Poonam Gangawane: Operational Risk Consultant in Waldwick, NJ

to ensure CCPA and GDPR compliance standards are met across the organization • Worked on processing GDPR and CCPA consumer requests • Worked with the procurement team, Vendor Management and Compliance departments to ensure that third-party suppliers' contracts and operating-level agreements meet domestic and international privacy requirements • Established data standards and processes/workflows, provided recommendations for privacy and data governance programs, processes, and controls and supported data governance playbook development • Enhanced organization's privacy program by reviewing organization's policies, standards, and procedures (DPIA, ROPA, Data Collection, Retention and Erasure, Privacy Vendor Risk Management, DSAR, Privacy by Design and Default, Personal Data Breach) documents and updating them by incorporating changes • Assisted with design and implementation of privacy and data governance program, processes, and controls • Executed DPIA process and workflow for new business processes, new or updated software projects, including supporting business partners to complete the pre-questionnaire and the DPIA itself, analyzed responses and took appropriate actions to ensure appropriate documentation is completed

worked on Privacy by Design (PbD) implementation project. • Supported the privacy team in building and maintaining the Privacy by Design (PbD) program throughout BMS • Analyzed business initiatives, including new products, processes, and vendor relationships using Data Protection Impact Assessments and other tools to determine whether they create privacy risk and comply with privacy policies and processes • Aligned products and solutions with PbD principles from the first stages of development and ensure that the data use meets established regulatory compliance needs • Exercised sound judgment to effectively assess and balance risk in the provision of advice to the business

assisted to implement, maintain and monitor the Privacy Management Program that covered all countries in which the enterprise operates. • Reviewed and updated policies and procedures for customers, employees and vendors ensuring alignment with the implementation of personal data processing activities • Maintained an inventory of all personal data stored and data processing activities, including how and why the company collects, shares and uses personal data • Worked with the Contracts, Vendor Management and Compliance departments to ensure that third-party suppliers' contracts and operating-level agreements meet international privacy requirements • Provided support for communications with regulatory authorities and the public concerning privacy issues, including processing data subjects' requests and determined the enterprise's specific privacy-related requirements and potential vulnerabilities • Managed the privacy impact assessment process, in close collaboration with business stakeholders. Conducted regular privacy policy compliance assessments to ensure that business units, technology teams and third-party service providers adhere to the program requirements, and address privacy concerns • Collaborated with business units and technology areas to develop corrective action plans for identified privacy compliance issues

led business initiatives to reduced California Consumer Privacy Act (CCPA) risk by identifying and documenting privacy gaps, presenting them to senior management and leading remediation efforts. • Identified privacy gaps by creating risk assessment questionnaire, gathering information via interviews and reviewing all business processes and applications for Financial Information Systems group • Performed privacy reviews and created data maps for high priority processes and ensured compliance to internal procedures and CCPA risk recommendations • Presented review findings and recommendations to senior leadership and gained funding/approval for remediation • Led business efforts in vendor selection for Data mapping tool and Data Subject Request tool • Developed and maintained relationships with stakeholders of the privacy review process (e.g. attorneys, product owners, engineers), ensuring necessary information is provided and reviews are conducted on a timely basis

reduced privacy risk by conducting risk assessment, testing existing controls and making recommendations to improve privacy framework. • Reviewed third party contracts and privacy addendums to ensure compliance to internal policies and prevailing privacy regulations • Created data inventory, performed data mapping and gap analysis on business processes and applications • Maintained and updated enterprise-wide data mapping of personal information as needed • Facilitated global privacy reviews at scale by analyzing data operations in all parts of the company by creating new or using existing data flow diagrams to ensure a thorough understanding of all parties involved in the process as to how data flows • Reduced remediation cost by implementing privacy-by-design principles and by working closely with new product development team to create privacy awareness

led multiple initiatives to enhance KPMG's global privacy program by conducting privacy risk assessments, privacy trainings and collaborating with National Information Technology and Security Officers (NITSOs) on privacy best practices and trends globally. • Conducted PIAs (Privacy Impact Assessments) and DPIAs (Data Protection Impact Assessments) to identify privacy risk in compliance with organization's internal policies and prevailing privacy regulations • Enhanced KPMG privacy program and risk mitigation strategy by providing SME support on topics like confidentiality, cross border data flows and protecting intellectual capital • Enhanced privacy knowledge across KPMG National Information Technology and Security Officers (NITSOs) globally by hosting monthly privacy call on key risks, trends, and best practices • Ensured compliance to policy and procedures by conducting privacy trainings, performing content management, and tracking monthly completions • Liaised with IT, Security, Product, Operations and Data teams to identify, track and provide remediation guidance on new and outstanding issues

worked on GDPR implementation project to perform business process assessments and application assessments. Partnered with the business to support their efforts in defining, designing, developing, and implementing GDPR project. • Conducted privacy risk assessments by coordinated with multiple participants globally including business leadership/stakeholders, attorneys, subject matter experts, 3rd party vendors, IT project managers, IT application owners, technical/development leads to understand business processes and creating privacy risk awareness • Performed data analysis and data validation by creating SQL queries and pivot tables. • Created test cases for manual and automated testing, validating business rules and obtain user approval/sign-off.

led business efforts to synthesize complex information and worked closely with partners in Information Technology, Acquisition, Risk, Legal, Compliance and Technology to support business growth while enhancing organization's privacy program. • Led Project Management Office (PMO) in agile environment to develop project plans and execution strategy for information management projects resulting in improved compliance to privacy regulations, internal policies and contractual requirements • Developed and managed detailed project plans to include resources, tasks, requirements, milestones, and review points. Created Project kick-off presentations and conducted JAD sessions periodically with various Subject Matter Experts at various phases of the Development Life Cycle to discuss and resolve open issues • Formulated and defined system scope and objectives by thoroughly understanding business processes

led execution of key Privacy initiatives like Data Retention and Online Privacy Statement update to improve compliance and adherence to privacy policies and regulations. • Liaised with multidisciplinary teams such as Data Privacy Operations, Privacy Office, GCO (General Counsel Office), CA&C (Corporate Affairs & Communications), Technology and Market Compliance Office (MCO) to identify and escalate emerging regulatory risk and develop mitigating controls • Led PMO (Project Management Office) for Network Information Controls and Privacy group to coordinate with privacy teams across organization on managing the execution of key initiatives and developing a governance structure • Prepared and analyzed AS IS and TO BE in the existing architecture and performed Gap Analysis and created workflow scenarios, designed new process flows and documented the Business Process and various Business Scenarios and activities of the business from the conceptual to procedural level • Maintained and scaled documentation of privacy reviews, including data flow diagrams, assessment notes and outcomes, and inventory of systems • Conducted walkthroughs for High level requirements and Use Case Walk Through to discuss line areas on data, technology and application integration issues with the Business team, Architecture, Design team and development team