Lugano (CH), 20 and 21 November 2017
GDPR AND GRC: GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE FOR DATA PROTECTION
Andrea LEONARDI - Stefano MICHELOTTI
SPEAKERS

LEONARDI, Andrea (CONSULTANT, TRAINER, AUDITOR – MINERVA GROUP SERVICE)
Graduating from Bocconi University with over 20 years' experience in several industries, functions and projects, Andrea LEONARDI is Co-Founder and Vice President of Minerva Group Service s.c.c.p.a, a company focused on providing advisory, training and audit services. He is advisor, trainer and auditor for GDPR and related ISO standards (e.g. ISO 27001 Information Security Management System, ISO 20000-1 IT Service Management System, ISO 22301 Business Continuity Management System).
http://www.linkedin.com/pub/andrea-leonardi/18/2a3/442
@AndreaLeonardix

MICHELOTTI, Stefano (CHAIRMAN – MINERVA GROUP SERVICE)
Stefano MICHELOTTI is Co-Founder and Chairman of Minerva Group Service s.c.c.p.a, a cooperative joint stock consortium company that is the hub of a network of companies (consortium companies). Minerva Group Service is strongly committed to providing professional and business services (e.g. GRC, GDPR, ISO Management System, Cybersecurity, Project Management, etc.). He is advisor, trainer and auditor for GDPR, Risk Management (ISO 31000) and Compliance Management (ISO 19600).
https://www.linkedin.com/in/stefano-michelotti-49a30418/
@StefanoArchisto

A partner of Minerva Group Service: www.minervagroupservice.it
GDPR IS LANDING ON YOUR PLANET …ARE YOU READY?

What and When? GDPR: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). 25 May 2018: Tempus fugit ….
Who and Where? EU Data Subjects; Controller; Processing (automated means or other) of Personal data: “information relating to an identified or identifiable natural person (‘data subject’)”
Why? No GDPR (compliance)?! No (Business) Party …and huge administrative fines! Supervisory Authority; Fines …up to 4 % of the total worldwide annual turnover
How? Governance, Risk Management, Compliance: A GRC road map to GDPR… …following ISO Management Systems!
What? GDPR
Foreword (173 items)
CHAPTER I General provisions
CHAPTER II Principles
CHAPTER III Rights of the data subject
  Section 1 Transparency and modalities
  Section 2 Information and access to personal data
  Section 3 Rectification and erasure
  Section 4 Right to object and automated individual decision-making
  Section 5 Restrictions
What? GDPR
CHAPTER IV Controller and processor
  Section 1 General obligations
  Section 2 Security of personal data
  Section 3 Data protection impact assessment and prior consultation
  Section 4 Data protection officer
  Section 5 Codes of conduct and certification
What? GDPR
CHAPTER V Transfers of personal data to third countries or international organisations
CHAPTER VI Independent supervisory authorities
  Section 1 Independent status
  Section 2 Competence, tasks and powers
CHAPTER VII Cooperation and consistency
CHAPTER VIII Remedies, liability and penalties
CHAPTER IX Provisions relating to specific processing situations
CHAPTER X Delegated acts and implementing acts
Who? GDPR applies (CHAPTER I General provisions)
“This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system”
Key terms: DATA SUBJECT; PROCESSING; PERSONAL DATA; FILING SYSTEM
Who? GDPR: PERSONAL DATA (CHAPTER I General provisions)
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
Related definitions: genetic data; biometric data; data concerning health
Who? GDPR: PROCESSING (CHAPTER I General provisions)
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements
Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person
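The pseudonymisation definition above, worked through in code as an added illustration that is not part of the slide deck: a direct identifier is replaced by a keyed-hash token, and the token-to-identifier table is the "additional information" that must be kept separately. The field name `email`, the HMAC-SHA256 scheme and the sample records are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

Record = Dict[str, object]


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256, truncated) of a direct identifier.

    The same identifier under the same key always yields the same token,
    so records can still be aligned or combined; without the key the
    token cannot be recomputed, so it is not by itself a name."""
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:32]


def pseudonymise(records: List[Record], key: bytes,
                 id_field: str = "email") -> Tuple[List[Record], Dict[str, str]]:
    """Replace the direct identifier in each record with a token.

    Returns the pseudonymised data set and the 'additional information'
    (token -> original identifier) that, per the definition, must be kept
    separately and under its own technical and organisational measures."""
    lookup: Dict[str, str] = {}
    pseudonymised: List[Record] = []
    for rec in records:
        original = str(rec[id_field])
        token = pseudonym(original, key)
        lookup[token] = original
        copy = dict(rec)          # leave the caller's data untouched
        copy[id_field] = token    # direct identifier removed from the record
        pseudonymised.append(copy)
    return pseudonymised, lookup


def reidentify(token: str, lookup: Dict[str, str]) -> Optional[str]:
    """Re-attribution is only possible with the separately held lookup table
    (or the key); the pseudonymised data set alone does not suffice."""
    return lookup.get(token)


def exposes_identifier(records: List[Record], identifier: str,
                       id_field: str = "email") -> bool:
    """Check a data set for a direct identifier, e.g. before it is handed to
    a team that must not receive the 'additional information'."""
    return any(rec[id_field] == identifier for rec in records)


def demo() -> Tuple[List[Record], List[Record], Dict[str, str], bytes]:
    # Constructed sample records and a fresh random key for the example.
    records: List[Record] = [
        {"email": "alice@example.com", "dept": "finance", "sick_days": 3},
        {"email": "bob@example.com", "dept": "it", "sick_days": 0},
    ]
    key = secrets.token_bytes(32)
    pseudonymised, lookup = pseudonymise(records, key)
    return records, pseudonymised, lookup, key


if __name__ == "__main__":
    originals, pseudo, table, _ = demo()
    for row in pseudo:
        print(row)
    print("re-identified:", reidentify(str(pseudo[0]["email"]), table))
```

A leaked key or lookup table turns the data set back into personal data, which is why the definition ties the additional information to its own technical and organisational measures.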
Where? GDPR (CHAPTER I General provisions)
CONTROLLER / PROCESSOR established in the EU, PROCESSING in the EU or extra EU:
“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” (Official Journal of the European Union, 4.5.2016, L 119/32)
CONTROLLER / PROCESSOR NOT established in the EU, OFFERING goods or services to, or monitoring the behaviour of, DATA SUBJECTS in the EU:
“….This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
Why? GDPR (CHAPTER VIII Remedies, liability and penalties)
SUPERVISORY AUTHORITY: imposition of administrative fines, effective, proportionate and dissuasive.
Why? GDPR: administrative fines
COMPANY (e.g. for Italy) €: up to 10 000 000 EUR / up to 2 % of the total worldwide annual turnover of the preceding financial year
Infringements of the following provisions: obligations of the CONTROLLER and the PROCESSOR (CHAPTER II Principles; CHAPTER IV Controller and processor): Art. 8, Art. 11, Art. 25–39, Art. 42–43
Why? GDPR: administrative fines
COMPANY €: up to 20 000 000 EUR / up to 4 % of the total worldwide annual turnover of the preceding financial year
Infringements of the following provisions:
  basic principles for PROCESSING (CHAPTER II Principles): Art. 5, Art. 6, Art. 7, Art. 9
  rights of the DATA SUBJECT (CHAPTER III Rights of the data subject): Art. 12–22
How? GDPR GRC: Governance, Risk Management, Compliance for Data Protection
GOVERNANCE
RISK MANAGEMENT: ISO 31000
COMPLIANCE: ISO 19600
PRIVACY: ISO 29100
Also: ISO 29134; ISO 19011
How? GDPR: reference standards
ISO 29100: Standard ISO 29100:2011 «Information technology – Security techniques – Privacy framework»
ISO 31000: Standard ISO 31000:2009 “Risk management — Principles and guidelines”
ISO 19600: Standard ISO 19600:2014 «Compliance management systems — Guidelines»
ISO 29134: ISO/IEC 29134 Information technology — Security techniques — Guidelines for privacy impact assessment
ISO 19011: Standard ISO 19011:2011 “Guidelines for auditing management systems”
How? GDPR: ISO 29100 PRIVACY FRAMEWORK
CONTROLLER (GDPR): “…the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…”
PROCESSOR (GDPR): “…natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;..”
Mapping of PII PROCESSING: GDPR “…records of processing activities”
Roles, responsibilities and interactions
Principles: GDPR Principles
Policies: COMPLIANCE
CONTROLS: GDPR “…appropriate technical and organisational measures”
How? GDPR: DATA PROTECTION OFFICER
Tasks (GDPR):
“..to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions; ..”
“…to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits; …”
“…to cooperate with the supervisory authority..”
“…to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.”
Related standards: ISO 19600; ISO 19011; ISO 29134; ISO 27001
How? GDPR: ISO 31000 RISK MANAGEMENT FRAMEWORK
Risk Management process:
  Establishing the context: establishing the external context; establishing the internal context
  Risk assessment: Risk identification; Risk analysis; Risk evaluation
  Risk treatment
GDPR: “…appropriate technical and organisational measures”
GDPR: “…Taking into account the nature, scope, context and purposes of processing…”
GDPR: “…the risks of varying likelihood and severity for the rights and freedoms of natural persons..”
How? GDPR: ISO 29134
Preparing the grounds for PIA
Process for conducting a PIA: General; Determine whether a PIA is necessary (threshold analysis); Preparation of the PIA; Perform the PIA; Follow the PIA
PIA Report structure: General; Scope of PIA; Risk Assessment; Risk Treatment Plan; Conclusions and Decisions; PIA Public Summary
Annex A (informative): Scale criteria on the level of impact and on the likelihood
How? GDPR: ISO 19600 COMPLIANCE MANAGEMENT FRAMEWORK
GDPR Compliance: Legal, contractual, regulatory, technical Requirements
SUPERVISORY AUTHORITY; Privacy Shield; Code of Conduct; Certification; Standards
How? GDPR GRC: “…appropriate technical and organisational measures”
IT SERVICE: ISO 20000-1
INFORMATION SECURITY: ISO 27001
BUSINESS CONTINUITY: ISO 22301
How? GDPR: reference standards
ISO 20000-1: Standard ISO/IEC 20000-1:2011 «Information technology — Service management — Part 1: Service management system requirements»
ISO 27001: Standard ISO/IEC 27001:2013 «Information technology — Security techniques — Information security management systems — Requirements»
ISO 22301: Standard ISO 22301:2012 “Societal security — Business continuity management systems — Requirements”
How? GDPR: SMS ISO 20000-1 and relationships with ISMS ISO 27001 and BCMS ISO 22301
SMS ISO 20000-1 PROCESSES
  Design and transition of new or changed services
  Control processes: Configuration management; Change management; Release and deployment management
  Service delivery processes: Capacity management; Service continuity & availability management; Service level management; Information security management; Budgeting & accounting for services; Service reporting
  Resolution processes: Incident and service request management; Problem management
  Relationship processes: Business relationship management; Supplier management
Related standards shown: ISO 22301; ISO 27001, Annex A (A.17)
How? GDPR: SMS ISO 20000-1 and main relationships with GDPR
SMS ISO 20000-1 PROCESSES
  Design and transition of new or changed services
  Control processes: Configuration management; Change management; Release and deployment management
  Service delivery processes: Capacity management; Service continuity & availability management; Service level management; Information security management; Budgeting & accounting for services; Service reporting
  Resolution processes: Incident and service request management; Problem management
  Relationship processes: Business relationship management; Supplier management
GDPR topics shown against the SMS: Privacy by design; Privacy by default; Privacy breach; Rights of the data subject; External processors and third parties; Privacy Impact assessment
How? GDPR: PERSONAL DATA and security domains
INFORMATION SECURITY (ISO 27001): DOC; IT
IT SECURITY: ISO 27001; «CYBERSECURITY»: ISO 27032; cloud: ISO 27018
ISO 27018: Standard ISO/IEC 27018:2014 “Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors”
ISO 27032: Standard ISO/IEC 27032:2012 «Information technology — Security techniques — Guidelines for cybersecurity»
PHYSICAL SECURITY
HR AND ORGANIZATIONAL SECURITY
DATA PROTECTION
How? GDPR: ISO 27001
DATA: Information Security Objectives: Integrity, Availability, Confidentiality
Processing; IT; SW; assets; Threat; Vulnerability; Incident
Physical and Environmental security perimeter
How? GDPR: ISO 27001 Annex A
A.5 Information Security Policy
A.6 Organization of Information Security
A.7 Human Resource Security
A.8 Asset Management
A.9 Access Control
A.10 Cryptography
A.11 Physical and Environmental Security
A.12 Operations Security
A.13 Communication Security
A.14 System Acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information Security Incident Management
A.17 Information Security aspects of business continuity
A.18 Compliance
GDPR: “…appropriate technical and organisational measures”
How? GDPR: ISO 27001 Annex A, A.18 Compliance (with ISO 19600)
CLAUSE: A.18 Compliance
CONTROL OBJECTIVE: A.18.1 Compliance with legal and contractual requirements
CONTROL: A.18.1.4 Privacy and protection of personally identifiable information (PII)
How? GDPR: ISO 22301
(BIA) BUSINESS IMPACT ANALYSIS: PROCESSING DATA; Incident; DISRUPTION; Impact; Loss of Availability; DATA SUBJECT
RISK ASSESSMENT (ISO 31000; ISO 29134); GDPR (PIA) Privacy Impact Assessment
RESILIENCE; BUSINESS CONTINUITY STRATEGY; BUSINESS CONTINUITY PLANS; TESTING AND EXERCISING
GDPR: Privacy by design; Privacy by default
GDPR: Privacy breach
GDPR: AN INFOGRAPHIC …and relationships with main ISO standards
GRC in data processing: GOVERNANCE; RISK MANAGEMENT; COMPLIANCE
Elements shown: EU Data Subjects; data; purposes of processing; DATA PROCESSING (operations on data); Information & Consent; Storage; Transmission; Dissemination; Rights of the Data Subject; Risk (confidentiality, integrity, availability); Controller; Processors & Data handlers; DPO (Designation); Records of processing activities; Training and Awareness; Perimeter and means in data processing; Resilience; Privacy Impact Assessment; Personal data breach; Issues of Supervisory Authority; Technical and organisational measures («privacy by default & privacy by design»); procedures; doc; IT («cybersecurity»); cloud
Domains: ORGANIZATION & HR; PHYSICAL SITES (including external Datacenter); INFORMATION TECHNOLOGY (internal and external)
Main ISO standards: ISO 29100; ISO 31000; ISO 29134; ISO 19600; ISO 27001; ISO 27018; ISO 22301; ISO 20000-1

falcon-invoice-discounting-unlocking-prime-investment-opportunitiesFalcon Invoice Discounting
 
Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...
Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...
Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...ssifa0344
 
Booking open Available Pune Call Girls Shivane 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Shivane  6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Shivane  6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Shivane 6297143586 Call Hot Indian Gi...Call Girls in Nagpur High Profile
 
Gurley shaw Theory of Monetary Economics.
Gurley shaw Theory of Monetary Economics.Gurley shaw Theory of Monetary Economics.
Gurley shaw Theory of Monetary Economics.Vinodha Devi
 
Navi Mumbai Cooperetive Housewife Call Girls-9833754194-Natural Panvel Enjoye...
Navi Mumbai Cooperetive Housewife Call Girls-9833754194-Natural Panvel Enjoye...Navi Mumbai Cooperetive Housewife Call Girls-9833754194-Natural Panvel Enjoye...
Navi Mumbai Cooperetive Housewife Call Girls-9833754194-Natural Panvel Enjoye...priyasharma62062
 
Enjoy Night⚡Call Girls Patel Nagar Delhi >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Patel Nagar Delhi >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Patel Nagar Delhi >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Patel Nagar Delhi >༒8448380779 Escort ServiceDelhi Call girls
 
Booking open Available Pune Call Girls Wadgaon Sheri 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Wadgaon Sheri  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Wadgaon Sheri  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Wadgaon Sheri 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile
 
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Bookingroncy bisnoi
 

Recently uploaded (20)

call girls in Sant Nagar (DELHI) 🔝 >༒9953056974 🔝 genuine Escort Service 🔝✔️✔️
call girls in Sant Nagar (DELHI) 🔝 >༒9953056974 🔝 genuine Escort Service 🔝✔️✔️call girls in Sant Nagar (DELHI) 🔝 >༒9953056974 🔝 genuine Escort Service 🔝✔️✔️
call girls in Sant Nagar (DELHI) 🔝 >༒9953056974 🔝 genuine Escort Service 🔝✔️✔️
 
Booking open Available Pune Call Girls Talegaon Dabhade 6297143586 Call Hot ...
Booking open Available Pune Call Girls Talegaon Dabhade  6297143586 Call Hot ...Booking open Available Pune Call Girls Talegaon Dabhade  6297143586 Call Hot ...
Booking open Available Pune Call Girls Talegaon Dabhade 6297143586 Call Hot ...
 
Diva-Thane European Call Girls Number-9833754194-Diva Busty Professional Call...
Diva-Thane European Call Girls Number-9833754194-Diva Busty Professional Call...Diva-Thane European Call Girls Number-9833754194-Diva Busty Professional Call...
Diva-Thane European Call Girls Number-9833754194-Diva Busty Professional Call...
 
TEST BANK For Corporate Finance, 13th Edition By Stephen Ross, Randolph Weste...
TEST BANK For Corporate Finance, 13th Edition By Stephen Ross, Randolph Weste...TEST BANK For Corporate Finance, 13th Edition By Stephen Ross, Randolph Weste...
TEST BANK For Corporate Finance, 13th Edition By Stephen Ross, Randolph Weste...
 
Mira Road Awesome 100% Independent Call Girls NUmber-9833754194-Dahisar Inter...
Mira Road Awesome 100% Independent Call Girls NUmber-9833754194-Dahisar Inter...Mira Road Awesome 100% Independent Call Girls NUmber-9833754194-Dahisar Inter...
Mira Road Awesome 100% Independent Call Girls NUmber-9833754194-Dahisar Inter...
 
Webinar on E-Invoicing for Fintech Belgium
Webinar on E-Invoicing for Fintech BelgiumWebinar on E-Invoicing for Fintech Belgium
Webinar on E-Invoicing for Fintech Belgium
 
VIP Call Girl Service Andheri West ⚡ 9920725232 What It Takes To Be The Best ...
VIP Call Girl Service Andheri West ⚡ 9920725232 What It Takes To Be The Best ...VIP Call Girl Service Andheri West ⚡ 9920725232 What It Takes To Be The Best ...
VIP Call Girl Service Andheri West ⚡ 9920725232 What It Takes To Be The Best ...
 
Top Rated Pune Call Girls Dighi ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated  Pune Call Girls Dighi ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated  Pune Call Girls Dighi ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Dighi ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
Call Girls Banaswadi Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...
Call Girls Banaswadi Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...Call Girls Banaswadi Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...
Call Girls Banaswadi Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...
 
Vasai-Virar Fantastic Call Girls-9833754194-Call Girls MUmbai
Vasai-Virar Fantastic Call Girls-9833754194-Call Girls MUmbaiVasai-Virar Fantastic Call Girls-9833754194-Call Girls MUmbai
Vasai-Virar Fantastic Call Girls-9833754194-Call Girls MUmbai
 
VIP Call Girl in Mumbai 💧 9920725232 ( Call Me ) Get A New Crush Everyday Wit...
VIP Call Girl in Mumbai 💧 9920725232 ( Call Me ) Get A New Crush Everyday Wit...VIP Call Girl in Mumbai 💧 9920725232 ( Call Me ) Get A New Crush Everyday Wit...
VIP Call Girl in Mumbai 💧 9920725232 ( Call Me ) Get A New Crush Everyday Wit...
 
falcon-invoice-discounting-unlocking-prime-investment-opportunities
falcon-invoice-discounting-unlocking-prime-investment-opportunitiesfalcon-invoice-discounting-unlocking-prime-investment-opportunities
falcon-invoice-discounting-unlocking-prime-investment-opportunities
 
Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...
Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...
Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...
 
(INDIRA) Call Girl Mumbai Call Now 8250077686 Mumbai Escorts 24x7
(INDIRA) Call Girl Mumbai Call Now 8250077686 Mumbai Escorts 24x7(INDIRA) Call Girl Mumbai Call Now 8250077686 Mumbai Escorts 24x7
(INDIRA) Call Girl Mumbai Call Now 8250077686 Mumbai Escorts 24x7
 
Booking open Available Pune Call Girls Shivane 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Shivane  6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Shivane  6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Shivane 6297143586 Call Hot Indian Gi...
 
Gurley shaw Theory of Monetary Economics.
Gurley shaw Theory of Monetary Economics.Gurley shaw Theory of Monetary Economics.
Gurley shaw Theory of Monetary Economics.
 
Navi Mumbai Cooperetive Housewife Call Girls-9833754194-Natural Panvel Enjoye...
Navi Mumbai Cooperetive Housewife Call Girls-9833754194-Natural Panvel Enjoye...Navi Mumbai Cooperetive Housewife Call Girls-9833754194-Natural Panvel Enjoye...
Navi Mumbai Cooperetive Housewife Call Girls-9833754194-Natural Panvel Enjoye...
 
Enjoy Night⚡Call Girls Patel Nagar Delhi >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Patel Nagar Delhi >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Patel Nagar Delhi >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Patel Nagar Delhi >༒8448380779 Escort Service
 
Booking open Available Pune Call Girls Wadgaon Sheri 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Wadgaon Sheri  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Wadgaon Sheri  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Wadgaon Sheri 6297143586 Call Hot Ind...
 
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Booking
 

Data Protection - GDPR - Lantern fundforum 2017 Leonardi Andrea - Michelotti Stefano

  • 1. Lugano (CH), 20 and 21 November 2017
GDPR AND GRC: GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE FOR DATA PROTECTION
Andrea LEONARDI - Stefano MICHELOTTI
A partner of Minerva Group Service

  • 2. SPEAKERS
LEONARDI, Andrea (CONSULTANT, TRAINER, AUDITOR – MINERVA GROUP SERVICE)
Graduating from Bocconi University with over 20 years' experience in several industries, functions and projects, Andrea LEONARDI is Co-Founder and Vice President of Minerva Group Service s.c.c.p.a, a company focused on providing advisory, training and audit services. He is advisor, trainer and auditor for GDPR and related ISO standards (e.g. ISO 27001 Information Security Management System, ISO 20000-1 IT Service Management System, ISO 22301 Business Continuity Management System).
http://www.linkedin.com/pub/andrea-leonardi/18/2a3/442
@AndreaLeonardix
MICHELOTTI, Stefano (CHAIRMAN – MINERVA GROUP SERVICE)
Stefano MICHELOTTI is Co-Founder and Chairman of Minerva Group Service s.c.c.p.a, a cooperative joint stock consortium company that is the hub of a network of companies (consortium companies). Minerva Group Service is strongly committed to providing professional and business services (e.g. GRC, GDPR, ISO Management System, Cybersecurity, Project Management, etc.). He is advisor, trainer and auditor for GDPR, Risk Management (ISO 31000) and Compliance Management (ISO 19600).
https://www.linkedin.com/in/stefano-michelotti-49a30418/
@StefanoArchisto
www.minervagroupservice.it

  • 3. GDPR IS LANDING ON YOUR PLANET … ARE YOU READY?
GDPR: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
What and When? Processing (automated means or other) of personal data; 25 May 2018. Tempus fugit ….
Who and Where? EU Data Subjects; Controller; Personal data.
Why? Personal data: “information relating to an identified or identifiable natural person (‘data subject’)”. No GDPR (compliance)?! No (Business) Party … and huge administrative fines! Supervisory Authority: fines up to 4 % of the total worldwide annual turnover.
How? Governance, Risk Management, Compliance: a GRC road map to GDPR … following ISO Management Systems!

  • 4. What? GDPR
Foreword (173 items)
CHAPTER I General provisions
CHAPTER II Principles
CHAPTER III Rights of the data subject
  Section 1 Transparency and modalities
  Section 2 Information and access to personal data
  Section 3 Rectification and erasure
  Section 4 Right to object and automated individual decision-making
  Section 5 Restrictions

  • 5. What? GDPR
CHAPTER IV Controller and processor
  Section 1 General obligations
  Section 2 Security of personal data
  Section 3 Data protection impact assessment and prior consultation
  Section 4 Data protection officer
  Section 5 Codes of conduct and certification

  • 6. What? GDPR
CHAPTER V Transfers of personal data to third countries or international organisations
CHAPTER VI Independent supervisory authorities
  Section 1 Independent status
  Section 2 Competence, tasks and powers
CHAPTER VII Cooperation and consistency
CHAPTER VIII Remedies, liability and penalties
CHAPTER IX Provisions relating to specific processing situations
CHAPTER X Delegated acts and implementing acts

  • 7. Who? GDPR – CHAPTER I General provisions
“This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system”
GDPR applies to: DATA SUBJECT – PERSONAL DATA – PROCESSING – FILING SYSTEM

  • 8. Who? GDPR – CHAPTER I General provisions
PERSONAL DATA: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
Examples: genetic data; biometric data; data concerning health

  • 9. Who? GDPR – CHAPTER I General provisions
PROCESSING (of PERSONAL DATA): “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
Profiling: “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”
Pseudonymisation: “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”

  • 10. Where? GDPR – CHAPTER I General provisions
“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
“…This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
CONTROLLER / PROCESSOR established in EU: PROCESSING (EU or EXTRA EU) – DATA SUBJECT
CONTROLLER / PROCESSOR NOT established in EU: PROCESSING – OFFERING goods or services – Monitoring of behaviour – DATA SUBJECT

  • 11. Why? GDPR – CHAPTER VIII Remedies, liability and penalties
SUPERVISORY AUTHORITY (e.g. for Italy): imposition of administrative fines – effective, proportionate and dissuasive.

  • 12. Why? GDPR
COMPANY (CONTROLLER / PROCESSOR) – Infringements of the following provisions: obligations of the controller and the processor – Art. 8, Art. 11 (CHAPTER II Principles); Art. 25–39, Art. 42–43 (CHAPTER IV Controller and processor)
Administrative fines up to 10 000 000 EUR, or up to 2 % of the total worldwide annual turnover of the preceding financial year

  • 13. Why? GDPR
COMPANY – PROCESSING – DATA SUBJECT – Infringements of the following provisions: basic principles for processing – Art. 5, Art. 6, Art. 7, Art. 9 (CHAPTER II Principles); rights of the data subject – Art. 12–22 (CHAPTER III Rights of the data subject)
Administrative fines up to 20 000 000 EUR, or up to 4 % of the total worldwide annual turnover of the preceding financial year

  • 14. How? GDPR – GRC: Governance, Risk Management, Compliance for Data Protection
GOVERNANCE: ISO 29100 (PRIVACY)
RISK MANAGEMENT: ISO 31000, ISO 29134
COMPLIANCE: ISO 19600, ISO 19011

  • 15. How? GDPR
ISO 29100: Standard ISO 29100:2011 «Information technology – Security techniques – Privacy framework»
ISO 31000: Standard ISO 31000:2009 “Risk management — Principles and guidelines”
ISO 19600: Standard ISO 19600:2014 «Compliance management systems — Guidelines»
ISO 29134: ISO/IEC 29134 “Information technology — Security techniques — Guidelines for privacy impact assessment”
ISO 19011: Standard ISO 19011:2011 “Guidelines for auditing management systems”

  • 16. How? GDPR – ISO 29100 PRIVACY FRAMEWORK
PII mapping – Roles, responsibilities and interactions – Principles – Policies – CONTROLS – COMPLIANCE
CONTROLLER (GDPR): “…the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…”
PROCESSOR (GDPR): “…natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;..”
PROCESSING (GDPR): “…records of processing activities”
CONTROLS (GDPR): “…appropriate technical and organisational measures”
Principles (GDPR Principles)

  • 17. How? GDPR – DATA PROTECTION OFFICER
“..to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions; ..” (ISO 19600)
“…to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits; …” (ISO 19600, ISO 19011, ISO 27001)
“…to cooperate with the supervisory authority..”
“…to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.” (ISO 29134)

  • 18. How? GDPR – ISO 31000 RISK MANAGEMENT FRAMEWORK
Establishing the context: establishing the external context; establishing the internal context
Risk assessment: risk identification; risk analysis; risk evaluation
Risk treatment
GDPR: “…appropriate technical and organisational measures”; “…Taking into account the nature, scope, context and purposes of processing…”; “…the risks of varying likelihood and severity for the rights and freedoms of natural persons..”

  • 19. How? GDPR – ISO 29134
Process for conducting a PIA: General; Preparing the grounds for PIA; Determine whether a PIA is necessary (threshold analysis); Preparation of the PIA; Perform the PIA; Follow the PIA
PIA Report structure: General; Scope of PIA; Risk Assessment; Risk Treatment Plan; Conclusions and Decisions; PIA Public Summary; Annex A (informative) Scale criteria on the level of impact and on the likelihood

  • 20. How? GDPR – ISO 19600 COMPLIANCE MANAGEMENT FRAMEWORK
GDPR Compliance – SUPERVISORY AUTHORITY – Privacy Shield – Code of Conduct – Certification – Standards – Legal, contractual, regulatory, technical requirements

  • 21. How? GDPR – GRC
IT SERVICE: ISO 20000-1; INFORMATION SECURITY: ISO 27001; BUSINESS CONTINUITY: ISO 22301
GDPR: “…appropriate technical and organisational measures”

  • 22. How? GDPR
ISO 20000-1: Standard ISO/IEC 20000-1:2011 «Information technology — Service management — Part 1: Service management system requirements»
ISO 27001: Standard ISO/IEC 27001:2013 «Information technology — Security techniques — Information security management systems — Requirements»
ISO 22301: Standard ISO 22301:2012 “Societal security — Business continuity management systems — Requirements”

  • 23. How? GDPR – SMS ISO 20000-1 and relationships with ISMS ISO 27001 and BCMS ISO 22301
SMS ISO 20000-1 PROCESS: Design and transition of new or changed services
Control processes: Configuration management; Change management; Release and deployment management
Service delivery processes: Capacity management; Service continuity & availability management (ISO 22301; ISO 27001 Annex A, A.17); Service level management; Information security management (ISO 27001, Annex A); Budgeting & accounting for services; Service reporting
Resolution processes: Incident and service request management; Problem management
Relationship processes: Business relationship management; Supplier management

  • 24. How? GDPR – SMS ISO 20000-1 and main relationships with GDPR
SMS ISO 20000-1 PROCESS: Design and transition of new or changed services (GDPR: Privacy by design, Privacy by default; Privacy Impact Assessment)
Control processes: Configuration management; Change management; Release and deployment management
Service delivery processes: Capacity management; Service continuity & availability management; Service level management; Information security management (GDPR: Privacy breach); Budgeting & accounting for services; Service reporting
Resolution processes: Incident and service request management (GDPR: Rights of the data subject); Problem management
Relationship processes: Business relationship management; Supplier management (GDPR: External processors and third parties)

  • 25. How? GDPR – DATA PROTECTION
PERSONAL DATA – INFORMATION SECURITY (ISO 27001: DOC, IT) – IT SECURITY – «CYBERSECURITY» (ISO 27032) – cloud (ISO 27018) – PHYSICAL SECURITY – HR AND ORGANIZATIONAL SECURITY
ISO 27018: Standard ISO/IEC 27018:2014 “Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors”
ISO 27032: Standard ISO/IEC 27032:2012 «Information technology — Security techniques — Guidelines for cybersecurity»

  • 26. How? GDPR – ISO 27001
Information Security Objectives: Integrity, Availability, Confidentiality of DATA
Assets: IT, SW – Processing – Threat – Vulnerability – Incident – Physical and Environmental security perimeter

  • 27. How? GDPR – ISO 27001 Annex A
A.5 Information Security Policy
A.6 Organization of Information Security
A.7 Human Resource Security
A.8 Asset Management
A.9 Access Control
A.10 Cryptography
A.11 Physical and Environmental Security
A.12 Operations Security
A.13 Communication Security
A.14 System Acquisition, Development and Maintenance
A.15 Supplier Relationships
A.16 Information Security Incident Management
A.17 Information Security Aspects of Business Continuity
A.18 Compliance
GDPR: “…appropriate technical and organisational measures”

  • 28. How? GDPR – ISO 27001 Annex A (ISO 19600)
CLAUSE: A.18 Compliance
CONTROL OBJECTIVE: A.18.1 Compliance with legal and contractual requirements
CONTROL: A.18.1.4 Privacy and protection of personally identifiable information (PII)

  • 29. How? GDPR – ISO 22301
BUSINESS IMPACT ANALYSIS (BIA): PROCESSING – DATA – DATA SUBJECT – Impact – Loss of Availability
RISK ASSESSMENT (ISO 31000, ISO 29134) – Incident – DISRUPTION – RESILIENCE
BUSINESS CONTINUITY STRATEGY – BUSINESS CONTINUITY PLANS – TESTING AND EXERCISING
GDPR: Privacy by design, Privacy by default; (PIA) Privacy Impact Assessment; Privacy breach

  • 30. GDPR: AN INFOGRAPHIC … and relationships with main ISO standards
GDPR: purposes of processing – DATA PROCESSING: operations on data (Storage, Transmission, Dissemination) – EU Data Subjects
GOVERNANCE (ISO 29100): Controller; Processors & Data handlers (internal and external); DPO Designation; Records of processing activities; Information & Consent; Rights of the Data Subject; Training and Awareness
RISK MANAGEMENT (ISO 31000, ISO 29134): Risk (confidentiality, integrity, availability); Privacy Impact Assessment; Personal data breach; Resilience
COMPLIANCE (ISO 19600): Issues of Supervisory Authority
GRC in data processing – Perimeter and means in data processing: ORGANIZATION & HR; PHYSICAL SITES (including external Datacenter); INFORMATION TECHNOLOGY («privacy by default & privacy by design», «cybersecurity», cloud) – ISO 27001, ISO 27018, ISO 22301, ISO 20000-1
Technical and organisational measures: doc, procedures, IT
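Slide 9 quotes the GDPR definition of pseudonymisation: data that "can no longer be attributed to a specific data subject without the use of additional information", where that additional information is kept separately under its own technical and organisational measures. The following is an added example (not code from the presentation or from Minerva Group Service) showing one way a controller can implement that definition in Python: a keyed pseudonym (HMAC-SHA256) replaces the direct identifier, the key and the re-identification table are the separately held "additional information", and a check shows why an unkeyed hash of a low-entropy identifier such as an e-mail address does not meet the definition. The sample records, the field names and the key are constructed for illustration.

```python
"""Pseudonymisation in the GDPR Art. 4(5) sense (added example, constructed data)."""
import hashlib
import hmac
import secrets

# Constructed sample dataset: each record carries a direct identifier (email).
SAMPLE_RECORDS = [
    {"email": "mario.rossi@example.com", "department": "Finance", "salary_band": 3},
    {"email": "anna.bianchi@example.com", "department": "IT", "salary_band": 4},
    {"email": "Mario.Rossi@example.com", "department": "Finance", "salary_band": 3},
]


def new_pseudonymisation_key() -> bytes:
    """The 'additional information': a random secret the controller keeps
    separately from the pseudonymised dataset (e.g. in a KMS or HSM)."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym over the normalised identifier.
    Deterministic, so records of one subject stay linkable for analytics,
    but not recomputable by anyone who does not hold the key."""
    norm = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, norm, hashlib.sha256).hexdigest()[:32]


def pseudonymise(records: list, key: bytes) -> tuple:
    """Return (pseudonymised dataset, re-identification table).
    The table maps pseudonym -> identifier and must live in a separate store
    with its own access controls, like the key."""
    pseudonymised, lookup = [], {}
    for rec in records:
        p = pseudonym(rec["email"], key)
        lookup[p] = rec["email"].strip().lower()
        out = {k: v for k, v in rec.items() if k != "email"}
        out["subject_id"] = p
        pseudonymised.append(out)
    return pseudonymised, lookup


def reidentify(subject_id: str, lookup: dict):
    """Attribution back to a data subject is only possible with the
    separately held table (e.g. to honour an access or erasure request)."""
    return lookup.get(subject_id)


def unkeyed_hash(identifier: str) -> str:
    """Counter-example: a plain hash of a low-entropy identifier."""
    norm = identifier.strip().lower().encode("utf-8")
    return hashlib.sha256(norm).hexdigest()[:32]


def attributable_without_key(value: str, candidates: list, func) -> bool:
    """Check used when reviewing a scheme: can a party WITHOUT the additional
    information attribute a pseudonym by recomputing func over plausible
    identifiers? True means the data are still attributable, i.e. the scheme
    is not pseudonymisation in the Art. 4(5) sense."""
    return any(func(c) == value for c in candidates)


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    data, table = pseudonymise(SAMPLE_RECORDS, key)
    print(data)
    print("re-identified:", reidentify(data[1]["subject_id"], table))
    known = [r["email"] for r in SAMPLE_RECORDS]
    print("unkeyed hash attributable:",
          attributable_without_key(unkeyed_hash(known[0]), known, unkeyed_hash))
    print("keyed pseudonym attributable:",
          attributable_without_key(data[0]["subject_id"], known, unkeyed_hash))
```

The two checks at the end make the slide's point concrete: with a plain hash anyone holding a list of likely identifiers can attribute the records, so the "additional information" has not really been separated; with the keyed pseudonym, attribution requires the key or the table, which is exactly what the controller must protect under Article 32 measures and record as such.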