Gdpr action plan 2017

Règlementeuropéenpourlaprotectiondespersonnesphysiques
àl'égarddutraitementdesDCP
1Copyright Ageris Group – Reproduction interdite Tél. : +33 (0) 3 87 62 06 00 www.ageris-training.com
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016
on the protection of natural persons with regard to the processing of personal data and on the free movement of
such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
ACTION PLAN
Version 2.02
Trainer : Denis Virole

Action Plan

3
Reinforced commitment
Reinforced DS rigths Reinforced security
obligations
Ability to prove compliance
Action Plan

The methodology :
• Must be adapted to the maturity level of the organization : a progressive approach step by step
• Must involve the executive committee
• Must focus on organizational and technical aspects
• Must define policies and procedures
• Must appoint a project leader
Action Plan

Action Plan : Actors Identification
Project leader

6
Demonstrate
the
complinance
with GDPR
May 2018
Code of conduct
5
Audit of legal
obligations
+
Labellization
+
+
Audit of security
measures4
+
PIA
+
Sécurity by
design
3
Respect of DS
rights
+
Relations with SA
+
Contracts
+
Security
obligations
+
Additional
security tools
Sécurity by
default
2
Private life
protection policy
ISS policy
Organization
Notification PD
breach
Register
1
ISS PD protection
Awareness
CEO
Core business
IT team
users
1 2 3 4 5 6
Current
situation
Inexistent
practices
Incomplete
practices
Basic practices
with a weak
commitment
from the CEO
Formalized
process
understood by the
organism with a
strong
commitment from
each level
Managed and
audited process
which corrects
flaws
Optimized Process
6

Analysis and comments from AGERIS Group
The total number of administrative sanctions has considerably increased
Action Plan : C Awareness

Article 25
Security by design and
by default
Article 30
Register
Article 31
Cooperation with SA
Article 32
Security Processing
Article 33
Notification data
breach to the SA
Article 34
Communication of a
personal data breach
to the DS
Article 35
PIA
Article 36
Prior Consultation le
Action Plan : C Awareness

1. Participate in the
awareness of
employees
8. Handle IT tools
2. Identify P
Assess sensitivity
Define potential
damages
Participate in PIA
7. Handle documents
with PD
3. Manage
accreditations
6. Respect best
practices off site and
on site
4. Identify and manage
personal who process
sensitive PD
5. Manage compliance
during
subcontracting
9.Checking
9
Action Plan : Intermediate managers Awareness

Reinforcing security
La mise en œuvre de politiques :
•Strategic stakes , methodology
ISS policy
• Operational rules
Information Protection
Policy
Commintment to information security
• Commitments
Private life Protection
Policy
• Functional rules
Guides and procedures
10
Action Plan : Policies

Organization
Hierarchical link Functional link
PD Protection
ISS Functional
link
Steering comitee
Managers
Relays
CEO
11
Action Plan : Organization

DPO CISO IT / P
Advice
C
C obligations
PD and P identification
DS rights
PIA Validation
Stakes
Perimeters
Residual risks validation
Participe in the awareness
Core
business
Potential damages
Cor business vulnerabilities
Threat
IT vulnerabilities
IT
P
Source of risks
Level of risks
Participe
Risk management
Formalize the needs and C
objectives
Check compliance
Formalize functional ISS
rules
Check compliance
Integrate rules in IT
solutions
Training All
PD usage
DS rights respect
IT resources usage Security By design
Watch Legal IT
Participe
Checking
Core
business
IT
p
Compliance with
• the GDPR
• Code of conduct
Compliance with ISS policy
Cooperate with the AS SA : CNPD / CNIL
ENISA / ANSSI
Luxembourg/ France
Contact Point For the AS and DS For P and users

• Certain rules are identified as constraints
• Native security (security bu design) could be percieved as a
• In all cases there are divergents analyses
• Between Core Business and DPO
• Between Core Business and IT Team
• Between Core business, IT Team on one hand and the other and ISS Team
• Between Cor Business and IISS Team
• Between DPO and CISO
Arbitration needs Arbitre
• Between Core Business and DPO
• Between Core Business and IT Team
• Between Core business, IT Team on one hand and the other and ISS Team
• Between Cor Business and IISS Team
• Between DPO and CISO
Steering Commitee
Validation Steering Commitee
Action Plan : Steering and validation committee

incident reporting:
• Loss of Confidentiality
• Loss of Integrity
• Loss of availibility
• Description of the data breach
• C and DPO id Communication ,
• Description of conséquences
• Description of security measures taken
• Communication to the DS
Action Plan : Data breach notification

Synthesis
1 Provide information in a clear and concise manner
2 C should never refuse to give information except if he cannot identify the DS
3 When the DS uses an electronic network the C must responde via the same network
4 If C doesn't respond, he has to give to the DS the reason and he reminds the right for the DS to lodge a complaint
5 No payment should be requested
6 C must check DS id
7 It is allowed to use symbols and icons if they are understandable
Action Plan : DS rights procedures

Contrat
PD management – art. 28
1.P PD only in written instructions provided by C
2. Confidentiality duty,
3.Organiszational and technical measures to secure p of PD
4.Obtain authorization from C to use an another P
5.Assist C to manage DS access rights
6.Comply with GDPR rules (notification, PIA, …).
7.Erasing PD under C instruction
8.Make proof available
Action Plan : Contracts

Severity
4. Maximal
3. Important
2. Limited
1. Negligeable
Risks mapping
1. Negligeable 2. Limited 3. Important 4. Maximal
Likelihood
Illegal
acces
Illegal
acces
Action Plan : PIA

4. Decision
4.1 Evaluation
No Yes
4.2 Objectifs 4.3 Action Plan
4.4 Validation
Decision : The validation of the PIA
Objective is to necide to accept or not residual risks
Source : – CNIL http://www.cnil.fr
Action Plan : PIA

Requirements relative the policy Requirements relative to the DPO
Requirements relative to
the compliance
checking in the timeRequirements relative to
DS rights
the loging
the data breach
the training
Action Plan : Checking

1.The MS, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct
intended to contribute to the proper application of this Regulation, taking account of the specific features of the various
processing sectors and the specific needs of micro, small and medium-sized enterprises.
2.Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or
amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:
• fair and transparent processing
• the legitimate interests pursued by controllers in specific contexts
• the collection of PD
• the pseudonymisation of PD
• the information provided to the public and to data subjects
• the exercise of the rights of data subjects
• the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental
responsibility over children is to be obtained;
• (the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred
to in Article 32;
• the notification of PD breaches to supervisory authorities and the communication of such PD data breaches to data
subjects;
• the transfer of PD to third countries or international organisations; or
• out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and DS with
regard to processing, without prejudice to the rights of DS pursuant to Articles 77 and 79.
Action Plan : Codes of Conduct

Action Plan : Certification
Article 42 Certification
1.The MS, the SA, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection
certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation
of processing operations by controllers and processors.
The specific needs of micro, small and medium-sized enterprises shall be taken into account. 4.5.2016 L 119/58 Official Journal of
the European Union EN

Organization
• Regulations
• Trainings
• Methodology
• Directives
• Procedures
• Checking et Proves
• Sanctions
• Technology
Commitment
• CEO / C
• Directions
• Managers
• Administrators
• Users
Relativity
PD Sensitivity
And stakes
• Potentiality
• Impacts Private life
• Rules

Gdpr action plan 2017

Recommended

Recommended

More Related Content

Similar to Gdpr action plan 2017

Similar to Gdpr action plan 2017 (20)

Recently uploaded

Recently uploaded (20)

Gdpr action plan 2017