Focal Point has been helping clients understand and implement GDPR plans for over a year now, and we’ve learned the key to a smooth GDPR implementation is taking the time to design a tactical, scalable implementation plan. Take a look at the pitfalls of implementation planning and tips and tricks for building and executing in our latest slideshare.
This presentation came from our recent webinar, The Keys to a Tactical, Scalable GDPR Implementation Plan. A recording is available on our website.
https://go.focal-point.com/webinar-gdpr-implementation-guide
Building a Tactical, Scalable GDPR Implementation Plan
1. The Keys to a Tactical, Scalable GDPR Implementation Plan
2. Meet the GDPR Team
Eric Dieterich, Principal, Data Privacy Practice
Franchesca Sanabria, Principal, Data Privacy Practice
Catherine Kim, Manager, Data Privacy Practice
3. About Focal Point
WHAT WE DO
We measure, control, and manage your data risks - reducing the impact of breach or data loss and protecting your most important assets.
HOW WE DO IT
Top experts from the most in-demand fields are embedded into each engagement and build deliverables that have a meaningful impact on your business.
WHO USES FOCAL POINT
Many of the most innovative organizations in the world, including 5 of the 10 largest companies in the U.S., rely on Focal Point to manage their data risks.
CORE SERVICE AREAS
▸Cyber security
▸Data privacy
▸Identity governance
▸Project advisory
▸Workforce development
▸Data analytics
▸Internal and IT audit
4. The Current GDPR Landscape
Challenge: Lack of prioritization and ownership of roadmap projects due to the cross-functional nature of the efforts.
Strategy: A risk-based approach to GDPR compliance.
Focus: Activities that establish baseline standards and processes to support privacy operations.
Challenge: Inconsistent interpretations of requirements leading to various approaches, though they are narrowing.
5. Pitfall #1: Misinterpreting the Definition of Personal Data
GDPR’s new definition of personal data changes the landscape for many organizations in the way they think about what is and what is not personal data.
The GDPR definition of personal data: “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
6. Pitfall #2: Complex and Extensive GDPR Articles
The GDPR contains 99 Articles defining the implementation standards of the regulation; however, approximately 36 Articles are typically relevant for organizations acting in the capacity of a controller or processor.
Considering a logical grouping of the GDPR Articles allows for a more efficient and structured approach for alignment.
Sample grouping (columns: #, Topic, Article(s), Article(s) No., Sub-Article(s)):
1. Collection
   Article(s): Conditions for Consent; Personal Data Collected from the Data Subject; Personal Data not Obtained from the Data Subject
   Article(s) No.: Article 13; Article 14
   Sub-Article(s): Sub article 13(1), 13(2), 13(3) Information to be Provided where Personal Data are Collected from the Data Subject, Information to be Provided where Personal Data is Processed for other Purposes; Sub article 14(1), 14(2), 14(3), 14(4) Information to be Provided Where Personal Data have not been Obtained from the Data Subject
2. Consent
   Article(s): Personal Data Collected from the Data Subject; Personal Data not Obtained from the Data Subject
   Article(s) No.: Article 7; Article 8; Article 13
   Sub-Article(s): Sub article 7(1), 7(2) Demonstrating Consent and Demonstrating Consent with a Written Document from Data Subject; Sub article 7(3) Withdrawing Consent; Sub article 7(4) Separate Consent for Processing; Sub article 8(1), 8(2) Processing Personal Data of a Child with Consent; Sub article 13(1) Information to be Provided where Personal Data are Collected from the Data
7. Typical Sequence of Readiness Activities
Readiness & Benchmarking Activities -> Roadmap Design & Assignment of Project Tasks -> Implementation & Enhancement Activities for High Risk Processes -> Implementation & Enhancement Activities for Moderate Processes -> Operationalization of Privacy Program Functions
8. Pitfall #3: Inaccurate Scope of the Readiness Activities
▸Employee vs. Customer Personal Data
▸Determining in-scope locations, departments and systems
Two Common Approaches:
▸Targeted discovery based on known areas of collection, use, and storage of personal data.
