A practical guide to GDPR preparation.
Dean Evens, Director, Satori Consulting
Megan Maddocks, Account Executive, Promapp
A PRACTICAL GUIDE TO GENERAL DATA PROTECTION REGULATION (GDPR) PREPARATION
MAY 1, 2018
A PRACTICAL GUIDE TO GDPR PREPARATION
AGENDA
This session will address key GDPR questions:
1. What is GDPR and why is it important?
2. What are the core GDPR concepts?
3. What should practitioners know to achieve and maintain compliance?
4. What are the keys to success?
5. Process owners as data stewards?
6. How can Promapp be leveraged to achieve and maintain readiness?
WHAT IS GDPR AND WHY IS IT IMPORTANT?
GDPR DEFINITION & FOCUS
The objective of the General Data Protection Regulation (GDPR) is the harmonization of EU regulations to enhance the rights of EU citizens to govern the privacy of their personal information and to ensure organizations provide the right protections.
The GDPR applies to EU and non-EU organizations that:
(i) offer goods or services to EU residents;
(ii) monitor the behavior of EU residents.
The GDPR effective date:
▪ May 25, 2018
Penalties:
▪ Up to 20,000,000 EUR or 4% of worldwide revenue from the previous fiscal year (Article 83). Fines are determined by the Data Protection Authority (Supervisory Authority).
* The “Articles” referenced in this document refer to the articles included in the GDPR regulation. A link to the regulation text is included in the Appendix section of this document.
GDPR DEFINITION & FOCUS: PERSONAL DATA
Personal data references any data that can identify a natural person (“data subject”): name, online identifier, identification number, location data, IP address, etc.
[Figure: Personal Data Considerations]
GDPR DEFINITION & FOCUS: ROLES & RESPONSIBILITIES
There are several roles needed to support GDPR implementation*. The DPO role is key to successful execution and should act as GDPR owner.
Data Protection Officer**: Role that acts as point of contact for the EU Representative and DPA. Understanding GDPR requirements and identifying how they relate to the organization is key. The DPO should identify the appropriate Data Protection Authority (DPA) to engage with.
* Controllers that process small-scale data intermittently and do not handle sensitive personal data are exempt.
** The DPO is not required to be a dedicated FTE (see Articles 37, 38, and 39).
WHAT ARE THE CORE GDPR CONCEPTS?
GDPR CONCEPTS
Principles, privacy, and protection represent the core focus for GDPR readiness. Organizations must focus on adhering to principles, implementing processes to satisfy privacy rights of the individual, and securing data.
Principles
▪ Data processed lawfully, fairly, and transparently
▪ Only collect personal data needed
▪ Accuracy of personal data must be maintained
▪ Minimize the time data is kept in a form that identifies data subjects
▪ Maintain the confidentiality and integrity of personal data
Privacy (rights of data subjects)
▪ Transparent information, communication and modalities for the exercise of the rights of the data subject
▪ Information to be provided where personal data are collected from the data subject
▪ Right of access by the data subject
▪ Right to rectification
▪ Right to erasure (‘right to be forgotten’)
▪ Right to restriction of processing
▪ Right to data portability
Protection (controllers and processors)
▪ Data Protection Officer (DPO)
▪ Data protection by design
▪ Records of processing activities
▪ Security of processing
▪ Notification of a personal data breach to the Supervisory Authority
▪ Communication of a personal data breach to the data subject
▪ Data Protection Impact Assessment (DPIA)
▪ Code of conduct
CONTROLLERS AND PROCESSORS
The controller collects and determines the purposes and means of processing personal data.
The processor processes personal data on behalf of the controller.
Identify processors and provisioned services:
▪ AWS* – EBS, S3, CloudFront
▪ Datadog
▪ Application integration points
CONTROLLERS AND PROCESSORS: PROCESSOR OBLIGATIONS
Processors are obligated to establish and maintain GDPR compliance.
1. The processor is required to obtain written consent from the controller prior to appointing a sub-processor.
2. Processors (and any sub-processors) shall not process personal data except in accordance with the instructions of the controller.
3. Comply with recordkeeping obligations.
4. Cooperate with Data Protection Authorities.
5. Adhere to data security obligations.
6. Comply with data breach reporting requirements.
7. Appoint a Data Protection Officer, if applicable.
8. Adhere to cross-border transfer requirements.
WHAT SHOULD PRACTITIONERS KNOW TO ACHIEVE AND MAINTAIN COMPLIANCE?
PRINCIPLES FOR CONTROLLERS AND PROCESSORS
Objective – establish guidelines to ensure that collection, use, processing, and storage of personal data are performed responsibly and in accordance with GDPR requirements.
