The document provides information about the EU General Data Protection Regulation (GDPR) and preparing for its requirements. It notes that the GDPR concerns all companies and authorities in the EU and introduces new guidelines for technology and organization. Customers will have more rights under the GDPR, and authorities will enforce the rules more strictly with higher fines for noncompliance. Companies have limited time to prepare and must establish data protection and IT security management practices and documentation.

1. EU
General Data Protection
Regulation
COMPLETE THE MANDATORY PROGRAM IN EUROPEAN PRIVACY!

2. BIO
Programmer, Trainer, Consultant for HP NonStop (Tandem) for more than 30 years
Presentation on GTUG / Connect Conference November 2009
„Application Migration to NonStop H- and J-Series”
Presentation on GTUG / Connect Conference April 2014
„Safety Review of a NonStop Data Center”
Former Speaker of GTUG
Diploma Physics, University Bonn
Foundation Certificate in IT Service Management
Project Manager Certificate of IHK Koblenz
Privacy Policy Manager Certificate of IHK Koblenz
Examiner for Operative and Strategic IT Professionals at IHK Cologne
2

3. EU-GDPR
REGULATION (EU) 2016/679
OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016
on the protection of natural persons
with regard to the processing of personal data
and on the free movement of such data,
and repealing Directive 95/46/EC (General Data Protection Regulation)
99 articles and 173 recitals
It shall apply from 25 May 2018.
This Regulation shall be binding in its entirety
and directly applicable in all Member States.
3

4. Disclaimer
I am not an expert in British law.
I do not know about the relationship
between British law and EU law,
now and in the future.
But suppose, You want to play
according to GDPR rules ...
and all companies within the EU have to ...
4

5. GDPR - Abstract
It concerns all companies, authorities and associations.
There are new guidelines for technology and organization.
Customers get more rights,
supervisory authorities judge more strictly,
fines are much higher.
There is only a limited timeframe to prepare.
5

6. Recital 78
Appropriate technical and organizational measures
When developing, designing, selecting and using
applications, services and products
that are based on the processing of personal data or process personal data to fulfil their task,
producers should be encouraged to take into account
the right to data protection when developing and designing such products, services and
applications
and, with due regard to the state of the art, to make sure that controllers and processors are able
to fulfil their data protection obligations.
6

7. What are the new rules in IT safety?
IT Safety Management
◦ Plan / Do / Check / Act -> Plan / ...
„data protection by default“ configuration
„data protection by design“ of software
◦ Encryption
◦ Performance and scalability
◦ Design for data deletion and long term locking
◦ Desaster recovery
State of the Art: Today´s technical possibilities
7

8. How to process personal data correctly?
◦ Documentation of all personal data processing
◦ Evaluation of all processes according to these principles:
1. Lawful – fair – transparent
2. Specified purpose
3. Data minimisation
4. Accuracy
5. Storage with time limitation
6. Integriy – Availability – Security
◦ Risk check of all processes
◦ Consultation of the supervisory authority
on all processing with high risk
8

9. How to process personal data correctly?
- New Rights and Obligations -
◦ Consent of data subjects may be no longer legitimate.
◦ All contracts on data processing must be
adjusted, and therefore negotiated anew!
◦ To correctly exercise the rights of the data subject
a new management procedure is needed!
9

10. Art. 5 GDPR
Principles relating to processing of personal data
Accountability
The controller
(“the natural or legal person, public authority, agency”)
shall be responsible for,
and be able to demonstrate compliance.
10

11. What are the opportunities and
obligations for software vendors?
Obligations for IT users / Opportunities for software companies
More Tools needed:
◦ Inventory
◦ Documentation of source code
◦ Interface documentation
◦ Configuration control
◦ Monitoring
◦ of IT processing
◦ of mangement procedures
Check on safety and data protection of all IT applications
11

12. What are the benefits
for the HP NonStop community?
Availability, Integrity, Security, Performance, Scalability
◦ The advantages of HP NonStop Applications!
Optimize
◦ HP guidelines
◦ Brainstorming of support people
◦ Consultants
HP NonStop defines „the state of the art“
12

13. Projects should be set up now. - Time is running out!
First half of 2017: Gathering information
◦ GDPR / ITSM: VdS_3473 / Risk Analysis / TeleTrusT „State of the Art“
Second half of 2017:
◦ Introduction of IT safety and data protection management
◦ Generating required documents
◦ Change of contracts between processors and controllers
◦ Prototyping of management procedures
Until 25 May 2018:
◦ Accomodation to national laws and further EU regulations based on GDPR
◦ Fine tuning of management procedures
◦ Insurances for IT risks still taken
◦ General introduction of management procedures
13

14. How to prepare
for the new Data Protection Regulation?
Gather information on the most relevant topics!
◦ 1. GDPR Principles 2. Lawfulness of processing
3. Consent of the data subject 4. Information to be provided
5. Rights of the data subject 6. Processing on behalf of a controller
7. IT Safety 8. Data protection impact assessment
Establish a data protection management!
Establish an IT safety management!
Embed both into a compliance management
14

15. Peter Haase Consulting
PETER HAASE
KIRCHSTR. 12 – D-56820 MESENICH/MOSEL
INFO@PETERHAASE.DE
MOBILE +49-171-8442242
PHONE +49-2673-9580050
VOICE-MAIL / FAX: +49-3212-9860123