Presentation by Hatime Araki (Keley Data) with Benjamin Chouai (Saul Associé), the September 21th

1. Take the necessary steps to
comply with GDPR

2. Page 2 – © Keley - Confidentiel –
GDPR
(RGPD - French)
officially starting May 25, 2018

3. Page 3 – © Keley - Confidentiel –

4. Page 4 – © Keley - Confidentiel –

5. Page 5 – © Keley - Confidentiel –
M. C

6. Page 6 – © Keley - Confidentiel –
Communication
/ Promotion
@
SMS
Courier
Call
Data treatment Data usage
Quality
Enrichment
Predictive
Targeting
Structure
Tools and
applications
Data
Collection
Personalized
actions
Optimization
CRM
CDP
DMP
ERP
Advertising
/ Content
Web
Display
SEM

7. Page 7 – © Keley - Confidentiel –
« A fantastic opportunity to finally devote
resources to organize and structure our data »
« This will also impact economic
models and marketing strategies »
« Long-term project, to deploy
and maintain over time »
« A lack of awareness in terms
of operational management. »
« New measures and
actions to undertake »
« Many difficulties
ahead »
« Needs a dedicated project team
and availability of partners »

8. Page 8 – © Keley - Confidentiel –
...and now?
Pragmatic and efficient action:
> 360∞ data vision:
> Mapping of personal data
> Resumption of expected benefits
> Breakdown in contexts of Privacy Impact Analysis ( PIA )
> Evaluating risks and measures by context:
> Definition of Defendable Minimum
> Evaluation of Stakes and Accessibility
=> Prioritization of actions
> Setting up tools to accelerate and sustain the plan
… with a goal of constant improvement

9. Page 9 – © Keley - Confidentiel –

10. Page 10 – © Keley - Confidentiel –
10
Job
Vision
Usage
Vision
SI
Vision
Quality
Vision
Different focus for a 360∞ vision
Definition of existing data for each job:
what does a client mean for
marketing, for purchase
Gathering usages of data,
frequency and respective
contributions?
Description of data trajectories in
various SI environments
Listing established rules
impacting data and its
respect
360 °

11. Page 11 – © Keley - Confidentiel –
...while focusing on expected benefits
> GDPR compliance creates a fantastic opportunity for companies in terms of:
Image
Install or restore third party confidence in the company when
dealing with personal data
Law Prepare the "digital responsibility" of the company
IT Secure and enhance treatment and storage of data
Job Increase valorization and monitoring of data
HR
Give responsibility to actors in the company in terms of
personal data

12. Page 12 – © Keley - Confidentiel –

13. Page 13 – © Keley - Confidentiel –
Context qualification
> A study context comprises one or several treatments on a data source with a
determined purpose
Description générale d'un Contexte
Informations générales
Etude d'impact
Date de l'analyse ex: 01/10/2017 Analyste Prénom Nom Fonctiondel'analyste ex : Data manager
Informations générales sur le contexte
Typede projet ex : Nettoyage des adresses postales Finalité/ Objectif ex: communication parcourrier Typede traitement ex : Normalisationpostale
Personnes concernées ex : clients Nombred'individu(estimation) ex : 2 000 000 Nombred'informationpar individu ex: 10
Base / Application concernée ex: Base de porteurde carte de fidélitéResponsabledetraitement ex : Prestataire externe Responsableopérationnel ex : Responsable interne
Contributeurs projet
Chef de projet ex: directeur des opérations Expert données personnelles ex : directeur juridique Expert sécurité ex : RSSI, directeur technique
Expert technique/ étude ex : data manager Responsableexploitation ex : data manager Autres à renseigner
Description des données traitées (cf procédure de gestion de la traçabilité)
Liste des données Source des données Base concernée Destination des données
Type de données
(cf onglet 05)
Périmètre géographique du
traitement (Pays)
ex : nom ex : Saisie Magasin ex : Magasin ex : CRM ex : données d'identification ex : France
Collecte des données et transparence de l'information (cf procédure de gestion de la traçabilité)
Liste des données Type de collecte Méthode de collecte
Méthode d'information des
personnes
Responsable de la gestion des
droits d'accès/rectification
Autre
Civilité ex : directe, indirecte ex : liste déroulante, champs libre ex : Conditionsgénérales de la carte ex : Fonction +Nom
Règles de conservation & purge des données
Liste des données Durée de conservation Règles de purge Règles d'archivage
Règles de sécurisation de la
destruction
Resonsable du processus de
purge
Adresse postale ex : 3 ans
ex : mensuellement en semi-
automatique
ex : 5 ans sur serveur chiffré ex : broyage sécurisé ex : Fonction +Nom
Sécurité (cf procédure traçabilité, procédure habilitations, plan de contrôle)
Liste des applicatifs / systèmes /
bases
Politique de mots de passe Gestion des logs
Chiffrement des données /
transferts
Profils d'habilitations Responsable des habilitations
Dépôt du fichier ex : oui ex : trace des interventions ex : oui, type de chiffrement ex : Data Manager ex : Fonction +Nom
Test de l'application
Remarques et informations additionnelles
• Which treatment for which purpose?
What?
• Who plays a part, who is
responsible?
Who?
• Which source and which collection
mode?
Wich Data?
• … of conservation and purge?
Which Rules?
• … tracking and accreditation?
Which Security?
• … tests and verifications?
Which Controls?

