Praticamente GDPR – Spike Reply
© CLUSIT 2017 – Praticamente GDPR

Agenda (Part 1)
• Do not call it a project!
• Top-5 priorities for getting ready
• Different points of view?
• 7 don’ts you should know
• Get the Board involved
Do not call it a project!
• By May 25 2018 you should have put in place a Privacy Management System to be compliant with GDPR and be able to show it.
• The complexity of the many requirements, the wide scope of application (data and applications), and the limited timeframe and resources available imply that sound Program Management is a key success factor.
Do not call it a project! cont’d
• Processes: Data Breach Notification, Privacy Impact Assessment, Information request handling, Privacy Audit, Privacy Training, Privacy by Design. These will be rolling activities whose effectiveness should be measurable, in order to assess the effectiveness of the whole Management System.
• Policies and Controls: Governance Framework, from guidelines to procedures to records to audit trails to organizational and technological measures.
• People: Beyond the DPO, where required, further roles are necessary in a company to distribute responsibilities. There is no one-model-fits-all; each company should evaluate the most appropriate privacy organizational model.
• A challenge is posed by the cultural change most companies will face during the set-up of the Privacy Management System: privacy and data protection are commonly perceived as a bureaucratic cost, and that perception will hinder the implementation of the GDPR Program.
Top-5 priorities for getting ready
«The will to succeed is important, but what’s more important is the will to prepare.»
Bobby Knight, American basketball coach

Define your priorities by answering the following questions:
1. Do I know my role – as Controller or Processor – for all the processing activities?
2. Does my current privacy organizational model fit the GDPR?
3. Can I show accountability in all processing activities?
4. Am I ready to face data subjects’ requests exercising their rights and to respond to a data breach?
5. Are all my cross-border data flows compliant with GDPR?
The five priorities:
1. Your role
2. DPO & model
3. Accountability
4. Customer data rights and data breach
5. Cross-border data flow
Communicate with stakeholders throughout.
Different points of view? Or converging needs for the Program?
Data Protection Authority: Is the Governance Framework complete? Are practices aligned to it? Are roles assigned? Can you show evidence of effectiveness? Is a remediation plan defined for breaches?
Customers: Can you delete my data? Why are you contacting me without consent? Why did you disclose my data that I erased some time ago? Who are the third parties processing my data, and where?
GDPR Program Manager: Are task ownerships assigned? Are task dependencies clear? Are goals achievable? Is the Program endorsed adequately? Is the working team skilled? Are criticalities addressed?
Privacy Officers, Legal, Compliance: Are privacy risks assessed? Are employees aware of their duties and responsibilities? Are company practices on data compliant with policies and notices? How long is data retained?
CTO, CDO, CSO, CISO: Do applications store audit trails to enforce breach prevention and management? Are user access rights and profiles validated? Is data protected adequately from collection to erasure?
7 don’ts you should know
• Delay the awareness to the Board
• Don’t review your organizational model
• Use a sledgehammer to crack a walnut
• Focus on privacy, postponing security
• Assess and test the customer-facing processing activities
• Underestimate the importance of a skilled team
• Run separate initiatives
Get the Board involved
With privacy and data protection business cases.

Privacy for Mktg and CC
• Is consent documented for all processing activities?
• What do we risk if we keep processing data of old customers without consent?
• Are our profiling activities with big data analytics legitimate?
• Should I erase or de-identify data of old clients?

Privacy for Workplace
• Do we respect employees’ rights during hiring, performance management, whistleblowing, surveillance?
• Are employees aware of their duties and trained on the governance framework (data retention, data breach, privacy and security by design, customer requests, data classification and protection, …)?

Privacy for Supply Chain
• Do contracts include adequate privacy and data protection clauses?
• Do we assess the privacy risks for third parties?
• Do we outsource offshore?
• Do we assess cloud-based services and external system administrators?

Privacy for ICT
• Are user access rights and profiles validated?
• Are logging and monitoring set up for all relevant systems and applications?
• Are backup and restore procedures tested regularly? Are ICT vulnerabilities assessed and addressed?

