GDPR – no beginning no end
Tobias Bräutigam, head of data protection group, Bird & Bird Helsinki
26.04.2018
Compliance is a journey, not a point in time.
GDPR applicable 25th May. There won't be fireworks.
Typical Privacy Program Products
• Privacy policies (HR, Recruitment, Customers)
• Cookie policy (?)
• Data Protection Annex – role: Controller
• Data Protection Annex – role: Processor
• Article 30 documentation template
• Data Protection Impact Assessment/Threshold assessment form
Those need to be updated, but there will be relatively little change.
This should not be news.
What is needed the day after?
Just a footnote (not our topic today)
More is coming: NIS, ePrivacy Regulation
Introducing: Privacy Perpetuum Mobile
Why is it needed?
You will have to make decisions
• Accountability
• Risk-based approach
• Governance is key
... and implement decisions on a system level
Legal Engineering
Privacy Engineering is the answer
... and make sure everyone does
• Vendor management is key
• Costs (for audits etc.)
• Accountability
How to build a post-GDPR privacy program?
Another footnote (as the following might be overwhelming)
The following thoughts are meant to give direction
Elements of your future privacy program
1. Governance structure
   1. Risk management
   2. Definition of roles
   3. Measure success
2. Privacy engineering
   1. Implement privacy early on
   2. Change the system vs. change the policy describing the system
3. Vendor management
   1. Mapping and classification
   2. Audits
A.k.a. the PPM (Privacy Perpetuum Mobile)
1. Governance Structure
   1. Risk management
      • Who (which level) decides?
      • How is it documented?
      • A lot of awareness needed
   2. Definition of roles
      • RACI
      • Centralized/decentralized model
   3. Measure and report
      • Define metrics (e.g. 95% of our high-volume vendors have signed our DPA by 1.6.)
      • Improve metrics (examples)
All this could be defined in a privacy governance policy.
Obstacles: admitting status; internal politics
2. Privacy Engineering
According to NIST: "Privacy engineering is a specialty discipline of systems engineering focused on removing conditions that can create problems for people when system operations process their information."
https://www.nist.gov/itl/applied-cybersecurity/privacy-engineering/about
Privacy Engineering (2)
Elements of privacy engineering:
• Privacy (by) Design
• DPIA
• Engineering requirements
• Risk management
• UX Design
• Data flow modelling
• Data management
Obstacles: skills, time
3. Vendor management
Breaches often occur at vendor level.
Know
• Start with mapping vendors (re: personal data)
• Set up a vendor management system
Classify
• Risk-based approach (sensitivity, volume, lifecycle)
• 3 classes: low risk – medium risk – high risk
Manage
• DPA
• Audits
Learn and improve
• Discuss IT security and privacy
• Up or out (where alternatives are possible)
Obstacles: resources,
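The Know / Classify / Manage / Learn loop above, and the governance metric from the earlier slide (share of high-volume vendors with a signed DPA by a reporting date), can be run from a vendor register rather than a spreadsheet. The following is an added example, not code from the slides or from Bird & Bird: a small in-memory register that scores each vendor on the deck's three criteria (sensitivity, volume, lifecycle), bands it into the three risk classes, computes the DPA coverage metric for a reporting date, and lists the audits that are overdue. The scoring rule, the audit cadence per class and the sample vendors are assumptions for illustration; the deck only names the criteria and the classes.

```python
"""Vendor register: risk classification, DPA coverage metric, audit cadence.

Added example, not from the slides. The scoring rule (sensitivity, volume,
lifecycle -> low/medium/high), the audit cadence per class and the sample
vendors are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional

# Ordinal scores per criterion (assumed). "special" = Art. 9 special-category data.
SENSITIVITY = {"none": 0, "ordinary": 1, "special": 2}
VOLUME = {"low": 0, "medium": 1, "high": 2}
LIFECYCLE = {"transient": 0, "retained": 1, "long_term": 2}

# Assumed audit cadence per risk class (days); low-risk vendors are not audited.
AUDIT_CADENCE_DAYS = {"high": 365, "medium": 730}

# Reporting date for the "signed by 1.6." metric (assumed year).
REPORTING_DATE = date(2018, 6, 1)


@dataclass
class Vendor:
    name: str
    sensitivity: str                    # key of SENSITIVITY
    volume: str                         # key of VOLUME
    lifecycle: str                      # key of LIFECYCLE
    dpa_signed: Optional[date] = None   # date the DPA was countersigned, if ever
    last_audit: Optional[date] = None   # last completed audit, if ever


def risk_class(v: Vendor) -> str:
    """Assumed rule: any special-category data is high risk outright;
    otherwise sum the three ordinal scores (0..6) into three bands."""
    if v.sensitivity == "special":
        return "high"
    score = SENSITIVITY[v.sensitivity] + VOLUME[v.volume] + LIFECYCLE[v.lifecycle]
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def _dpa_in_force(v: Vendor, by: date) -> bool:
    return v.dpa_signed is not None and v.dpa_signed <= by


def dpa_coverage(vendors: list[Vendor], select: Callable[[Vendor], bool], by: date) -> float:
    """Share of the selected vendors whose DPA was signed on or before `by`.
    A DPA signed after the reporting date does not count for that date."""
    pool = [v for v in vendors if select(v)]
    if not pool:
        return 1.0
    return sum(_dpa_in_force(v, by) for v in pool) / len(pool)


def dpa_gaps(vendors: list[Vendor], select: Callable[[Vendor], bool], by: date) -> list[str]:
    """Selected vendors still lacking a DPA at the reporting date: the work list."""
    return sorted(v.name for v in vendors if select(v) and not _dpa_in_force(v, by))


def overdue_audits(vendors: list[Vendor], today: date) -> list[str]:
    """Vendors whose class requires an audit and whose last audit is missing
    or older than the cadence for that class."""
    overdue = []
    for v in vendors:
        cadence = AUDIT_CADENCE_DAYS.get(risk_class(v))
        if cadence is None:
            continue
        if v.last_audit is None or today - v.last_audit > timedelta(days=cadence):
            overdue.append(v.name)
    return sorted(overdue)


def high_volume(v: Vendor) -> bool:
    return v.volume == "high"


# Constructed sample register (not real vendors).
SAMPLE_VENDORS = [
    Vendor("payroll-saas", "ordinary", "high", "long_term", date(2018, 3, 1), date(2017, 2, 1)),
    Vendor("benefits-portal", "special", "medium", "retained", None, None),
    Vendor("newsletter-tool", "ordinary", "high", "transient", date(2018, 6, 10), None),
    Vendor("crm", "ordinary", "high", "retained", date(2018, 4, 15), date(2018, 1, 20)),
    Vendor("office-cleaning", "none", "low", "transient", None, None),
]


def report(vendors=SAMPLE_VENDORS, reporting_date=REPORTING_DATE, target=0.95) -> dict:
    """The slide's metric (95% of high-volume vendors with a signed DPA by 1.6.)
    plus the classification and the audit backlog behind it."""
    coverage = dpa_coverage(vendors, high_volume, reporting_date)
    return {
        "classes": {v.name: risk_class(v) for v in vendors},
        "high_volume_dpa_coverage": coverage,
        "target_met": coverage >= target,
        "dpa_gaps": dpa_gaps(vendors, high_volume, reporting_date),
        "overdue_audits": overdue_audits(vendors, reporting_date),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the sample register the metric comes out at two of three high-volume vendors (the newsletter tool's DPA is dated after the reporting date, so it does not count), which misses the 95% target and leaves one name on the work list; three vendors are overdue for audit under the assumed cadence. The point of the structure is that the classification rule is one function that can be changed when governance changes, while the metric and the backlog are recomputed from the register rather than maintained by hand.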
Looking at this from a product perspective
• Governance: Privacy Governance Policy; metrics documents
• Privacy engineering: Privacy Requirement document; privacy assessment process (Article 30 record => threshold assessment => DPIA); control framework
• Vendor management: vendor requirements/DPAs; vendor classification system
For most of those tasks, both legal and technical skills are needed.
twobirds.com
Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses.
Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC340318 and is authorised and
regulated by the Solicitors Regulation Authority. Its registered office and principal place of business is at 12 New Fetter Lane, London EC4A 1JP. A
list of members of Bird & Bird LLP and of any non-members who are designated as partners, and of their respective professional qualifications, is
open to inspection at that address.
Thank you
Tobias Bräutigam, OTT
+358 50 482 3424 tobias.brautigam@twobirds.com
https://commons.wikimedia.org/w/index.php?curid=23564695