2. Your Presenters
• Patricia Brady, Change Management Lead, SEI – Chicago
• Preston Clark, J.D., President, Conduct and Culture, EVERFI
• Tom Cantwell, Transformation Lead, SEI – Boston
• Matt Conner, Compliance Lead, SEI – Washington, DC
3. Implementing a Competitive GDPR Compliance Posture (Agenda)
1. GDPR Overview
2. Implementation Cycle
3. Assess Current State and Remediate
4. Develop the Future State
5. Maintain Compliance
6. Change Management and Training
7. Themes and Keys to Success
6. About our partner SEI, System Evolution Inc.
ATLANTA | BOSTON | CHICAGO | CINCINNATI | DALLAS | MIAMI | NEW YORK | PHOENIX | WASHINGTON D.C.
For over 25 years, SEI has delivered unparalleled service and proven results through our unique combination of local expertise and nationwide collaboration. We are an employee-owned, business and technology management consulting firm focused on implementing tailored solutions. With more than 280 consultants in 9 offices across the country, SEI is as invested in the success of our clients as we are in the growth and development of our neighborhoods.
7. A (very) Brief Review of the Law
• GDPR is intended to protect all EU citizens from privacy and data breaches and includes the following key points:
– Increased territorial scope
– Stiff penalties including fines up to 4% of annual turnover or about $24 million, whichever is greater
– Strengthened requirements for consent
• GDPR data subject rights include:
– Breach notification
– Right to access
– Right to be forgotten
– Data portability
– Ability to contact a company’s data protection officer
8. Poll #1
How confident are you that your company’s data procedures are robust enough to be considered compliant?
9. GDPR Readiness Statistics
• “Just 26% of respondents said they felt ‘very confident’ that their data governance procedures were robust enough to be classified as compliant by the looming 25 May deadline.”
• “61% of marketers said that they would apply for an extension on the target date if there was an option to do so, with less than one month to go until the Information Commissioner’s Office (ICO) starts enforcing the rules in the UK.”
• “45% of UK marketers have said their business is setting money aside to cover any potential fines issued by regulators.”
– Ensighten, survey of 150 UK brand and agency-side marketing decision makers
10. GDPR Implementation Cycle
• Assess Current State and Remediate: conduct discovery, legal review, assess findings, and remediate discrepancies
• Develop Future State: update strategy, align business processes, update systems, and train employees
• May 25th (or upon completion)
• Maintain: incorporate lessons learned and audit results back into business processes, strategy, and training
11. Poll #2
What phase of GDPR implementation best describes your organization?
13. Assess Current State and Remediate
[Section divider: GDPR Implementation Cycle diagram (Assess Current State and Remediate; Develop Future State; May 25th (or upon completion); Maintain) with Change Management and Training]
14. Understand Where You Process Personal Information
IT, business divisions, and third parties are critical areas to investigate to ensure a comprehensive GDPR program
IT Systems
• Usually centralized
• Understand how personal data flows across systems
• Where are your data centers?
Third Parties
• Also usually centralized
• Understand who you are sharing personal data with and why
• Where are they located?
Business Processes
• Ensure organizational coverage
• This is your data registry – start with the end in mind
• Uncover your “shadow IT”
15. Current State Assessment and Remediation
As with any compliance program, a risk-based iterative approach can help you achieve quick wins early
• Identify where personal data is processed
• Assess through a GDPR / data privacy lens
• Prioritize using risk-based criteria
• Remediate in an iterative approach
Organizational Change (spans all four steps)
16. Streamline Your Efforts
• Don’t rush the start of your identification process and work with the end in mind
• Properly documenting your current state will help you streamline and centralize efforts across many common aspects of GDPR, saving you time and money:
– Notice
– Consent
– Data Protection Impact Assessments (DPIA)
– Contracts
– Technical and Organizational Measures
– Policies and Procedures
19. GDPR – Future State
Getting to May 25th is only the first part of the GDPR journey. Many global firms will face follow-up work to improve on initial solutions, proactively measure current controls, and confirm the competitive position of their offerings.
Continuous Improvement
• Many initial GDPR solutions are manual and labor intensive
• Technology and process investments can reduce the cost of compliance, improve the customer experience, and foster confidence with trade partners
Privacy by Design (PbD)
• Privacy by default
• Inclusion of data protection during system and process design
• Data minimization
• Limited access
• Data profitability strategy
Competitive Strategy
• Address revenue stream impacts with privacy capabilities
• Identify alternative methods to achieve meaningful digital marketing
Enduring Processes
• Aligned to strategy and driven by PbD requirements
• Adaptable to continuous improvement and new legislation other than GDPR
• Cost and resource effective and efficient
Foundation: Culture | Communications | Training
20. Competitive Strategy
GDPR introduces challenges that will force some businesses to revisit their revenue model. With careful planning, these challenges can be mitigated and potentially even be turned into advantages.
Revenue Streams
Threats: Revenue Streams for Data Controllers
• Consent opt-in results will reduce opportunities to market consumer data
• Data minimization requirements will reduce the scope of data collected for marketing
Opportunities: Opportunities to Improve Customer Retention
• Invest in strong user experience and content design to build customer trust
• Invest in and market data privacy as a strength
Marketing
Threats: Marketing Challenges
• B2C companies that rely on targeted digital advertising will need alternative methods to make up gaps in digital advertising
Opportunities: Marketing Alternatives
• Increased use of contextual advertising based on content being viewed (e.g., advertisements for tickets when viewing a sports page)
• Replace data stores with real-time calls for dynamic advertising
21. Continuous Improvement
Many firms turned to tactical methods to ensure compliance for May 25th. Opportunities remain to improve business performance through selective investment in continuous improvements.