14. Page 14 – © Keley - Confidentiel –
Pre-Diagnosis or Self Assessment
> A first analysis should reveal the main contexts with high risk while
relying on simplified criteria
1 . Personal Information Sensitivity
• Common
• Perceived as sensitive
• Sensitive in terms of law
2 . Purpose / Minimization
• Conservation time
• Archiving time
• Anonymization mode
• Encryption choice
3 . Organization / Process
• Managing accreditations
• Managing risks
• Managing incidents
• Managing projets
4 . Consent / Portability
• Information on the
concerned party
• Access to its data
• Possibility to oppose, rectify
and restore
5 . Quality / Sécurity
• Preserve data cohérence • Logical security
• Physical security
Sensibilité
Finalité
Organisation
/ Process
Consenteme
nt /
Portabilité
Sécurité
Minimum Défendable
Evaluation on each axis
from 1 (perfect) to 4 (bad)

15. Page 15 – © Keley - Confidentiel –
> Identified risks should be placed on a grid according to:
> their gravity
> their likelihood
> This should evaluate the stakes of the measure associated with risk reduction
maximum
important
limited
marginal
marginal limited important maximum
Mapping the risks
Likelihood
Gravity
Stakes - -
Stakes -
Stakes +
M1
M2
M3
Stakes + +
R
3
R
2
R
1

16. Page 16 – © Keley - Confidentiel –
Association of measures with identified risks
Evaluation of these measures is done
on 3 axis:
> on each axis, a grade from 1 to 5
Accessibility is defined by using
these 3 grades
Difficulty Cost Time
M1 3 2 3 -
M2 2 1 2 +
M3 2 2 4 -
R1 : Malevolent injection of false data via
a web form
M1 : Install a site for managing consent and
portability of data
R2 : Inadvertent deletion of data M2 : Applying rules for conservation,
archiving and purge
R3 : Theft of personal information for
redistribution or exploiting by a third
party
M3 : Revision of contracts with one or
several providers

17. Page 17 – © Keley - Confidentiel –
Prioritization of measures
Accessibility
Stakes
++
- -
- - ++
Very high priority
High priority
Moderate
priority
Low priority
M1
M2
M3
> Measures to take are prioritized depending on:
> Their stakes
> Their Accessibility

18. Page 18 – © Keley - Confidentiel –
Watch out for All Excel!

19. Page 19 – © Keley - Confidentiel –
Choosing a tool: main functionalities
> Tools do not share all the functionalities that can be grouped in 4 families:
Functions connected
to GDPR
• Data treatment
register
• PIA plan
• Managing contracts
• Managing rights and
accreditations
• Tracking security
issues
• Integration in internal
systems
Project tracking
functions
• Task tracking
• Reporting and
control panel
• Employee
education
• Sharing user
experience
• Comparison inside
a company or
between
companies
Functions dedicated
to individuals
• Managing legal
notices
• Managing individual
demands
• Monitoring sites and
applications
• Managing portability
• Dedicated web site
for visitors
relationship
management
Technical / data
functions
• Anonymization of
data
• Secured data
analysis
• Monitoring data
misusage

20. Page 20 – © Keley - Confidentiel –
APM
ActeCil
DPMS-
PrivaCil
TrustArc OneTrust Ensighten Privitar
GDPR 4 4 4 4 1 3
Project tracking 4 3 3 3 0 0
Dedicated to individuals 0 3 3 3 4 0
Technical / data 0 0 0 0 0 4
Ease of use 3 3 4 4 3 1
References 4 4 3 3 1 1
FR FR US US US UK
from free to several thousand euros per month
Choosing a tool: selected tools
There are more specialized tools like TrackUp...or Didomi

21. Page 21 – © Keley - Confidentiel –
Taking action with Keley - Data
Unlaunched project Ongoing project
 Quick evaluation of the task size
based on:
• Number of entities/services concerned
• Number of systems and databases
• Number of context (data/treatment)
• Number of measures to uphold and track
=> Commando style launch of the
project for strong mobilisation and
maximum efficiency
 Flash diagnosis of your GDPR
approach
=> Faster implementation at
different levels:
• 360∞ Data Vision
• Minimum Defendable
• Prioritization of actions
• Choice of tool
They trust us: Orange, Renault, La Poste, Reed Expo...and you?

22. Contact
information
5 rue Sixtus, 75015 Paris
Métro : Dupleix ou Bir Hakeim
Phone : + 33 1 80 48 26 20
Adress : 28 rue du Docteur Finlay,
75015 Paris
Métro: Dupleix or Bir Hakeim
Phone: +33 1 80 48 26 25
haraki@keley-data.com