GDPR Requirement…
Security Principles**
1. Simplicity
2. Balanced Security
3. Least Privilege
4. Plan for Failure
5. Zero/Limited Trust
6. Data-Centric Security
7. Design with Multi-tenancy in Mind
8. Build in Traceability
Privacy Principles
1. Lawfulness, fairness, and transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
DATA PROTECTION BY DESIGN AND BY DEFAULT
Objective – To minimize risk to privacy and build trust in the system. Protection by design applies to all personal data.
GDPR Requirement…
Implement the appropriate technical and organizational measures and integrate them into processing to protect the rights and freedoms of EU citizens. GDPR risk drives the development of measures.
Actions to Take…
1. Operationalize principles
2. Implement a process to establish and maintain records of data processing activities
3. Establish information flows of personal data
4. Define technical and organizational measures – pseudonymization, encryption
DATA PROTECTION IMPACT ASSESSMENT (DPIA)
Objective – Identify privacy and security risk and take the right measures to reduce it to an acceptable level. A DPIA applies to high-risk personal data.
GDPR Requirement…
1. Documented measures to ensure risk is managed in compliance with GDPR. A DPIA is required during processing of high-risk activities.
2. A DPIA must be performed prior to implementation.
Actions to Take…
1. Implement a DPIA process
▪ Develop a DPIA questionnaire and establish the threshold at which a DPIA is required
▪ Define the method for privacy and security review
▪ Create a template for DPIA documentation
▪ Establish a DPIA approval process
CROSS BORDER TRANSFERS
Transfers of personal data outside the EEA (European Economic Area) are strictly prohibited. Data transfer can occur only if one of the following is in place:
▪ Adequacy decision
▪ Binding Corporate Rules (BCR) approved by the DPA
▪ Certifications
▪ Standard contractual clauses
▪ Ad hoc contractual clauses
▪ Consent from the data subject
▪ Approved Code of Conduct
▪ Privacy Shield compliance
SECURITY OF PROCESSING
Identify stack responsibility and apply controls to ensure security of processing:
▪ IT Security Policy
▪ Security Processes and Procedures
▪ Access Control
▪ Security in Systems Lifecycle Management
▪ Secure Software Development
▪ Data Protection
▪ Malware Protection
▪ Network Security
▪ Vulnerability Management
▪ Change Management
▪ Security Incident Response – Breach Notification
▪ Disaster Recovery
▪ Supplier Management
WHAT ARE THE KEYS TO SUCCESS?
ESTABLISH A PLAN
GDPR requires the organization to address privacy and security of personal data. A proven approach to gaining clarity on GDPR relevance and understanding how to execute is described below. The Data Protection Officer (DPO) must lead the effort to achieve and maintain alignment.
Preparation
• Assign data privacy ownership
• Understand the regulation
Assessment
• Assess the EU citizen personal data collected and processed
• Identify how the rights of the individual apply
• Understand the risk of activities
• Assess processors
Implementation
• Implement GDPR principles
• Implement data protection by design
• Create and maintain documentation for personal data processing activities
• Implement data protection impact assessments
• Align security controls
Maintenance
• Operationalize GDPR controls
PROCESS OWNERS AS DATA STEWARDS
• Leading practices are evolving to establish a Data Steward role
• The role is aligned with Business Process Owners to understand the data assets supporting the process and ensure controls are in place
• Key contributor to the DPIA as/if required
• Works with DPO, Application, Information Security, Compliance and Supplier Management team members to ensure data protection
• Underpins the Data Protection by Design principle
KEY POINTS
Focus on the following…
1. Understand your data
2. Use principles to drive the right behaviors and build a culture of privacy & security
3. Address protection by design for all personal data
4. Maintain records of processing activities documentation
5. Align security controls with the activities performed and ensure they are defensible
6. Perform data protection impact assessments for all high-risk activities, and maintain documentation
7. Manage third-party/processor relationships
PROMAPP TO ACHIEVE AND MAINTAIN READINESS
A short demonstration…
Questions?
www.promapp.com
www.satoriconsulting.com
APPENDIX
GDPR MYTHS
Understanding GDPR requirements can be complex. There are several common misperceptions that should be clarified.
1. A Data Protection Officer is required for all organizations
2. Each GDPR incident will carry a fine equivalent to the greater of 20 million EUR or 4% of annual worldwide revenue
3. Consent is always required for processing of personal data
4. Parental consent is always required when collecting personal information from a child
5. Individuals have the absolute right to be forgotten
6. Biometric data is sensitive data
7. Controllers do not require processing agreements with processors – GDPR takes care of this
8. Security technology solutions are needed to enable GDPR compliance
9. Automated decision-making cannot be performed (e.g., use of AI)
REFERENCE SOURCES
▪ GDPR Regulation – Full regulation; Abbreviated regulation; Web-based GDPR regulation resource
▪ UK ICO Guide to GDPR
▪ White & Case has great insight into GDPR
▪ A series of 10 posts that provide insight into the operational impact of GDPR
▪ List of Data Protection Authorities for EU Member States
▪ UK ICO Assessment Questionnaire
