GDPR – DO IT YOURSELF
GEORGE DRAGUSIN
ISACA ROMANIA EVENT – 28 FEB 2018
linkedin.com/in/dragusin
DISCLAIMER
NOT ANOTHER GDPR PRESENTATION!
Any opinions offered are my own and not those of my employer or ISACA. No information contained in this presentation is to be considered as legal advice. This presentation is provided for informational and educational purposes.
DISCLAIMER 2
There is no one size fits all GDPR. Sorry.
p.s. there are no GDPR experts (or UNICORNS). Yeah, sorry to burst your bubble.
WHAT’S THE CHALLENGE?
https://www.closebrotherstechnology.co.uk/general-data-protection-regulation
25 MAY 2018 (the date GDPR applies): GDPR WILL FUNDAMENTALLY CHANGE THE BUSINESS PROCESSES
ANY OPTIONS?
- TIME
- EXPERIENCE
- BUSINESS KNOWLEDGE
- PEOPLE
- MONEY
- FLEXIBILITY
HOW DO WE MAKE IT HAPPEN?
- MANAGEMENT SUPPORT !!!
- TEAM
- KNOW HOW
- PROJECT PLAN
WHAT’S MY GDPR A-TEAM?
- PROJECT SPONSOR (MGMT)
- PM
- DPO
- BUSINESS ANALYSTS
- LEGAL
- COMPLIANCE
- IT
- CISO
- COMMUNICATION
Tips:
- Make sure the TEAM has enough authority to do their work
- Make sure the KEY PEOPLE are allocated full time to this project
- You never have enough SOFT SKILLS in your team
- Remember that everyone is trying to help and there are NO EXPERTS
HOW DO WE START?
PHASE I – Documenting Internal Processes
- A process-based approach is recommended for any type of analysis (if you want to see any results down the line)
- The tools used to gather information are not that relevant at this stage (Excel is fine)
- Interviews are mandatory – no document can tell “the full story”
- Prepare your interviews in advance – review procedures, policies, etc.
- Everyone is in the same boat – don’t use GDPR to settle personal disputes
- Draw the process diagram – it will help!
- Explain to everyone what DATA PROCESSING is (collection, storage, usage, deletion, etc.)
- DELIVERY: Process Evidence Documentation
WHO? WHAT? WHERE? (what to record for each process)
- Data subjects
- Personal data processed
- Documents processed
- Channel used for data collection
- Data collection – from the data subject vs. from a 3rd party
- Scope of data processing
- Lawfulness of processing
- Internal procedures
- Hard copy vs. electronic records
- IT systems used to store data (EU vs. non-EU)
- Data disclosure agreements
- Data controller vs. data processors
- Archiving periods
WHAT’S NEXT?
PHASE II – GDPR Analysis & Measures
- By now you should have a good idea about what kind of processing you are doing
- LEGAL input in this phase is mandatory (add a dash of COMPLIANCE to the mix)
- Seek input from the IT and Security functions (technical aspects)
- Try to keep a balance between THEORY and PRACTICE
- A risk-based approach is essential
- Don’t overreact – GDPR is not here to kill your business
- Don’t use CONSENT as the reason for every processing activity (consent can be withdrawn at any time, so anything you have to process anyway needs another lawful basis)
- Legitimate interest is also tricky (it needs a documented balancing test against the data subject’s interests; use it as a last resort)
- DELIVERY: Action Plan
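Phases I and II together amount to a record of processing activities plus a gap check over it that produces the action plan. As an added example (not from the deck and not from any particular tool), here is a small Python version of that check. The record layout, the field names, the sample entries and the 50% consent threshold are assumptions; the six lawful bases are those of GDPR Art. 6(1). Each finding is one action-plan item.

```python
"""Gap check over a processing inventory (the Phase I 'WHO? WHAT? WHERE?' record).

Added illustration, not part of the original deck. Record layout, field
names, sample entries and the consent threshold are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The six lawful bases of GDPR Art. 6(1).
LAWFUL_BASES = {"consent", "contract", "legal_obligation", "vital_interest",
                "public_task", "legitimate_interest"}


@dataclass
class ProcessingActivity:
    name: str
    data_subjects: List[str]            # e.g. ["employees"]
    personal_data: List[str]            # categories, e.g. ["name", "email"]
    collection_channel: str             # "web form", "paper", "API", ...
    collected_from_subject: bool        # False when obtained from a 3rd party
    purpose: str
    lawful_basis: Optional[str]         # one of LAWFUL_BASES, None when unknown
    storage_systems: List[Tuple[str, bool]]  # (system name, stored in the EU?)
    processors: List[str]               # 3rd parties processing on our behalf
    processor_agreements: List[str]     # processors with a signed DPA
    retention: Optional[str]            # archiving period, None when undefined
    balancing_test_done: bool = False   # only relevant for legitimate_interest


def check_activity(a: ProcessingActivity) -> List[str]:
    """Action items for one activity; an empty list means no gap was found."""
    issues = []
    if a.lawful_basis not in LAWFUL_BASES:
        issues.append(f"{a.name}: lawful basis missing or not an Art. 6(1) basis "
                      f"({a.lawful_basis!r}); LEGAL to decide")
    if a.lawful_basis == "legitimate_interest" and not a.balancing_test_done:
        issues.append(f"{a.name}: legitimate interest claimed without a documented balancing test")
    if not a.collected_from_subject and a.lawful_basis == "consent":
        issues.append(f"{a.name}: data obtained from a 3rd party but the basis is consent; "
                      "verify who collected the consent and for what")
    for system, in_eu in a.storage_systems:
        if not in_eu:
            issues.append(f"{a.name}: stored in {system} outside the EU; "
                          "a transfer mechanism is needed (Chapter V)")
    for p in a.processors:
        if p not in a.processor_agreements:
            issues.append(f"{a.name}: processor {p} has no data processing agreement (Art. 28)")
    if not a.retention:
        issues.append(f"{a.name}: no archiving/retention period defined")
    return issues


def check_inventory(activities: List[ProcessingActivity]) -> List[str]:
    """Action plan for the whole inventory, plus one inventory-wide warning
    when consent is the basis for most activities (threshold is an assumption)."""
    plan = []
    for a in activities:
        plan.extend(check_activity(a))
    bases = Counter(a.lawful_basis for a in activities)
    if activities and bases["consent"] / len(activities) > 0.5:
        plan.append("inventory: consent is the basis for most activities; consent can be "
                    "withdrawn at any time (Art. 7(3)), so re-check each one")
    return plan


# Constructed sample inventory, not real data.
SAMPLE_INVENTORY = [
    ProcessingActivity("Payroll", ["employees"], ["name", "IBAN", "salary"], "HR form", True,
                       "salary payment", "legal_obligation", [("HR-DB", True)],
                       ["PayrollCo"], ["PayrollCo"], "10 years"),
    ProcessingActivity("Newsletter", ["customers"], ["email"], "web form", True,
                       "marketing", "consent", [("MailTool", False)],
                       ["MailTool"], [], None),
    ProcessingActivity("Credit check", ["applicants"], ["name", "credit score"], "API", False,
                       "loan approval", "legitimate_interest", [("CRM", True)],
                       [], [], "5 years"),
]

if __name__ == "__main__":
    for item in check_inventory(SAMPLE_INVENTORY):
        print("-", item)
```

The same checks can be expressed as conditional formatting over the Excel sheet from Phase I; the point is that every row needs a basis, a location, a processor agreement and a retention period before the action plan is complete.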
IT TRANSFORMATION
TECHNICAL MEASURES
- You get a better overview of what’s required once you finish the analysis for ALL processes
- Changes to IT systems (e.g. pseudonymize or anonymize data, encryption; both are named as security measures in Art. 32)
- Implementation of new IT systems (e.g. Document Management Systems)
- Can’t be done overnight (money, people, time)
- Any IT change needs to be carefully considered
- Balance the costs with the benefits
- Almost everyone sells a solution that is “GDPR compliant” / “GDPR ready” – no product makes you compliant by itself
- Incident response tools (breach detection, logging and a tested process; notification to the supervisory authority is due within 72 hours of becoming aware of a breach, Art. 33)
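On the “anonymize data” line, a caveat a practitioner wants before signing off a system change: hashing an identifier is not anonymization. Added example, not from the deck; the e-mail addresses are constructed and the key is generated at run time (in production it lives in a KMS/HSM, never beside the data).

```python
"""Why a bare hash of an identifier is pseudonymization at best, never anonymization.

Added illustration, not part of the original deck. Sample addresses are
constructed; the key is generated at run time for the demo only.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Optional


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256: anyone with a list of candidate identifiers can recompute and match."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256: a stable token for joins and analytics that can only be
    re-linked by whoever holds the key. This is pseudonymization in the sense of
    Art. 4(5): the key is the 'additional information', and the token is still
    personal data."""
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()


def reverse_by_dictionary(token: str, candidates: Iterable[str],
                          fn: Callable[[str], str]) -> Optional[str]:
    """The attack: try every candidate identifier and compare its token with the target."""
    return next((c for c in candidates if fn(c) == token), None)


def aggregate_by_domain(emails: Iterable[str]) -> Dict[str, int]:
    """Closer to anonymization: keep only counts per domain, no per-person token.
    Small counts can still single people out, so check group sizes before release."""
    counts: Dict[str, int] = {}
    for e in emails:
        domain = e.lower().rsplit("@", 1)[-1]
        counts[domain] = counts.get(domain, 0) + 1
    return counts


# Constructed sample data (not real people) and a fresh demo key.
CANDIDATE_EMAILS = ["ana@example.com", "ion@example.com", "maria@example.com"]
KEY = secrets.token_bytes(32)


def demo():
    """Returns (recovered from plain hash, recovered from HMAC without key,
    recovered from HMAC with key)."""
    target = "ion@example.com"
    unkeyed = plain_hash(target)
    keyed = pseudonymize(target, KEY)
    # Attacker with a candidate list reverses the plain hash immediately.
    recovered_unkeyed = reverse_by_dictionary(unkeyed, CANDIDATE_EMAILS, plain_hash)
    # Same attacker without the key gets nothing from the HMAC token.
    recovered_keyed = reverse_by_dictionary(keyed, CANDIDATE_EMAILS, plain_hash)
    # The key holder can still re-link it, which is why it remains personal data.
    recovered_with_key = reverse_by_dictionary(keyed, CANDIDATE_EMAILS,
                                               lambda c: pseudonymize(c, KEY))
    return recovered_unkeyed, recovered_keyed, recovered_with_key


if __name__ == "__main__":
    print(demo())
    print(aggregate_by_domain(CANDIDATE_EMAILS))
```

The practical consequence for the action plan: a “hashed” customer table still sits inside GDPR scope (retention, subject access requests, breach notification all apply), and the HMAC key needs the same access control and rotation plan as any other secret.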
BUSINESS TRANSFORMATION
ORGANIZATIONAL MEASURES (some examples)
- Easier to implement than technical measures
- Review contractual agreements
- Review consent and how it’s managed
- Update / create policies & procedures (Data Processing, Breach Notification, Subject Access Requests, etc.)
- Appoint a DPO (mandatory for public authorities and where core activities involve large-scale regular and systematic monitoring or large-scale processing of special categories of data, Art. 37; otherwise still good practice)
- Internal guideline for Data Processing Activities
- Employee training & awareness
CONCLUSION