1. Consent Management
• Introduce back-end automation to execute on consent choices
• Implement advanced analytics to understand consent elasticity opportunities
2. Individual Rights
• Implement MDM solutions to streamline request fulfillment
• Improve intake and tracking mechanisms
3. Record of Processing
• Implement data mapping tools to improve visibility into processing activities, and improve governance for system changes
4. Security
• Introduce improved controls to reduce the risk of data breach
• Design and implement improvements to ensure 72-hour reporting compliance
22. Privacy by Design (PbD) and Developing Enduring Processes
• Developing new and redesigning existing processes must be aligned to the corporate strategy, be adaptable to continuous improvement, and be rooted in the Privacy by Design requirements in GDPR
• It is critical to implement controls that trigger data privacy considerations prior to approval/implementation of new processing activities, projects, products, and IT systems
• Build in processes and procedures to efficiently address data privacy considerations on an enduring, cost and resource effective basis
• Consider IT solutions, but only if they make the process more efficient and cost effective
• Educate and train employees
In order for PbD to be effective, it must be incorporated deeply into an organization’s culture, policies, procedures, and business processes
24. Acculturating Privacy – Change Management and Training
[Section divider: GDPR Implementation Cycle diagram (Assess Current State and Remediate; Develop Future State; May 25th (or upon completion); Maintain) with Change Management and Training]
25. Change Management – Key Success Factors
Key success factors to effectively manage change programs
AWARENESS (Change Readiness)
• Leadership aligned and engaged
• Stakeholder impacts identified
• Barriers to change identified
• Drivers of change understood
ACCEPTANCE (Change Strategy)
• Desired outcomes articulated
• Change roadmap developed
• Risk mitigation plan defined
• Communications plan designed
ADOPTION (Change Execution)
• Change agents prepared to champion the change
• Communications disseminated
• People trained on desired behaviors and ways of working
ADVOCACY (Institutionalize)
• Ongoing execution of alignment activities
• Governance established
• Benefits measurement underway
26. Change Management – Best Practices
Best practices to effectively manage and drive adoption in GDPR change programs
Awareness
• GDPR impacts a broad range of stakeholders; create segments for each stakeholder group
• Engage leadership early on to ensure buy-in and facilitate decision-making
Acceptance
• Conduct an organizational impact assessment (e.g., adding a data privacy officer (DPO), adding new responsibilities to existing roles)
• Plan to ensure that privacy is both a successful cultural shift and a role-based change
Adoption
• Establish adoption criteria for what each group needs to do differently to be GDPR compliant
• Create targeted messaging and engagements to guide individuals through the required change
Advocacy
• Identify, train, and support your advocates to continuously champion data privacy
• Outline and measure the activities necessary for achieving the benefits of GDPR compliance
29. Maintaining Compliance
Organizational Measures
• Continuous and proactive efforts to maintain compliance will save time and money in the long run
• GDPR compliance is a continuous effort and must become “business as usual” within the organization, not a one-time project
• Be able to demonstrate to regulators that your GDPR compliance initiative has not gone stale:
– Mock audits
– Regular internal reviews
– Continued reminders (training, education, communications)
• Provide mechanisms and resources to support grassroots privacy efforts
– “Now that I have learned so much about GDPR, I realize we might be doing something incorrectly. Who do I go to?”
32. Poll #3
How do you feel about your company’s infrastructure for handling subject access requests (SARs), e.g., IT systems, personnel resources, processes, call centers, etc.?
34. GDPR Post May 25th Operational Focus Areas
PRIVACY BY DESIGN
• Privacy as a central component to new product development
• Data profitability strategy within confines of regulatory compliance
• Data privacy as a competitive advantage
• Cultural shift to Privacy by Default
DATA GOVERNANCE
• Social, Mobile, Analytics, and Cloud (SMAC) evolving privacy strategy
• Enabling business agility through appropriate standards and resources
• Constant systematic monitoring and reporting – compliance is only a snapshot in time
TRACEABILITY & ASSURANCE
• Crucial for right to erasure, a significant area of weakness for most large organizations
• Data Subject Access Requests (DSAR)
• Internal/external data protection auditing as a routine business practice
TECHNOLOGY
• Need for more pointed Identity and Access Management (IAM) solutions to better manage “need-to-know”
• Automating anonymization so critical business intelligence activities are not affected
• Flexible architecture, allowing for low cost adaptability to future regulatory demands
Leverage GDPR practices and experience to get ahead of future regulatory changes beyond the EU
35. Keys to Success
• Current state assessment and remediation will only get you to compliance at a point in time – establishment of enduring programs is critical
• Include GDPR and data privacy in corporate strategy
• Implement a comprehensive change management and ongoing training effort
• Develop enduring processes rooted in Privacy by Design that are efficient, scalable, and adaptable
• Maintain programs through regular internal reviews/mock audits, then incorporate lessons learned back into strategy and processes
• With the global focus on data privacy and protection, it’s a matter of when, not if, new laws and regulations will impact your business – prepare now
38. GDPR
● Course Length: 10 minutes
● Languages: 20
● Key Topics:
○ What is GDPR
○ When and Where GDPR Applies
○ Staffing Implications
○ Reporting Requirements
○ Data Ownership