security Measures: Enhancing data security measures to protect personal data from breaches and unauthorized access is critical. This includes implementing advanced encryption, secure access controls, and regular security audits.
  • Data Access and Portability: Ensuring that systems are in place to allow individuals to access their data and request its portability in a user-friendly manner.
  • Data Deletion and Retention: Establishing robust processes for data deletion and ensuring compliance with retention policies that meet APRA standards can be complex and resource-intensive.
Pointer

Legal Challenges

  • Compliance and Monitoring: Organizations need to continuously monitor their compliance with APRA, which involves staying up-to-date with any amendments or new interpretations of the law.
  • Cross-Border Data Transfers: Navigating the legal complexities of transferring personal data across borders, especially if international operations are involved, while ensuring compliance with both APRA and other jurisdictions’ privacy laws.
  • Handling Data Subject Requests: Efficiently managing and responding to data subject access requests (DSARs) within the mandated timeframes, and ensuring that responses are comprehensive and accurate.
Pointer

Strategic Challenges

  • Risk Management: Identifying and mitigating privacy risks is a strategic necessity. This involves regular risk assessments and the development of strategies to manage potential breaches or compliance failures.
  • Integration with Existing Frameworks: Ensuring that APRA compliance efforts are integrated with existing privacy frameworks, such as GDPR or CCPA, to avoid duplication of efforts and streamline processes.
  • Stakeholder Engagement: Engaging with various stakeholders, including customers, employees, regulators, and third-party vendors, to ensure transparency and foster trust in how personal data is managed.
Win-Win Situation

Solutions

Pointer

Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments.
TurtleShield DI (Data Inventory) enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.

Pointer

Third party Privacy Intelligence (monitors third party sharing): Often there are silos within entities or business and IT teams and it is challenging to get a full picture of data going outside organization and which is coming into organization, especially when data is shared with third parties, vendors, business partners and much more. Our TurtleShield PI (Privacy Intelligence) creates a data map based on your “data sharing”, to facilitate you to take action on it.

Pointer

Data Minimization: TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to data minimization principle. This is data hygiene control and we are approaching it from a risk reduction and compliance perspective. We scan large data sets to scan for excess data using Machine Learning and find out excess data including personal data. This can eliminate operational inefficiencies and save cost by removing the unwanted data and legal cost of having it with respect to regulatory compliance.

Pointer

Right to be Forgotten (RTBF) with Assured Deletion: With TurtleShield RTBF (Right to Be Forgotten) provides the businesses the capabilities to comply with mandatory deletion of personal data by providing the capabilities to delete the data on request along with the validation of the deletion.

Pointer

Enable Data subject rights with cost savings and compliance in totality: Search capability in large datasets to fulfill data subject requests in totality and at rapid space. Assumption that data only exists in databases and nowhere else is often not reality as customer data exists in many sources. Using Machine learning and AI we crawl across data sources and predict where PII can exist.

Featured News, Blogs

Ardent Privacy @ Infosecurity Europe 2024: Security for AI or AI for security?
The 7 principles of Privacy by Design
The Florida Digital Bill of Rights (FDBR): Navigating the New Frontier of Data Privacy

Be the first to catch our latest updates,
happenings and more.

Follow us