
GDPR From the Trenches - Real-world examples of how companies are approaching compliance.


As GDPR enforcement approaches, companies around the world are making changes to their internal processes and systems to ensure they are compliant by May 2018. For many, getting started can be a daunting task, especially at larger organizations.

There’s no one-size-fits-all strategy for GDPR compliance, but there are some steps that every business should take:

1. Document the data and processes that power your organization
2. Assess the realistic compliance risks that you need to protect against
3. Keep your documentation up-to-date to demonstrate continuous compliance

In this slide deck, you’ll read about a real-world example of a company that has started their compliance project and how they structured it.

A recording of this webinar is available for free here: http://bit.ly/2hMsQmu

Published in: Software

  1. GDPR From the Trenches: Real-world examples of how companies are approaching compliance. Magnus Valmot (Ardoq), Simen Breen (SANDS), Per Franzén (Telia Norge), Ian Stendera (Ardoq)
  2. Ask Questions
  3. Simen Breen, SANDS
  4. Seeking legal counsel to help you structure compliance projects and assess risk. Simen Breen | Senior Lawyer | SANDS
  5. How to start working with the GDPR?
     • The nature of the GDPR
     • The GDPR is not sector specific and there is no threshold for the applicability
     • Work in a structured way from the beginning, and prioritize your efforts
     • Before you get down to the details of the GDPR you
       … need to know what you are doing with personal data
       … need to know what to prioritize
  6. There is no easy way out
     • No one-size-fits-all strategy for GDPR compliance
     • GDPR does not impact all businesses the same way, and the starting position is different
     • Most checklists are either incomplete or so vague that they don’t really help
     • First steps should be the same:
       • Establish a project team
       • A mapping of personal data processing activities
       • A mapping of compliance with existing requirements on personal data protection and mapping of existing policies, documentation etc.
  7. Establish a project team
     • A GDPR compliance project must have sufficient internal resources to succeed
     • Including the relevant people in your organization is key
     • The project team needs to have basic knowledge of GDPR and the reason for doing the mapping process
     • The project manager and the team must be given sufficient time and resources
     • The project team should be able to make decisions without time-consuming internal processes
     • External advice if necessary: legal and information security
  8. Mapping the processing of personal data
     • What types of personal data you process
     • What are the purposes of the processing
     • What are the legal bases for your processing activities
     • What is the source of the data
     • Where is the data and what systems are used
     • Who is responsible for the processing and the data systems
     • How many persons does the processing comprise
     • Use of data processors
     • Transfer of data out of the EU/EEA
     • Activities as data processor
     • How to document this?
  9. Mapping of your processing activities is necessary for deciding how to go forward
     • Knowing what processing of personal data the business does is necessary to fulfill the requirements in the GDPR
     • Being able to understand which requirements are relevant for your business
     • Being able to concretize the principles etc. to requirements
     • Being able to make instructions and procedures that actually work in practice
  10. Mapping of your processing activities is necessary for deciding how to go forward
     • To be able to make priorities (if necessary)
     • Priorities should not be made based on assessing the article in itself
     • Priorities should be made considering the processing activities and the risks related thereto
     • Which processing operations are high risk (to the rights and freedoms of natural persons, or legal risk) or business critical
  11. Get it right from the start
     • You have to structure your compliance project based on your business
       ▪ Your data processing is the key
       ▪ Current compliance status is relevant – depending on jurisdiction
     • Even though the legal requirements are the same for everyone, their practical effects vary greatly
     • A risk-based approach
  12. Contact: Simen Evensen Breen, seb@sands.no, +47 928 20 300, +47 22 81 46 24
  13. Per Franzén, Telia Norway
  14. Experience from an “overwhelmed” project manager. Per Franzén, Project Manager
  15. EXPERIENCE FROM A PROJECT MANAGER: OVERWHELMING AMOUNT OF GDPR TERMINOLOGY AND INSTRUCTIONS (word cloud: Data minimization, Individual Rights, Purpose limitation)
     - Where do I start?
     - Are there any guidelines?
     - How does the GDPR terminology and instructions relate, or do they?
  16. “REACHING COMPLIANCE LEVEL ON GDPR IS KEY FOR OUR BUSINESS AND THEREFORE ONE OF OUR TOP PRIORITIES UNTIL JUNE 2018.” THIS IS THE GUIDANCE FROM TELIA CORPORATE MANAGEMENT (GEM AMBITION)
  17. [Diagram: Telia Norge GDPR compliance project – business vision and drivers, GDPR and Norwegian legal requirements, EA and IT governance, GDPR work stream in Group Security & Privacy, stakeholders, related projects and activities, accountable business units, and GSO deliverables] IN JANUARY 2017 I STARTED STRUCTURING THE PROJECT, AFTER WHICH WE SPENT 2 MONTHS ON THE AS-IS ANALYSIS, AND 1 MONTH ON GAP ANALYSIS
  18. AFTERWARDS I REALIZED THAT GDPR RIGHTS AND PRINCIPLES ARE BASED ON THE MANAGEMENT OF CUSTOMER AND EMPLOYEE PERSONAL DATA [Diagram: customer and employee privacy data, data governance, individual rights and data protection principles across Telia Norge AS resources (OSS, BSS, portals), partners, data processors and the authority, with accountability at the centre]
  19. BUSINESS ARCHITECTURE – HOW DOES GDPR RELATE TO TODAY’S OPERATIONS? [Diagram: accountability, purposes and legal grounds (legal requirement, performance of contract, legitimate interests, individual’s consent) linked to customer/employee privacy data, business process roles, processes (TM Forum eTOM L3), systems (OSS, BSS, portal), IT system roles in IdM, GDPR individual-rights and data-protection-principles functionality, privacy by design and policies; several elements marked “Will be defined by GDPR Project”]
  20. ACCOUNTABILITY IS CENTRAL – TARGET ARCHITECTURE QUALITY SYSTEM (NOW BUILT IN ARDOQ) [Diagram: Common Information Model as the single consistent representation for all management data; Management Data (AS-IS) and (TO-BE), GDPR law, Controls (Gap) and Observations]
  21. THE MODEL WE USE FOR WORKING IN ARDOQ [Diagram: AS-IS → GDPR compliance → TO-BE, with Observations]
  22. OUR COMMON INFORMATION MODEL (CIM) IS CENTRAL (WORK IN PROGRESS)
  23. SOME EXAMPLE MODELS – EVERYTHING IS CONNECTED IN OUR CIM
  24. HOW WE LINK THE REGULATION TO TELIA NORGE’S DAILY OPERATIONS
  25. WHY DO WE USE ARDOQ AND NOT EXCEL?
     1. Value adding
        • When we first gather so much information, it should be usable across the organization
        • Our IT solution to provide automated GDPR Individual rights and related GDPR Data protection principles is using Ardoq as a Policy/Rule engine
     2. Maintenance – keeping information up-to-date continuously
        • Ardoq has support for automating via integrations (input and output) and simplifies manual documentation
        • We can automate Controls (Gaps) to verify compliance to GDPR (Observations)
        • GDPR Training for Personnel will be using data from Ardoq – will be personalized
     3. Traceability
        • We need to be able to trace how everything is connected and how they impact each other
        • We now have an AS-IS status of the relations between data elements in the CIM and can run predefined queries
  26. Ian Stendera, Ardoq
  27. Lessons Learned. Ian Stendera, VP of Customer Development at Ardoq
  28. Lessons Learned
     • Compliance is continuous
     • Define realistic scope
     • Think structured
  29. Continuous Compliance [Timeline: May 2018, Nov 2018, May 2019, with recurring check marks and a risk axis]
  30. Continuous Compliance [Cycle: Document, Optimize, Implement, Analyze]
  31. Define Scope
  32. Define Scope
  33. Think Structured [comparison image]
  34. Think Structured: handling attendees’ personal data
      Org Unit | Personal Data Captured | Sensitive Data? | Processing Purpose | Source | Lawful Basis | Systems handling personal data | System Owner | # of Data Subjects | Transferred externally? | Handled outside of EU?
      --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
      Marketing | Name, Email, Telephone (optional), company | No | Manage Attendee Registration | Eventbrite webform | Consent | Eventbrite, Prosperworks, Excel | Marketing / Sales | 50 | Yes, systems are cloud SaaS solutions | No
      Marketing | Name, Email, Telephone (optional), company | No | Send Thank You and Presentations | Eventbrite webform | ? | MailChimp | Marketing | 50 | Yes, systems are cloud SaaS solutions | No
      Marketing | Name, Email, Telephone (optional), company | No | Register for Webinar | Eventbrite webform | Consent | Eventbrite | Marketing | 50 | Yes, systems are cloud SaaS solutions | No
  35. Our mission: Transform compliance from a cost to a value-adding process
  36. Thank you. That’s all folks!
  37. Questions? Magnus Valmot (Ardoq), Simen Breen (SANDS), Per Franzén (Telia Norge), Ian Stendera (Ardoq)
  38. Thanks! Stick around for a live Ardoq demo
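The register of processing activities from slide 34 and the "Controls (Gaps) → Observations" pattern from slides 20 and 25, as an added Python example (not code from the deck, from Telia or from Ardoq; the field names and the control rules are assumptions chosen to mirror the mapping questions on slide 8):

```python
"""Added example (not from the deck, Telia or Ardoq): the slide 34 register of
processing activities as data, with the "Controls (Gaps)" -> "Observations"
pattern from slides 20 and 25 run over it. Field names and rules are assumptions."""
from dataclasses import dataclass

@dataclass
class ProcessingActivity:
    org_unit: str
    personal_data: list
    sensitive: bool
    purpose: str
    source: str
    lawful_basis: str        # "?" marks an undecided basis, as on slide 34
    systems: list
    system_owner: str
    data_subjects: int
    transferred_externally: bool
    outside_eu: bool

ATTENDEE_DATA = ["Name", "Email", "Telephone (optional)", "company"]

# Constructed from the three rows of the slide 34 table.
REGISTER = [
    ProcessingActivity("Marketing", ATTENDEE_DATA, False, "Manage Attendee Registration",
                       "Eventbrite webform", "Consent", ["Eventbrite", "Prosperworks", "Excel"],
                       "Marketing / Sales", 50, True, False),
    ProcessingActivity("Marketing", ATTENDEE_DATA, False, "Send Thank You and Presentations",
                       "Eventbrite webform", "?", ["MailChimp"], "Marketing", 50, True, False),
    ProcessingActivity("Marketing", ATTENDEE_DATA, False, "Register for Webinar",
                       "Eventbrite webform", "Consent", ["Eventbrite"], "Marketing", 50, True, False),
]

def run_controls(register):
    """Apply every control to every activity; each failed control becomes an observation."""
    observations = []
    for a in register:
        tag = f"[{a.org_unit} / {a.purpose}]"
        if a.lawful_basis.strip() in ("", "?"):
            observations.append(f"{tag} lawful basis not documented")
        if not a.system_owner.strip():
            observations.append(f"{tag} no system owner assigned")
        if a.transferred_externally and not a.systems:
            observations.append(f"{tag} transferred externally but no receiving systems listed")
        if a.outside_eu:
            observations.append(f"{tag} handled outside the EU/EEA: transfer mechanism to document")
        if a.sensitive:
            observations.append(f"{tag} sensitive data: additional processing condition to document")
    return observations
```

Run against the slide 34 rows, the only observation is the undecided lawful basis ("?") for the thank-you mailing; re-running the same controls after each register update is the "continuous compliance" loop the deck describes.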
