How to Get Data Protection Right

1. How to Get Data Protection Right
John Ghent
CEO, Sytorus

2. Agenda
• General Data Protection Regulation (GDPR)
• What is it?
• How it effects you?
• The plan
• What do I need to do?
• How do I prepare?

3. Data is the new oil

4. 1956

6. What’s next?

7. It’s not going to slow down...

9. GDPR

10. 1. Acquire
2. Purpose
3. Minimise
4. Quality
5. Retention

11. 1. Acquire
2. Purpose
3. Minimise
4. Quality
5. Retention
6. Secure

12. 1. Acquire
2. Purpose
3. Minimise
4. Quality
5. Retention
6. Secure
7. Accountable

14. Demonstrate
compliance
Mandatory
logs
Privacy by
design
Privacy by
default
Privacy Impact
Assessment
Data
Protection
Officer

16. 16
© Sytorus Ltd.
Components of a plan

17. What does a good plan look like
▪ Company structure
▪ DPO
▪ DP Champions
▪ Tools
▪ Platform
▪ Demonstrate compliance
▪ Establish a baseline
▪ What are my risks?
▪ Training
▪ DPO
▪ Onsite
▪ Online
17
© Sytorus Ltd.

18. Logging of Processing Activities
(Article 30)
18
© Sytorus Ltd.
That record should contain, for
example,
▪ The name and contact
details of the Controller
▪ The purposes of the
processing
▪ A description of the
categories of Data Subjects
▪ The categories of recipients
▪ Transfers of personal data to
a third

19. Risk Rating
19
© Sytorus Ltd.
Score Likelihood Impact
1 Never happened
and unlikely to ever
happen
Low to no DP related impact (brand, operational,
commercial)
2 Has happened but
very rarely
Minor Impact, easily resolved
3 Happens from time
to time
Significant impact to company brand and could trigger a
user complaint or investigation.
4 Happens frequently
but not
continuously
May trigger a breach notification process and damaging to
company brand, could result in penalties and likely an
investigation
5 Happening
continuously
Should trigger a breach notification process and severely
damaging to company brand. Will trigger an investigation
from the and likely fines.

20. Demonstrate Compliance
20
© Sytorus Ltd.
▪ Processing Activity Log
▪ Risk Log & proof of mitigation (for example, training)
▪ Incident log
▪ Breach log
▪ Privacy Impact Assessment
▪ Subject Access Request Log

21. Thanks You
Questions?
21
© Sytorus Ltd.

22. Appendix - Fines – Article 83
Category A
Administrative fines of up to €10 million, or up to
2% of the total worldwide annual turnover of the
preceding financial year (whichever is higher) for
infringements relating to:
Article 8 - Conditions applicable to child's consent in
relation to information society services
Article 11 - Processing not requiring identification
Article 25 - Data protection by design and by default
Article 26 - Joint controllers
Article 27 - Representatives of controllers not established
in the Union
Article 28 - Failure to have a Processor contract in place
Article 29 - Processing under the authority of the
controller and processor
Article 30 - Failure to log data processing activities
22
© Sytorus Ltd.
Article 31 - Failure to co-operate with the supervisory
authority
Article 32 - Failure to ensure the security of processing
or integrity of the personal data
Article 33 - Failure to notify a personal data breach to the
Supervisory Authority
Article 34 - Communication of a personal data breach to the data
subject
Article 35 - Failure to conduct an impact assessment
Article 36 - Failure to conduct prior consultation with the
supervisory authority
Article 37 - Failure to designate a data protection officer if
required to do so
Article 38 - Position of the data protection officer
Article 39 - Tasks of the data protection officer
Article 42 - Failure to abide by standards relevant to formal
Certification
Article 43 - Failure to abide by requirements of approved
Certification bodies

23. Appendix - Fines – Article 83
Category B
Administrative Fines of up to €20 million, or up to 4%
of the total worldwide annual turnover of the
preceding financial year (whichever is higher) for
infringements relating to:
Article 5 - Principles relating to the processing of personal data
Article 6 - Lawfulness of processing
Article 7 - Conditions for consent
Article 9 - Processing of special categories of personal data
Article 12 - Transparent information, communication and
modalities for exercising the rights of the data subject
Article 13 - Information to be provided where personal data are
collected from the data subject
Article 14 - Information to be provided where personal data
have not been obtained from the data subject
Article 15 - Right of access by the data subject
Article 16 - Right to rectification
Article 17 - Right to erasure (‘right to be forgotten’)
Article 18 - Right to restriction of processing
23
© Sytorus Ltd.
Article 19 - Notification obligation regarding rectification
or erasure of personal data or restriction of processing
Article 20 - Right to data portability
Article 21 - Right to object
Article 22 - Automated individual decision making,
including profiling
Article 44 - General principle for transfers
Article 45 - Transfers on the basis of an adequacy decision
Article 46 - Transfers subject to appropriate safeguards
Article 47 - Binding corporate rules
Article 48 - Transfers or disclosures not authorised by
Union law
Article 49 - Derogations for specific situations
Article 85 - Processing and freedom of expression and
information
Article 86 - Processing and public access to official
documents
Article 87 - Processing of the national identification
number
Article 88 - Processing in the context of employment
Article 89 - Safeguards and derogations relating to
processing for archiving purposes in the public interest,
scientific or historical research purposes or statistical
purposes
Article 90 - Obligations of secrecy
Article 91 - Existing data protection rules of churches and
religious associations