The document outlines the implementation of the General Data Protection Regulation (GDPR) in marketing organizations, emphasizing the importance of organizational readiness, stakeholder buy-in, and the appointment of a Data Protection Officer (DPO). It provides a structured approach comprising preparation, running, and maintaining data privacy compliance, alongside highlighting key principles such as transparency, data minimization, and security. The document stresses the urgency of compliance, particularly in the context of data processing activities both within and outside the EU.

1. GDPR for Dummies
How to implement the New Regulation
In your Marketing Organisation?

2. Benoît De Nayer
Co-Founder and Director
ACTITO
Benoit.de.nayer@actito.com
Twitter: @benoitdenayer

3. ACTITO,
Agile Marketing Automation

4. The clock is ticking…
#GDPR

5. What’s in a Name
GDPR
=
General Regulation on Data Protection

6. #R18
GPD
When?

7. #R18
GPD
What will change?

8. Generalities

9. #R18
GPD
Nothing revolutionary

10. #R18
GPD
One text in place of 28

11. #R18
GPD
…But still 28 National Authorities

12. Scope

13. GDPR
Automated data processing

14. GDPR
Inside the EU, but also outside

15. Principles
- Lawfullness, fairness, transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality

16. GDPR
Lawfulnesss

17. GDPR
Transparency

18. GDPR
Right to be forgotten

19. GDPR
Data Portability

20. GDPR
Right to oppose

21. Obligations of the Data Controller

22. GDPR
Documentation

23. GDPR
« Privacy by design »

24. GDPR
« Data Minimization » and « Smart Data »
- The more data are collected, higher
are the risks
- One should focus on most pertinent
data
- One should focus on most recent
data

25. GDPR
Accountability of sub contractors

26. GDPR
Data Security

27. GDPR
Communication on breaches

28. #R18
GPD
The advent of the DPO : the new unicorn

29. How to Implement GDPR
in your organisation?

30. 1° Prepare
• Ensure organisational readiness for GDPR and stakeholders backing
• Review contracts, procedures and policies
• Document treatments
2° Run
• Implement procedures
• Ease Data Subjects exercice of their rights
3° Maintain
• Trigger Assessments when needed
• Improve Processes over time
• Maintain awareness

31. 1. Prepare

32. GDPR
It’s still time…

33. Gain the Buy-in of key stakeholders

34. GDPR
Create your GDPR team : hire a DPO
As a company, You need a DPO if you conduct regular and
systematic monitoring of data subjects on a large scale:
• The number of data subjects concerned – either as a specific number or
as a proportion of the relevant population
• The volume of data and/or the range of different data items being
processed
• The duration, or permanence, of the data processing activity
• The geographical extent of the processing activity

35. Educate team members and third parties

36. GDPR
Map existing data assets and business processes
• Why are you holding it?
• How did you obtain it?
• Why was it originally gathered?
• How long will you retain it?
• How secure is it, both in terms of encryption and
accessibility?
• Do you ever share it with third parties and on what
basis might you do so?

37. Solve relevant third parties issues

38. GDPR
Assess extra-EU data transfers

39. Not only data centers are concerned

40. The clock is ticking…

41. The clock is ticking…

42. The clock is ticking…Privacy Shield

43. The clock is ticking…Obligation to compliance audit of vendors:
Ready to go to court in Austin, TX ?

44. The clock is ticking…
Standard Contractual clauses
and corporate binding rules.
Are they implemented?

45. GDPR
Create a Central Personal data register

46. Review Procedures and Privacy Policies

47. Review privacy notices
to reflect data subject rights

48. Re-evaluate Insurance Coverages

49. GDPR
Check your Tools : the end of the « API economy? »
Source point.io

50. Check your tools : An advantage for integrated suites?

51. 2. Run

52. Improve consumer requests handling

53. Report and manage Personal Data Breach incidents

54. 3. Maintain

55. Trigger Impact Assesments when needed
The DPIA must contain a systematic description of the envisaged processing
operations;
• the purposes of the processing;
• the legitimate interest pursued by the controller (if applicable);
• an assessment of the risks to the rights and freedoms of the data subjects;
• the measures envisaged to address the risks; and,
• safeguards, security measures and mechanisms to ensure the protection of
personal data and to demonstrate compliance.

56. Et vos audits?
Conduct internal
& third parties audits

57. GDPR
Keep informed

58. Conclusion

59. Back to Basics
DATA :
From latin Dare, Dedi, Datum :
To GIVE something in hands

60. GDPR
Privacy as a feature
Privacy is a feature, not a bug…

61. GDPR
Privacy as a feature
The case for
a new
economy of privacy

62. Thank you!
Benoît De Nayer
Co_founder & Director
ACTITO