Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

GDPR - no beginning no end


Published on

GDPR - no beginning no end by Tobias Bräutigam, Bird & Bird

Seminar 26th April 2018: GDPR tulee - mitä tapahtuu h-hetken jälkeen

Published in: Business
  • Be the first to comment

  • Be the first to like this

GDPR - no beginning no end

  1. 1. GDPR – no beginning no end Tobias Bräutigam, head of data protection group, Bird & Bird Helsinki 26.04.2018
  2. 2. Compliance is a journey, not a point in time.
  3. 3. GDPR applicable 25th May. There wont' be a fire work.
  4. 4. Typical Privacy Program Products • Privacy policies (HR, Recruitment, Customers) • Cookie policy (?) • Data Protection Annex – role: Controller • Data Protection Annex – role: Processor • Article 30 documentation template • Data Protection Impact Assessment/Threshold assessment form  Those need to be updated, but there will be relatively little change This should not be news. Slide 4
  5. 5. What is needed the day after?
  6. 6. Just a footnote (not our topic today) 1 More is coming: NIS, ePrivacy Regulation Slide 6
  7. 7. Introducing: Privacy Perpetuum Mobile Slide 7
  8. 8. Why is it needed? Slide 8
  9. 9. Slide 9 You will have to make decisions Accountability Risk-based approach Governance is key
  10. 10. Slide 10 ... and implement decisions on a system level Legal Engineering Privacy Engineering is the answer
  11. 11. Slide 11 ... and make sure everyone does Vendor management is key Costs (for audits etc) Accountability
  12. 12. How to build a post-GDPR privacy program? Slide 12
  13. 13. Another footnote (as the following might be overwhelming) 1 The following thoughts are meant to give direction Slide 13
  14. 14. Elements of your future privacy program 1. Governance structure 1. Risk-management 2. Definition of roles 3. Measure success 2. Privacy engineering: 1. Implement privacy early on 2. Change system v. Change policy describing the system 3. Vendor management 1. Mapping and classification 2. Audits Aka the PPM Slide 14
  15. 15. 1. Governance Structure 1. Risk-management • Who (which level) decides? • How documented? • A lot of awareness needed 2. Definition of roles • RACI • Centralized/decentralized model 3. Measure and report • Define metrics (e.g. 95% of our high volume vendors have signed our DPA by 1.6.) • Improve metrics (examples) All this could be defined in a privacy governance policy Slide 15 Obstacles: Admitting status; internal politics
  16. 16. 2. Privacy Engineering "Privacy engineering is a specialty discipline of systems engineering focused on removing conditions that can create problems for people when system operations process their information." engineering/about According to NIST Slide 16
  17. 17. Privacy Engineering (2) Privacy (by) Design DPIA Engineering requirements Risk mangement UX Design Data flow modelling Data management Elements of privacy engineering Slide 17 Obstacles: Skills, time
  18. 18. Vendor management Breaches often occur at vendor level Slide 18 Know • Start with mapping vendors (re: personal data) • Set up a vendor management system Classify • Risk-based approach (sensitivity, volume, lifecycle) • 3 classes: low risk – medium risk – high risk Manage • DPA • Audits Learn and improve • Discuss IT security and privacy • Up or out (where alternatives are possible) Obstacles: Resources,
  19. 19. Looking at this from a product perspective Governance Privacy Governance Policy Metrics documents Privacy engineering Privacy Requirement document Privacy assessment process (30 => threshold => DPIA) Control framework Vendor management Vendor requirements/DPAs Vendor classification system For most of those tasks, both legal and technical skills are needed Slide 19
  20. 20. Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses. Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC340318 and is authorised and regulated by the Solicitors Regulation Authority. Its registered office and principal place of business is at 12 New Fetter Lane, London EC4A 1JP. A list of members of Bird & Bird LLP and of any non-members who are designated as partners, and of their respective professional qualifications, is open to inspection at that address. Thank you Tobias Bräutigam, OTT +358 50 482 3424