The European Union (EU) is implementing GDPR (General Data Protection Regulation) on May 25, 2018. Organizations who offer goods or services to EU residents or monitor the behavior of EU residents must comply, or they may incur significant financial penalties. Are you ready? Time is running out to ensure you comply with the new requirements. In this webinar presentation, Dean Evans, Satori Consulting to learn what the GDPR requirements mean for your organization, plus get a practical guide to achieving GDPR readiness including how to implement processes to satisfy the privacy rights of individuals. Dean will cover: => What is GDPR? => Common GDPR misconceptions => Key considerations => How to develop a plan of action => Process owners as data stewards

1. A practical guide
to GDPR
preparation.
Dean Evens
Director
Satori Consulting
Megan Maddocks
Account Executive
Promapp

2. APRACTICALGUIDETO GENERALDATA
PROTECTIONREGULATION(GDPR)
PREPARATION
MAY 1, 2018

3. A PRACTICAL GUIDE TO GDPR PREPARATION
AGENDA
3
This session will address key GDPR questions:
1. What is GDPR and why is it important?
2. What are the core GDPR concepts?
3. What should practitioners know to achieve and maintain
compliance?
4. What are the keys to success?
5. Process owners as data stewards?
6. How can Promapp be leveraged to achieve and maintain readiness?

4. WHAT IS GDPR AND WHY IS IT IMPORTANT?
4

5. PRACTICAL GUIDE TO GDPR PREPARATION
GDPR DEFINITION & FOCUS
5
The objective of the General Data Protection Regulation (GDPR) is
harmonization of EU regulations to enhance the rights of EU citizens to govern
the privacy of their personal information and ensure organizations provide the
right protections.
The GDPR applies to EU and non-EU organizations that:
(i) offer goods or services to EU residents;
(ii) monitor the behavior of EU residents
The GDPR effective date:
▪ May 25, 2018
Penalties:
▪ Up to 20,000,000 EUR or 4% worldwide revenue from the previous fiscal
year (Article 83). Fines are determined by the Data Protection Authority
(Supervisory Authority).
* The “Articles” referenced in this document refer to the articles included in the GDPR regulation. A link
to the regulation text is included in the Appendix section of this document.

6. A PRACTICAL GUIDE TO GDPR PREPARATION
GDPR DEFINITION & FOCUS: PERSONAL DATA
6
Personal data references any data that can identify a natural person
(“data subject”): name, online identifier, identification number,
location data, IP address etc.
Personal Data Considerations

7. A PRACTICAL GUIDE TO GDPR PREPARATION
GDPR DEFINITION & FOCUS: ROLES ROLES & RESPONSIBILITIES
7
There are several roles needed to
support GDPR implementation*.
The DPO role is key to successful
execution and should act as
GDPR owner.
Data Protection Officer**: Role
that acts as point of contact for
the EU Representative and DPA.
Understanding GDPR
requirements and identifying how
it relates to the organization is
key.
The DPO should identify the
appropriate Data Protection
Authority (DPA) to engage with.
* Controllers that process small scale data intermittently and do not handle sensitive personal
data are exempt
** DPO is not required to be a dedicated FTE (see Article 37, 38, and 39)

8. WHAT ARE THE CORE GDPR CONCEPTS?
8

9. A PRACTICAL GUIDE TO GDPR PREPARATION
GDPR CONCEPTS
9
Principles, privacy, and protection represent the core focus for GDPR readiness.
Organizations must focus on adhering to principles, implementing processes to
satisfy privacy rights of the individual, and securing data.
Principles
▪ Data processed lawfully, fairly, and transparently
▪ Only collect personal data needed
▪ Accuracy of personal data must be maintained
▪ Minimize the time data is kept in a form to identify
data subjects
▪ Maintain the confidentiality and integrity of
personal data
Privacy (rights of data subjects)
▪ Transparent information, communication and
modalities for the exercise of the rights of the
data subject
▪ Information to be provided where personal data
are collected from the data subject
▪ Right of access by the data subject
▪ Right to rectification
▪ Right to erasure (‘right to be forgotten’)
▪ Right to restriction of processing
▪ Right to data portability
Protection (controllers and processors)
▪ Data Protection Officer (DPO)
▪ Data protection by design
▪ Records of processing activities
▪ Security of processing
▪ Notification of a personal data breach to the
Supervisory Authority
▪ Communication of a personal data breach to the
data subject
▪ Data Protection Impact Assessment (DPIA)
▪ Code of conduct

