GDPR - Do It Yourself
1. GDPR – DO IT YOURSELF
GEORGE DRAGUSIN
ISACA ROMANIA EVENT – 28 FEB 2018
linkedin.com/in/dragusin
2. DISCLAIMER
NOT ANOTHER GDPR PRESENTATION!
Any opinions offered are my own and not those of my employer or ISACA. No information contained in this presentation is to be considered as legal advice. This presentation is provided for informational and educational purposes.
3. DISCLAIMER 2
There is no one size fits all GDPR. Sorry.
p.s. there are no GDPR experts
Yeah, sorry to burst your bubble.
or UNICORNS
4. WHAT’S THE CHALLENGE ?
https://www.closebrotherstechnology.co.uk/general-data-protection-regulation
25 MAY 2018
GDPR WILL FUNDAMENTALLY CHANGE THE BUSINESS PROCESSES
6. HOW DO WE MAKE IT HAPPEN ?
- MANAGEMENT SUPPORT !!!
- TEAM
- KNOW HOW
- PROJECT PLAN
7. WHAT’S MY GDPR A-TEAM ?
- PROJECT SPONSOR (MGMT)
- PM
- DPO
- BUSINESS ANALYSTS
- LEGAL
- COMPLIANCE
- IT
- CISO
- COMMUNICATION
- Make sure the TEAM has enough authority to do their work
- Make sure the KEY PEOPLE are allocated full time to this project
- You never have enough SOFT SKILLS in your team
- Remember that everyone is trying to help and there are NO EXPERTS
8. HOW DO WE START?
PHASE 1 – Documenting Internal Processes
- A process-based approach is recommended for any type of analysis (if you want to see any results down the line)
- Tools used to gather information are not that relevant at this stage (Excel could do just fine)
- Interviews are mandatory – no document can tell “the full story”
- Prepare your interview in advance – review procedures, policies, etc.
- Everyone is in the same boat – don’t use GDPR to settle personal disputes
- Draw the process diagram – it will help!
- Explain to everyone what DATA PROCESSING is (collection, storage, usage, deletion, etc.)
- DELIVERY: Process Evidence Documentation
9. WHO? WHAT ? WHERE ?
- Data subjects
- Personal data processed
- Documents processed
- Channel used for data collection
- Data collection – data subject vs. 3rd party
- Scope of data processing
- Lawfulness of processing
- Internal procedures
- Hard copy vs. electronic records
- IT systems used to store data (EU vs. non-EU)
- Data disclosure agreements
- Data controller vs. data processors
- Archiving periods
10. WHAT’S NEXT ?
PHASE II – GDPR Analysis & Measures
- By now you should have a good idea about what kind of processing you are doing
- LEGAL input in this phase is mandatory (add a dash of COMPLIANCE to the mix)
- Seek input from IT and Security functions (technical aspects)
- Try to keep a balance between THEORY and PRACTICE
- A risk-based approach is essential
- Don’t overreact – GDPR is not here to kill your business
- Don’t use CONSENT as the reason for every processing activity
- Legitimate interest is also tricky (use it as a last resort)
- DELIVERY: Action Plan
11. IT TRANSFORMATION
TECHNICAL MEASURES
- Better overview of what’s required once you finish the analysis for ALL processes
- Changes to IT systems (e.g. anonymize data, encryption)
- Implementation of new IT systems (e.g. Document Management Systems)
- Can’t be done overnight (money, people, time)
- Any IT change needs to be carefully considered
- Balance the costs with the benefits
- Almost everyone sells a solution that is GDPR compliant / GDPR ready
- Incident response tools
12. BUSINESS TRANSFORMATION
ORGANIZATIONAL MEASURES (some examples)
- Easier to implement than technical measures
- Review contractual agreements
- Review consent and how it’s managed
- Update / create policies & procedures (Data Processing, Breach Notification, Subject Access Requests, etc.)
- Appoint DPO
- Internal guideline for Data Processing Activities
- Employee training & awareness