Each business case pinpoints possible gaps and exposure of the Board. Use this leverage to budget remediation activities.
• Business cases can be built for most company areas and data categories.
• Start from GDPR requirements and highlight known gaps and the consequences of violations for the Board.
• Assess the cost of remediation activities and propose a prioritized remediation plan orchestrating all needs.
• Benefit from these cases also for self-assessment tools and for training, throughout the Program lifetime.
Agenda (Part 2)
Praticamente GDPR – Spike Reply
• Sample roadmap
• Sample macro-plan
• Sample team
• Privacy Program after May 2018
Sample roadmap (illustrative)
Starting point: Preliminary Analysis and Assessment in 2016, and Early Awareness to Stakeholders (remark: if you didn’t do it, hurry up!). The timeline starts in Dec 2016; at the TODAY marker, 14 months are left to have it done.
Milestones, by elapsed time from the start:
• <3 months: Board consensus, Plan defined, Working Team operative
• 9 months: Global Privacy Governance Framework approved
• 10 months: Most ICT assessment and ad-hoc PIA in progress
• 15 months: Framework applied in all Countries and legal entities of the group
• <16 months: Employees trained, most ICT assessments achieved and remediation plan implementation launched
• <18 months: GDPR-readiness: Privacy Management System auditable. A few remediation plan implementations will likely still be in progress.
Date markers shown on the slide: Dec 2016, 15-3-17, 15-4-17, 15-9-17, 15-10-17, 25-5-18.
The roadmap is illustrative; the actual roadmap widely depends on the initial scenario, strategy and resources available to implement the Program.
Sample roadmap cont’d
Global manufacturer, market-leader
• Compliance in the US; the review of the privacy governance framework is temporarily on hold, and late, as the current framework is incomplete
• ICT is leading an IT assessment and is updating the company IT asset inventory with privacy metadata; privacy by design already in place, no data breach management in use yet
• More than 30 countries, still lack of endorsement from the Board

Global large manufacturer
• Privacy function led an early self-assessment in 4 continents to assess privacy gaps in minor countries
• Early awareness to the Board, strong culture of IT risk & audit, global framework under review, organizational model under review, scouting of GRC tools in progress

Mid-size online bank
• Early program management exercise to identify priorities
• Early awareness to the Board
• Governance framework under review
• IT assessment postponed, Internal Audit in the working team, no DPO appointed yet

Italian pharmaceutical service provider
• Late start; IT is leading an initial assessment with the support of compliance
• Limited initial budget, and sharp focus on critical data processing areas
• Organizational model to review, no DPO appointed yet

Global ICT consulting and service provider
• Group with more than 90 operative companies in 3 continents, half of which are IT service providers in different industries: telco, media, healthcare, public administration…
• Strong endorsement from the Board, structured communication plan
• Data mapping in progress, global framework and organizational model under review (local DPO)
• Legal tracking activities in progress, IT assessment of central services under planning
Sample macro-plan (illustrative)
Hypothetical launch in January 2017. Program Master Plan: Program Tasks in 3 phases *
Program Timeline: Jan-17 to May-18, with a monthly count-down from 16 (Jan-17) to 0 (May-18); TODAY marker shown on the timeline.

Program tasks
• Kick-Off of the GDPR Program
• Set Vision, Strategy, Team and Plan
• Consensus of the Board, Comm. Plan
• Develop the global Governance Framework and the Organizational Model
• Local Legal Tracking, ICT Assessment
• Ad-Hoc PIA, Remediation Plan
• Implement the global Framework locally
• Train management and employees
• Test customer-facing activities
• Audit Framework, Implement changes
• GDPR Program implemented

Milestones
• Launch: Plan approved, Team operative
• Board aware, Communication Plan
• Global Model, Guidelines, Standards, Procedures
• Major Remediation Plans
• Controls Implemented
• Employees trained
• Framework in all Countries
• End (25 May 2018): Privacy Management System auditable

Legend: Planned, Baseline, Milestone, Major Milestone.
* Illustrative macro-plan; a detailed plan is largely dependent on the company Context, Strategy and Team.
Sample team (illustrative) *
Steering Committee and Sponsors
‒ People: Board, Heads of Departments and other Stakeholders (e.g. Mktg, HR, Compliance, Legal, ICT, Ops.)
‒ Role: Vision, Strategy and Goals Setting; Endorsement and Program Visibility

Program Coordination and Quality Assurance
‒ People: GDPR Program Manager
‒ Role: Coordination, communications, escalation management; Interface towards Stakeholders and the Working Team; Support the DPO for Program quality assurance