10. A PRACTICAL GUIDE TO GDPR PREPARATION
CONTROLLERS AND PROCESSORS
10
Controller collects and
determines the purposes and
means of processing
personal data.
Processor processes personal
data on behalf of the
controller.
Identify processors and
provisioned services:
▪ AWS* – EBS, S3,
Cloudfront
▪ Data Dog
▪ Application integration
points

11. A PRACTICAL GUIDE TO GDPR PREPARATION
CONTROLLERS AND PROCESSORS: PROCESSOR OBLIGATIONS
11
Processors are obligated to establish and maintain GDPR compliance.
1. Processor is required to obtain written consent from the controller prior to
appointing sub-processor.
2. Processors (and any sub-processors) shall not process personal data, except in
accordance with the instructions of the controller
3. Comply with recordkeeping obligations
4. Cooperate with Data Protection Authorities
5. Adhere to data security obligations
6. Comply with data breach reporting requirements
7. Appoint a Data Protection Officer, if applicable
8. Adhere to cross border transfers requirements

12. WHAT SHOULD PRACTITIONERS KNOW TO
ACHIEVE AND MAINTAIN COMPLIANCE?
12

13. A PRACTICAL GUIDE TO GDPR PREPARATION
PRINCIPLES FOR CONTROLLERS AND PROCESSORS
13
Objective – establish guidelines to promote collection, use, processing,
and storage is performed responsibly and in accordance with GDPR
requirements.
GDPR Requirement…
Security Principles**
1. Simplicity
2. Balanced Security
3. Least Privilege
4. Plan for Failure
5. Zero/limit Trust
6. Data Centric Security
7. Design with Multi-tenancy in Mind
8. Build in Traceability
Privacy Principles
1. Lawful, fairness, and transparency
2. Purpose limitations
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality

14. A PRACTICAL GUIDE TO GDPR PREPARATION
DATA PROTECTION BY DESIGN AND BY DEFAULT
14
Objective - To minimize risk to privacy and build trust in the system. Protection by
design applies to all personal data.
GDPR Requirement…
Implement the appropriate technical and organizational measures and integrate
them into processing to protect the rights and freedoms of EU citizens. GDPR risk
drives development of measures.
Actions to Take…
1. Operationalize principles
2. Implement process to establish and maintain records of data processing activities
3. Establish information flows of personal data
4. Define technical and organization measures – pseudonymization, encryption

15. A PRACTICAL GUIDE TO GDPR PREPARATION
DATA PROTECTION IMPACT ASSESSMENT (DPIA)
15
Objective – Identify privacy and security risk and take the right measures to
reduce it to an acceptable level. DPIA applies to high risk personal data.
GDPR Requirement…
1. Documented measures to ensure risk is managed in compliance with GDPR DPIA
required during processing of high risk activities.
2. DPIA must be perform prior to implementation
Actions to Take…
1. Implement DPIA Process
▪ Develop DPIA questionnaire and establish threshold for DPIA requirement
▪ Define method for privacy and security review
▪ Create template for DPIA documentation
▪ Establish DPIA approval process

16. A PRACTICAL GUIDE TO GDPR PREPARATION
CROSS BORDER TRANSFERS
16
Transfers of personal data outside the EEA (European Economic Area) is
strictly prohibited. Data transfer can occur if:
▪ Adequacy decision
▪ Binding Corporate Rules (BCR) approved by DPA
▪ Certifications in place
▪ Standard contractual clauses are in place
▪ Ad hoc contractual clauses
▪ Consent from the data subject
▪ Approved Code of Conduct
▪ Privacy Shield compliance