▸Broad stroke approach with information gathering questionnaire and focus on discovery for higher risk processes.
9. Pitfall #4: “Owned by IT”
GDPR is not…
▸Only an IT effort
▸Only a privacy/legal effort
▸Something that tools alone can address
Technology & GDPR
Tools are frequently used to support the following:
▸Data Privacy Impact Assessment
▸Data Subject Rights
▸Encryption
▸Customer Requests
▸Data Masking
10. Pitfall #5: Underestimating Cross-functional Efforts
▸Several initiatives, such as Right to Erasure, Right to Data Portability, and other Data Subject Rights, require cross-functional efforts.
▸Unclear ownership of remediation activities leads to trouble.
Sample project-to-department mapping (Collaborative Departments: CorpIT, BUIT, Information Security, CorpLegal, BULegal, Finance, Human Resources, Medical, Marketing, Customer Care):
Implementation Project #: 4.1
Implementation Project: Enhance Consent Forms
Project Department Owner: Privacy
Collaborative Departments: ✔ ✔ ✔ ✔ ✔ ✔ ✔ (seven of the ten departments listed above)
11. GDPR: Grouping of Implementation Projects
▸Governance: Policies, procedures, and standards updates
▸Operations/Business: Business operations enhancements
▸System: Technical process updates or additions for in-scope systems
Sample project implementation attributes
Project Reference: 10.1.a Establish DPIA Program
Corp./Div.: Corp.
Collaborative Departments: IT Security, Compliance, Audit
Project Dept. Owner: Privacy
Key Deliverables: DPIA Policy; DPIA Procedure and Workflow; DPIA Questionnaire
Priority: High
Estimated Resources: 1 FTE
Estimated Duration: 1-2 months
Estimated Cost: Internal/External Resources Time: $28,000 to $56,000 (based on 1 FTE, 4 to 8 weeks, and a blended hourly rate of $175)
Dependencies: 2.5.a Privacy Protection by Design Policy
12. Pitfall #6: Unrealistic Implementation Timelines
▸Approach focused on the prioritization of high risks for projects, processes, third parties, and systems.
▸For systems-focused projects, start with the higher risk systems.
Risk Index Criteria for High Risk Systems:
▸Volume
▸Systems managed internally vs. externally
▸Sensitivity of personal data elements
▸Data types (employee, customer, client)
13. GDPR: Typical Project Activities
1. Implement Encryption and Data Masking Policies, Procedures, and Mechanisms
2. Implement Right to Erasure Policies, Procedures, and Capabilities
3. Implement Right to Data Portability Policies, Procedures, and Capabilities
4. Implement System-Specific Assessment Program
5. Develop a Privacy Impact Assessment (PIA) Methodology
6. Establish Protection by Design and Default Mechanisms
7. Appoint and Implement Data Protection Officer Function
8. Establish Designation of Representative
9. Enhance Breach Notification Process
14. GDPR: Typical Project Activities (continued)
10. Enhance and Maintain Records of All Processing Activities
11. Enhance Processor and Sub-Processor Management Procedures
12. Enhance Data Subject Rights
13. Enhance Conditions for Consent Policies and Procedures
14. Enhance Privacy Notices
15. Enhance Data Minimization Procedures
16. Enhance Data Retention Policies and Procedures
17. Enhance Privacy Training
15. Communication & Implementation Plan
▸Design a communication plan that facilitates the socialization of the details of the roadmap activities through implementation workshops.
▸For corporate and business unit/division specific initiatives, define decision-making committees with business, IT, privacy, and legal parties.
Planning Workshops participants:
▸Executive Leadership
▸Division & Regional Leadership
▸Global Privacy Counsel
▸Relevant Business Operations
▸Information Technology
▸Compliance & Legal