1. European regulation for the protection of natural persons with regard to the processing of personal data
Copyright Ageris Group – Reproduction prohibited. Tel.: +33 (0) 3 87 62 06 00 www.ageris-training.com
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016
on the protection of natural persons with regard to the processing of personal data and on the free movement of
such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
ACTION PLAN
Version 2.02
Trainer: Denis Virole
The methodology:
• Must be adapted to the maturity level of the organization: a progressive, step-by-step approach
• Must involve the executive committee
• Must cover both organizational and technical aspects
• Must define policies and procedures
• Must appoint a project leader
Action Plan
Maturity staircase (six steps; each step builds on the measures of the steps below it):
Step 1: ISS and PD protection awareness, for the CEO, core business, IT team and users
Step 2: Private life (privacy) protection policy; ISS policy; organization; PD breach notification procedure; register of processing activities
Step 3 (security by default): respect of DS rights + relations with the SA + contracts + security obligations + additional security tools
Step 4 (security by design): PIA
Step 5: Audit of legal obligations + audit of security measures
Step 6: Demonstrate compliance with the GDPR (May 2018): code of conduct + labellization (certification)

Maturity scale used to rate the current situation (1 to 6):
1 Inexistent practices
2 Incomplete practices
3 Basic practices with a weak commitment from the CEO
4 Formalized process, understood by the organization, with a strong commitment from each level
5 Managed and audited process which corrects flaws
6 Optimized process
GDPR articles that drive the action plan:
Article 25: Data protection by design and by default
Article 30: Records of processing activities (register)
Article 31: Cooperation with the supervisory authority (SA)
Article 32: Security of processing
Article 33: Notification of a personal data breach to the SA
Article 34: Communication of a personal data breach to the data subject (DS)
Article 35: Data protection impact assessment (PIA)
Article 36: Prior consultation
Action Plan: Controller (C) awareness
Nine responsibilities of intermediate managers:
1. Participate in the awareness of employees
2. Identify processing operations: assess sensitivity, define potential damages, participate in the PIA
3. Manage accreditations (access authorisations)
4. Identify and manage personnel who process sensitive PD
5. Manage compliance during subcontracting
6. Respect best practices off site and on site
7. Handle documents containing PD
8. Handle IT tools
9. Checking
Action Plan: Intermediate managers awareness
Reinforcing security
Implementing policies (from the top-level commitment down to detailed procedures):
• Commitment to information security: commitments
• ISS policy: strategic stakes, methodology
• Information protection policy: operational rules
• Private life (privacy) protection policy
• Guides and procedures: functional rules
Action Plan: Policies
Roles and responsibilities, by role (DPO / CISO / IT and processing (P)):

Advice
- DPO: controller (C) obligations; PD and processing identification; DS rights; PIA validation
- CISO: stakes; perimeters; residual risk validation
- IT / P: participate in awareness

Risk management
- Core business side: potential damages; core business vulnerabilities
- IT side: threats; IT vulnerabilities
- Sources of risk and level of risk; IT / P participate

Rules and compliance
- DPO: formalize the needs and compliance objectives; check compliance
- CISO: formalize functional ISS rules; check compliance
- IT / P: integrate the rules in IT solutions

Training (all staff)
- DPO: PD usage; respect of DS rights
- CISO: IT resources usage
- IT / P: security by design

Watch
- DPO: legal
- CISO: IT
- IT / P: participate

Checking
- DPO: core business compliance with the GDPR and the code of conduct
- CISO: IT compliance with the ISS policy
- IT / P: processing

Cooperation with the SA
- DPO: CNPD (Luxembourg) / CNIL (France)
- CISO: ENISA / ANSSI

Contact point
- DPO: for the SA and the DS
- CISO: for processors and users
• Certain rules are identified as constraints
• Native security (security by design) could be perceived as a
• In all cases there are divergent analyses:
  • Between core business and DPO
  • Between core business and IT team
  • Between core business and IT team on one hand and the ISS team on the other
  • Between core business and ISS team
  • Between DPO and CISO
Arbitration needs an arbiter: the steering committee, which also acts as validation committee
Action Plan: Steering and validation committee
Incident reporting, triggered by:
• Loss of confidentiality
• Loss of integrity
• Loss of availability
Content of the notification:
• Description of the data breach
• Identity and contact details of the controller (C) and the DPO
• Description of the likely consequences
• Description of the security measures taken
• Communication to the DS
Action Plan: Data breach notification
Synthesis
1 Provide information in a clear and concise manner
2 C should never refuse to give information, except where it cannot identify the DS
3 When the DS uses an electronic channel, C must respond via the same channel
4 If C does not act on the request, it must give the DS the reason and remind the DS of the right to lodge a complaint
5 No payment should be requested
6 C must check the identity of the DS
7 Symbols and icons may be used if they are understandable
Action Plan: DS rights procedures
Contract
PD management – art. 28
1. Process PD only on written (documented) instructions from C
2. Confidentiality duty
3. Organisational and technical measures to secure the processing of PD
4. Obtain C's authorisation before engaging another processor
5. Assist C in handling DS rights requests
6. Comply with GDPR rules (breach notification, PIA, ...)
7. Erase PD on C's instruction
8. Make proof of compliance available
Action Plan: Contracts
Requirements to check, by area:
• the policy
• the DPO
• compliance
• checking over time
• DS rights
• logging
• data breaches
• training
Action Plan: Checking
Article 40 Codes of conduct
1. The Member States (MS), the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.
2. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:
• fair and transparent processing
• the legitimate interests pursued by controllers in specific contexts
• the collection of PD
• the pseudonymisation of PD
• the information provided to the public and to data subjects
• the exercise of the rights of data subjects
• the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;
• the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;
• the notification of PD breaches to supervisory authorities and the communication of such PD breaches to data subjects;
• the transfer of PD to third countries or international organisations; or
• out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and DS with regard to processing, without prejudice to the rights of DS pursuant to Articles 77 and 79.
Action Plan: Codes of Conduct
Action Plan: Certification
Article 42 Certification
1. The MS, the SA, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account. (Official Journal of the European Union, OJ L 119, 4.5.2016, p. 58)