
GDPR project board deck (example)



This is an example of a deck for decision makers (generally the board of directors). It first explains that data protection is a risk (reputational, legal, operational) that, like any other business risk, needs to be managed. It then summarises the status of data protection law and the main novelties under the GDPR, and finally highlights the main changes required in project mode and, later on after the handover, in business-as-usual mode.

Extra reference to the Vlerick publication (added because it was published after this slide deck):

Published in: Law


2. BUSINESS (diagram)
Value proposition, value creation, value delivery, value capture. Price, profit and cost (external cost, internal cost) against the (perceived) value for the customer: experience, convenience, meeting the customers' needs, product design, meeting the qualifiers, image, additional functionalities, future proof, quality, people, meeting the users' needs, culture.

3. VALUE CAPTURE IS HARD
Value captured = value of the business

4. THE SAUCE IS ALWAYS AT RISK
• Financial risk
  o Solvency
  o Liquidity
  o Cash flow
• Operational risk
• Counterparty risk
  o Customers
  o Credit risk
  o Suppliers
• Market risk
• Reputational risk
• Legal risk
• ...
6. 4 KEY CHALLENGES
"Change comes from outside. And that is what you should use to challenge how your team has got to the end product." - Prof. Stijn Viaene
Use 4 key challenges:
• Experience IS value, not just functionality. The reference experience is NOT the sector, it is Google, Facebook, Uber, ...
• Customers are moving targets.
• You can't (and shouldn't) have it all in-house: data, skills, ... What is core and should be owned? What can we outsource?
• You need well architected information systems.
7. APPLY
Knowledge matrix: what we comprehend (rows) against what there is to know (columns).

                  Known                          Unknown
  Known           What we know we know           What we know we don't know
  Unknown         What we don't know we know     What we don't know we don't know
8. MODELS & FRAMEWORKS
• Business threats, among others disruption / creative destruction
10. RISK APPROACH
Risk response by impact and likelihood:

                  Low likelihood    High likelihood
  High impact     Share             Avoid
  Low impact      Accept            Mitigate

Second matrix: the same quadrants, each combined with further mitigation and a follow-up regime (continuous monitoring, periodic monitoring, continuous review, periodic review).
11. THE IDEAL

12. FOR REAL ?!
13. ISDPP IS (JUST) ANOTHER RISK
Part of the secret sauce:
• Customers
  o Who are your customers?
  o What do your customers value?
  o Why do your customers choose you?
• Suppliers
  o Who are your suppliers?
  o What relationship do you have with your suppliers? ("value partition")
  o Why do you have this relationship with your suppliers?
• Competitive edge
  o Culture
  o Ideas
  o Operational excellence
  o Cost control
  o Trade secrets
  o Protectable intellectual property
  o ...
14. INFORMATION MANAGEMENT
Architecture, lifecycle:
• Databases
• Links
• Silos v transversal
• Information asset ownership

15. ISDPP "INTELLIGENCE": WHAT IS OUT THERE?
(Information) threat intelligence:
• network
• peers
• vendor information
• threat reports
• threat intelligence services
• futurists
• sci-fi
• ...
16. LAYERS & DIMENSIONS (diagram)
Layers: Environment, Physical, Human, Device, Application, Repository, Carrier; Network, Data, 3rd Parties.
Dimensions:
• Risk assessment: impact, probability
• Risk decision: avoid, mitigate, share, accept
• Controls: 1st line, 2nd line, 3rd line
• Incident management
• Changes: in the regulatory environment, in processes, in people (JLT), in technology
17. LEGAL OVERVIEW (diagram)
Actors: Data Subject, Data Controller, Data processor; control over the processing of personal data.
Principles: finality, legitimacy, transparency, organisation, proportional, end-to-end.
18. GDPR - NEW
• Processor now also an addressee
• Organisation
  o "Accountability" (reversal of the burden of proof), concrete
  o Processing register (and risk register)
  o Privacy impact assessment ("PIA"; the GDPR text calls it a data protection impact assessment, DPIA)
  o Privacy by Design and Privacy by Default
  o Data Protection Officer
  o Acknowledgement of "frame" mechanisms: certifications, codes of conduct, binding corporate rules, ...
  o Incident management and data breach notification
• Rights of the individual are increased and further elaborated
• Enforcement
  o Administrative fines universal and uniform
  o Collective actions of individuals universal and uniform
19. GDPR – CHANGE - VISUAL (diagram)
Same elements as the legal overview (Data Subject, Data Controller, Data processor; control over the processing of personal data; finality, legitimacy, transparency, organisation, proportional, end-to-end), with the GDPR changes marked.
20. CHANGE PROGRAM

PROJECT
• Change management
• HR review
  o Roles and function review, among others: DPO needed? Information asset owners?
  o HR processes review
  o Communication & training
• Processes review
  o Processing register, in iterations for legacy processes
  o Consent of data subjects
  o Incident management review
  o Project management review: PIA, PbD, documentation => register
  o Complaints management (rights update)
  o Outsourcing partner review
  o Access management
• IT review
  o Architecture view
  o Security measures: comfortable? Need to have / nice to have

BUSINESS AS USUAL
• Tone at the top! "Money where your mouth is": decisions on data protection, sponsor
• HR
  o Communication & training
  o Awareness (= top of mind)
• Processes
  o Periodic review and update
• IT
  o Security is a moving target: upgrade, patch, decommission
  o New development: PbD
• Monitoring & reporting
  o Test
  o First line controls (KPI, SL, etc.)
  o Board reporting to ISO and DPO
  o Consolidating dashboard to top management

In parts / iterations
21. CHANGE RISK

22. CONTROL THE CHANGE
Change management:
• Decisions
• Action plan
• Tone at the top
• Budget and skilled people
• Multinational coordination?