Program Auditing and Approval
‒ People: Data Protection Office(r); Internal Audit; Specialized 3rd Parties and consultants
‒ Role: DPO: check and approval of intermediate/final deliverables; IA, 3Ps: if present, support the DPO in ensuring the auditability of the Privacy Management System

Program Implementation
‒ People: Chief Privacy Officer; Privacy and Security Practitioners; Company Areas Privacy Champions; Specialized 3rd Parties and consultants
‒ Role: CPO: lead, coordinate and supervise the working team, interface with DPO and Program Manager; Practitioners, i.e. the working team: develop the framework documentation, perform the information gathering (interviews, workshops), deliver assessments and remediation plans; Areas Champions: support the working team, sharing and preliminary validation of partial outcomes; 3Ps, Consultants: support the working team

Program phases covered: PLAN, DO
* Illustrative team for a large company; in smaller companies roles and responsibilities could be aggregated.
Program after May ‘18
Privacy and Data Protection Management System (phases: CHECK, ACT)
1. Strategic Management: Vision, Mission, Strategy, Team
2. Develop and Implement: Framework, Policies, Standards, Guidelines
3. Performance Measurement: Metric Lifecycle
4. Assess: Assessment Models; Assess Key Areas (Data, Systems, Process)
5. Protect: Data Lifecycle Management; Information Security Practices; Privacy by Design
6. Sustain: Conduct analysis and assessment; Monitor, Audit, Communicate
7. Respond: Information Request, Legal Compliance, Incident Planning, Incident Handling

By May 2018 you will likely have implemented most of the framework, and started checking it. No matter why and how, what you should focus on is keeping it going as a rolling overall process which improves over time and produces all the accountability trails required by the GDPR. It is not a 14-month exercise; it is a new regime of data protection looming over the EU and beyond.
Thank you
Our
GDPR Journey

 
Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...
Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...
Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...
 
Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.
 
Right to life and personal liberty under article 21
Right to life and personal liberty under article 21Right to life and personal liberty under article 21
Right to life and personal liberty under article 21
 
Labour legislations in India and its history
Labour legislations in India and its historyLabour legislations in India and its history
Labour legislations in India and its history
 
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTSTHE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
 
Town of Haverhill's Summary Judgment Motion for Declaratory Judgment Case
Town of Haverhill's Summary Judgment Motion for Declaratory Judgment CaseTown of Haverhill's Summary Judgment Motion for Declaratory Judgment Case
Town of Haverhill's Summary Judgment Motion for Declaratory Judgment Case
 
citizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicablecitizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicable
 
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptxSarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
 
1990-2004 Bar Questions and Answers in Sales
1990-2004 Bar Questions and Answers in Sales1990-2004 Bar Questions and Answers in Sales
1990-2004 Bar Questions and Answers in Sales
 
Grey Area of the Information Technology Act, 2000.pptx
Grey Area of the Information Technology Act, 2000.pptxGrey Area of the Information Technology Act, 2000.pptx
Grey Area of the Information Technology Act, 2000.pptx
 
Town of Haverhill's Motion for Summary Judgment on DTC Counterclaims
Town of Haverhill's Motion for Summary Judgment on DTC CounterclaimsTown of Haverhill's Motion for Summary Judgment on DTC Counterclaims
Town of Haverhill's Motion for Summary Judgment on DTC Counterclaims
 
PPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training CenterPPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training Center
 
Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...
Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...
Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...
 
Guide for Drug Education and Vice Control.docx
Guide for Drug Education and Vice Control.docxGuide for Drug Education and Vice Control.docx
Guide for Drug Education and Vice Control.docx
 
Choosing the Right Business Structure for Your Small Business in Texas
Choosing the Right Business Structure for Your Small Business in TexasChoosing the Right Business Structure for Your Small Business in Texas
Choosing the Right Business Structure for Your Small Business in Texas
 

A successful GDPR Program

• 5. Top-5 priorities for getting ready

Define your priorities by answering the following questions:

1. YOUR ROLE: Do I know my role, as Controller or Processor, for all the processing activities?
2. DPO & MODEL: Does my current privacy organizational model fit the GDPR?
3. ACCOUNTABILITY: Can I show accountability in all processing activities?
4. CUSTOMER DATA RIGHTS AND DATA BREACH: Am I ready to face data subjects' requests exercising their rights, and to respond to a data breach?
5. CROSS-BORDER DATA FLOW: Are all my cross-border data flows compliant with GDPR?

