4. Typical Privacy Program Products
• Privacy policies (HR, Recruitment, Customers)
• Cookie policy (?)
• Data Protection Annex – role: Controller
• Data Protection Annex – role: Processor
• Article 30 documentation template
• Data Protection Impact Assessment/Threshold assessment form
These need to be updated, but there will be relatively little change.
This should not be news.
9. Slide 9
You will have to make decisions
Accountability
Risk-based approach
Governance is key
10. Slide 10
... and implement decisions on a system level
Legal Engineering
Privacy Engineering is the answer
11. Slide 11
... and make sure everyone does
Vendor management is key
Costs (for audits etc.)
Accountability
12. How to build a post-GDPR privacy program?
13. Another footnote (as the following might be overwhelming)
1 The following thoughts are meant to give direction
14. Elements of your future privacy program
1. Governance structure
1. Risk-management
2. Definition of roles
3. Measure success
2. Privacy engineering:
1. Implement privacy early on
2. Change system v. Change policy describing the system
3. Vendor management
1. Mapping and classification
2. Audits
Aka the PPM
15. 1. Governance Structure
1. Risk-management
• Who (which level) decides?
• How documented?
• A lot of awareness needed
2. Definition of roles
• RACI
• Centralized/decentralized model
3. Measure and report
• Define metrics (e.g. 95% of our high-volume vendors have signed our DPA by 1 June)
• Improve metrics (examples)
All this could be defined in a privacy governance policy
Obstacles: Admitting status; internal politics
16. 2. Privacy Engineering
According to NIST:
"Privacy engineering is a specialty discipline of systems engineering focused on removing conditions that can create problems for people when system operations process their information."
https://www.nist.gov/itl/applied-cybersecurity/privacy-engineering/about
17. Privacy Engineering (2)
Elements of privacy engineering:
• Privacy (by) Design
• DPIA
• Engineering requirements
• Risk management
• UX Design
• Data flow modelling
• Data management
Obstacles: Skills, time
18. Vendor management
Breaches often occur at vendor level
Know
• Start with mapping vendors (re: personal data)
• Set up a vendor management system
Classify
• Risk-based approach (sensitivity, volume, lifecycle)
• 3 classes: low risk – medium risk – high risk
Manage
• DPA
• Audits
Learn and improve
• Discuss IT security and privacy
• Up or out (where alternatives are possible)
Obstacles: Resources
19. Looking at this from a product perspective
Governance:
• Privacy Governance Policy
• Metrics documents
Privacy engineering:
• Privacy Requirement document
• Privacy assessment process (Article 30 record => threshold assessment => DPIA)
• Control framework
Vendor management:
• Vendor requirements/DPAs
• Vendor classification system
For most of these tasks, both legal and technical skills are needed.
20. twobirds.com
Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses. Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC340318 and is authorised and regulated by the Solicitors Regulation Authority. Its registered office and principal place of business is at 12 New Fetter Lane, London EC4A 1JP. A list of members of Bird & Bird LLP and of any non-members who are designated as partners, and of their respective professional qualifications, is open to inspection at that address.
Thank you
Tobias Bräutigam, OTT
+358 50 482 3424 tobias.brautigam@twobirds.com
https://commons.wikimedia.org/w/index.php?curid=23564695