17. A PRACTICAL GUIDE TO GDPR PREPARATION
SECURITY OF PROCESSING
17
Identify stack responsibility and apply controls to
ensure security of processing
▪ IT Security Policy
▪ Security Processes and Procedures
▪ Access Control
▪ Security in Systems Lifecycle Management
▪ Secure Software Development
▪ Data Protection
▪ Malware Protection
▪ Network Security
▪ Vulnerability Management
▪ Change Management
▪ Security Incident Response – Breach Notification
▪ Disaster Recovery
▪ Supplier Management

18. WHAT ARE THE KEYS TO SUCCESS?
18

19. A PRACTICAL GUIDE TO GDPR PREPARATION
ESTABLISH A PLAN
19
GDPR requires the organization to address privacy and security of personal data.
A proven approach to gaining clarity on GDPR relevance and understanding how
to execute is described below. The Data Protection Officer (DPO) must lead the
effort to achieve and maintain alignment.
Preparation
•Assign data privacy
ownership
•Understand the
regulation
Assessment
•Assess the EU citizen
personal data collected
and processed
•Identify how the rights
of the individual
applies
•Understand the risk of
activities
•Assess processors
Implementation
•Implement GDPR
principles
•Implement data
protection by design
•Create and maintain
documentation for
personal processing
activities
•Implement data
protection impact
assessments
•Align security controls
Maintenance
•Operationalize GDPR
controls

20. A PRACTICAL GUIDE TO GDPR PREPARATION
PROCESS OWNERS AS DATA STEWARD
20
• Leading practices are evolving to establish Data Steward role
• Role is aligned with Business Process Owners to understand data assets
supporting the process and ensuring controls are in place
• Key contributor to DPIA as/if required
• Work with DPO, Application, Information Security, Compliance and Supplier
Management team members to ensure data protection
• Underpins Data Protection by Design principle

21. A PRACTICAL GUIDE TO GDPR PREPARATION
KEY POINTS
21
Focus on the following…
1. Understand your data
2. Use principles to drive the right behaviors and build a culture of privacy &
security
3. Address protection by design for all personal data
4. Maintain records of processing activities documentation
5. Align security controls with the activities performed and ensure they are
defensible
6. Perform data protection impact assessments for all high risk activities, and
maintain documentation
7. Manage third party/processor relationships

22. A PRACTICAL GUIDE TO GDPR PREPARATION
PROMAPP TO ACHIEVE AND MAINTAIN READINESS
22
A short demonstration…

23. Questions?
www.promapp.com
www.satoriconsulting.com

24. APPENDIX
24

25. A PRACTICAL GUIDE TO GDPR PREPARATION
GDPR MYTHS
25
Understanding GDPR requirements can be complex. There are several common
misperceptions that should be clarified.
1. A Data Protection Officer is required for all organizations
2. Each GDPR incident will carry a fine equivalent to the greater of 20 mil Euro or
4% annual worldwide revenue
3. Consent is always required for processing of personal data
4. Parental consent is always required when collecting personal information from
a child
5. Individuals have the absolute right to be forgotten
6. Biometric data is sensitive data
7. Controllers do not require processing agreements with processors – GDPR
takes care of this
8. Security technology solutions are needed to enable GDPR compliance
9. Automated decision-making can not be performed (e.g., use of AI)

26. A PRACTICAL GUIDE TO GDPR PREPARATION
REFERENCE SOURCES
26
▪ GDPR Regulation - Full regulation Abbreviated regulation Web-based GDPR
regulation resource
▪ UK ICO Guide to GDPR
▪ White & Case has great insight into GDPR
▪ A series of 10 posts that provide insight into the operational impact of GDPR
▪ List of Data Protection Authorities for EU Member States
▪ UK ICO Assessment Questionnaire