Communicate with stakeholders.

© CLUSIT 2017 – Praticamente GDPR
• 6. Different points of view? Or converging needs for the Program?

Data Protection Authority
• Is the Governance Framework complete?
• Are practices aligned to it?
• Are roles assigned?
• Can you show evidence of effectiveness?
• Is a remediation plan defined for breaches?

Customers
• Can you delete my data?
• Why are you contacting me without consent?
• Why did you disclose my data, which I erased some time ago?
• Who are the third parties processing my data, and where?

GDPR Program Manager
• Are task ownerships assigned?
• Are task dependencies clear?
• Are goals achievable?
• Is the Program endorsed adequately?
• Is the working team skilled?
• Are criticalities addressed?

Privacy Officers, Legal, Compliance
• Are privacy risks assessed?
• Are employees aware of their duties and responsibilities?
• Are company practices on data compliant with policies and notices?
• How long is data retained?

CTO, CDO, CSO, CISO
• Do applications store audit trails to support breach prevention and management?
• Are user access rights and profiles validated?
• Is data protected adequately from collection to erasure?
• 7. 7 don'ts you should know

• Delay awareness to the Board
• Don't review your organizational model
• Use a sledgehammer to crack a walnut
• Focus on privacy, postponing security
• Assess and test the customer-facing processing activities
• Underestimate the importance of a skilled team
• Run separate initiatives
• 8. Get the Board involved, with privacy and data protection business cases

Privacy for Mktg and CC
• Is consent documented for all processing activities?
• What do we risk if we keep processing data of old customers without consent?
• Are our profiling activities with big data analytics legitimate?
• Should I erase or de-identify data of old clients?

Privacy for Workplace
• Do we respect employees' rights during hiring, performance management, whistleblowing, surveillance?
• Are employees aware of their duties and trained on the governance framework (data retention, data breach, privacy and security by design, customer requests, data classification and protection, …)?

Privacy for Supply Chain
• Do contracts include adequate privacy and data protection clauses?
• Do we assess the privacy risks for third parties?
• Do we outsource offshore?
• Do we assess cloud-based services and external system administrators?

Privacy for ICT
• Are user access rights and profiles validated?
• Are logging and monitoring set up for all relevant systems and applications?
• Are backup and restore procedures tested regularly?
• Are ICT vulnerabilities assessed and addressed?

Each business case pinpoints possible gaps and the exposure of the Board. Use this leverage to budget remediation activities. Business cases can be built for most company areas and data categories. Start from GDPR requirements and highlight the known gaps and the consequences of violations for the Board. Assess the cost of remediation activities and propose a prioritized remediation plan orchestrating all needs. Benefit from these cases also as self-assessment tools and for training, throughout the Program lifetime.
• 9. Agenda, Part 2 (Praticamente GDPR – Spike Reply)

• Sample roadmap
• Sample macro-plan
• Sample team
• Privacy Program after May 2018
• 10. Sample roadmap (illustrative)

Starting point: preliminary analysis and assessment in 2016, and early awareness to stakeholders (remark: if you didn't do it, hurry up!). Counting from TODAY as marked on the slide (timeline ticks: Dec 2016, 15-3-17, 15-4-17, 15-9-17, 15-10-17, 25-5-18), 14 months are left to have it done.

Milestones, as elapsed time since the start of the Program:
• < 3 months: Board consensus, plan defined, working team operative
• 9 months: global Privacy Governance Framework approved
• 10 months: most ICT assessments and ad-hoc PIAs in progress
• 15 months: Framework applied in all countries and legal entities of the group
• < 16 months: employees trained, most ICT assessments achieved and remediation plan implementation launched
• < 18 months: GDPR readiness, Privacy Management System auditable (a few remediation plan implementations will likely still be in progress)

The roadmap is illustrative; the actual roadmap widely depends on the initial scenario, strategy and resources available to implement the Program.
• 11. Sample roadmap cont'd

Global manufacturer, market leader
• Compliance is in the US; the review of the privacy governance framework is temporarily on hold, and late, since the current framework is incomplete
• ICT is leading an IT assessment and is updating the company IT asset inventory with privacy metadata; privacy by design already in place, no data breach management in use yet
• More than 30 countries, still a lack of endorsement from the Board

Global large manufacturer
• Privacy function led an early self-assessment in 4 continents to assess privacy gaps in minor countries
• Early awareness to the Board, strong culture of IT risk & audit, global framework under review, organizational model under review, scouting of GRC tools in progress

