2. MEMBERS' POTENTIAL PROFILE
1. Data Protection Officers (DPO)
2. Legal experts and Lawyers
3. Information Security and Information Technology experts
4. Enterprise and external auditors
5. Compliance Officers
6. General Managers and Financial Officers
7. Data Scientists and Data Management Professionals
8. Project Managers
9. Enterprise Architects
10. Public Service personnel
11. Marketing Managers
12. Business Managers
13. Consultants
THE PROGRAMME IN EUROPEAN DATA PROTECTION IS DEDICATED TO:
3. STAKEHOLDERS OF THE GDPR COMPLIANCE
Primary Stakeholders
• Data Protection Officer
• GDPR Compliance project manager
• Process Owner
Additional Stakeholders
• Legal experts
• Chief Information Officer
• Chief Information Security Officer
• External Suppliers
Data Subject
Copyright ictc.eu
DPOCIRCLE.EU
6. Program in European Data Protection
Started in 2016 as a research project with the ITMA asbl core team and the Belgian Privacy Commission. Positioned today as a European leader in GDPR education. The body of knowledge is packaged to support a professional certification based on the ISO 17024 standard.
Solvay.edu/gdpr
Coms.Solvay.edu/gdpr-modules
8. Association for DPO and GDPR professionals
• Experience sharing, advocacy and development of a toolbox
• Up to two round table meetings a month
• Conferences with the involvement of Data Protection Authorities (Belgian ADP, EU EDPS) and the Secretary of State
• 300 members
9. Conferences
• Inauguration event in December 2017
• Conference on January 30
• Followed by many members' meetings, up to two per month
11. DPO and GDPR professionals
Various round table meetings called DPOCircle Talks (15/5/2018, 3/4/2018)

Data breach risk evaluation
Jennifer Salat
10/9/2018 3:59 PM
A round table on the evaluation of data breaches was held by DPOcircle on Thursday the 4th of October in a cosy audience kindly made available by Solvay. An open and informal discussion covered various topics:
1. Data breach recording and definition
2. Types of processes for breach reporting (centralised versus decentralised)
3. Methods of risk evaluation
4. Lessons learned
5. Challenges related to the implementation of data breach reporting requirements in practice
6. Uncertainties in relation to the interpretation of requirements
7. Other subjects (breach related and others)

Data breach recording and definition
It appears from the discussion that though some organisations have the data breach in place, some others still did not fully understand that besides the management of risk data breaches, controllers shall have documentation available about any data breach (not only those that were reported to the DPA): a breach log to be available upon DPA request (art 33.5). Several participants use a summary table to comply with art 33.5.
Some organisations only record data breaches in this table, others record all incidents and evaluations (data breach or not).

Data breach reporting process
All participants have a knowledge of centralised processes; evaluation is done by the DPO or by a panel which includes the DPO. Some organisations rely on contacts within units and departments to facilitate the reporting.
Some organisations delegate this responsibility to data processors, which raises questions about accountability.
In some contexts (hospital environment), processes may be much more complex given additional requirements (e.g. the need to report to the police on top of reporting to the DPA).

Methods of risk evaluation
Only two participants applied an objective method for the risk evaluation – both are based on the ENISA recommendations (see references). The advantage seems to be the reproducibility of evaluation over time and in case of delegation.
Another tool cited is a US tool (see references) and may be too simplistic for GDPR.
In general, it is not easy to perform an objective risk evaluation.

Lessons learned
Data breaches under GDPR are not only related to IT security, but can also come from other sources. It appears that the majority of breaches are of this other nature (e.g. lost paper file).

Challenges
Data breach reporting is the responsibility of the data controller. However, it is not always easy to interpret the real cases, and understanding the role of each organisation within complex contexts (where a contract covers several processing activities and responsibilities vary from one activity to another) is not straightforward. This applies specifically to legacy activities, where responsibilities were not documented using these terms and the update of contracts may be underway, but not finished yet.
Other remarks in relation to the controller-processor subject:
13. PLANS FOR 2019 (FR – NL)
• Incident handling exercise (in cooperation with ISACA)
• GDPR-HR from A to Z (1 day): how to build the record of processing activities across the various human resources functions
• GDPR-marketing from A to Z (1 day): how to build the record of processing activities across the various marketing functions
• GDPR and Customer Care: how to build the record of processing activities across quality and customer complaint follow-up processes
• GDPR and supplier management: how to build the record of processing activities across supplier management processes
• GDPR and IT departments: how the implementation of the GDPR interacts with IT services and teams
• Workshop: Protection Impact Assessment (2 days)
• Data Breach (1 day)
• Implementation methodology workshop (2 days)
• Privacy by Design (1)
14. DPOCIRCLE TALKS 2019
• Marketing round table
• HR round table
• Codes of conduct for various professions/federations
• The position of the DPO
• Methods and toolkits for DPOs
• GDPR skills and competences
• Healthcare series