Mid-size online bank
• Early program management exercise to identify priorities
• Early awareness to the Board
• Governance framework under review
• IT assessment postponed, Internal Audit in the working team, no DPO appointed yet

Italian pharmaceutical service provider
• Late start, IT is leading an initial assessment with the support of Compliance
• Limited initial budget, and sharp focus on critical data processing areas
• Organizational model to review, no DPO appointed yet

Global ICT consulting and service provider
• Group with more than 90 operating companies in 3 continents, half of which are IT service providers in different industries: telco, media, healthcare, public administration…
• Strong endorsement from the Board, structured communication plan
• Data mapping in progress, global framework and organizational model under review (local DPO)
• Legal tracking activities in progress, IT assessment of central services under planning
• 12. Sample macro-plan (illustrative)

Program Master Plan, hypothetical launch in January 2017, with a count-down of 16 months to 25 May 2018 (timeline: Jan-17, Mar-17, Jun-17, Sep-17, Dec-17, Jan-18, Mar-18, May-18; TODAY marked on the slide). Program tasks, in 3 phases *:
1. Kick-off of the GDPR Program
2. Set vision, strategy, team and plan
3. Consensus of the Board, communication plan
4. Develop the global Governance Framework and the Organizational Model
5. Local legal tracking, ICT assessment
6. Ad-hoc PIA, remediation plan
7. Implement the global Framework locally
8. Train management and employees
9. Test customer-facing activities
10. Audit the Framework, implement changes
11. GDPR Program implemented

Milestones and major milestones: Launch; Board aware, communication plan; Plan approved, team operative; Global model, guidelines, standards, procedures; Major remediation plans; Controls implemented; Employees trained; Framework in all countries; Privacy Management System auditable (End, 25 May 2018). Legend: Planned, Baseline, Milestone, Major Milestone.

* Illustrative macro-plan; a detailed plan is largely dependent on the company context, strategy and team.
• 13. Sample team (illustrative *)

Program Coordination and Quality Assurance
People: GDPR Program Manager
Role:
‒ Coordination, communications, escalation management
‒ Interface towards Stakeholders and the Working Team
‒ Support the DPO for Program quality assurance

Program Auditing and Approval
People: Data Protection Office(r); Internal Audit; specialized 3rd parties and consultants
Role:
‒ DPO: check and approval of intermediate/final deliverables
‒ IA, 3Ps: if present, support the DPO in ensuring the auditability of the Privacy Management System

Program Implementation
People: Chief Privacy Officer; Privacy and Security Practitioners; Company Areas Privacy Champions; specialized 3rd parties and consultants
Role:
‒ CPO: lead, coordinate and supervise the working team, interface with the DPO and the Program Manager
‒ Practitioners, i.e. the working team: develop the framework documentation, perform the information gathering (interviews, workshops), deliver assessments and remediation plans
‒ Area Champions: support the working team, sharing and preliminary validation of partial outcomes
‒ 3Ps, consultants: support the working team

Steering Committee and Sponsors
People: Board, Heads of Departments and other Stakeholders (e.g. Mktg, HR, Compliance, Legal, ICT, Ops.)
Role:
‒ Vision, Strategy and Goals setting
‒ Endorsement and Program visibility

* Illustrative team for a large company; in smaller companies roles and responsibilities could be aggregated.
• 14. Program after May '18: PRIVACY AND DATA PROTECTION MANAGEMENT SYSTEM

Arranged as a PLAN, DO, CHECK, ACT cycle:
1. Strategic Management: Vision, Mission, Strategy, Team
2. Develop and Implement: Framework, Policies, Standards, Guidelines
3. Performance Measurement: Metric Lifecycle
4. Assess: Assessment Models, assess Key Areas (Data, Systems, Process)
5. Protect: Data Lifecycle Management, Information Security Practices, Privacy by Design
6. Sustain: conduct analysis and assessment; Monitor, Audit, Communicate
7. Respond: Information Requests, Legal Compliance, Incident Planning, Incident Handling

By May 2018 you will likely have implemented most of the framework, and started checking it. No matter why and how, what you should focus on is keeping it going as a rolling overall process that improves over time and produces all the accountability trails required by the GDPR. It is not a 14-month exercise; it is a new regime of data protection looming over the EU and beyond.