FERMA, profile picture
Uploaded byFERMA
PDF, PPTX1,109 views

GDPR & corporate Governance, Evaluation after 2 years implementation

The document outlines critical threats to organizational growth for 2020, emphasizing cybersecurity and GDPR compliance challenges. It discusses the evolving role of Data Protection Officers (DPO) as risk managers, highlighting the importance of risk assessment in data protection and ongoing challenges in adhering to GDPR. The document also includes expert insights on the impact of GDPR on business activities and addresses the need for agility in compliance, particularly in light of the COVID-19 pandemic.

Embed presentation

Download as PDF, PPTX
In partnership with European Risk Manager Report 2020 Edition Top critical threats to the organisation’s growth prospects within the next 12 months CYBER THREAT UNCERTAIN ECONOMIC GROWTH AVAILABILITY OF KEY SKILLS DATA FRAUD OR THEFT OVER-REGULATION CYBER THREAT UNCERTAIN ECONOMIC GROWTH GEOPOLITICAL UNCERTAINLY OVER-REGULATION CHANGING CONSUMER BEHAVIOUR TOP RISK 2020TOP RISK 2018 37% 39% 24% How do you deal with risks arising from emerging technologies ? Identification and assessment of risks prior to adoption of new technologies by the business Identification and assessment of emerging technologies used by the business Analysis and remediation of any insurance coverage gaps
Risks in Focus 2021
Cybersecurity and Data security as top risk again!
GDPR :expert’s introduction Ralf Herold Senior Vice President, Corporate Audit BASF Jérôme Avot Group Risk Officer and Data Protection Officer at Faurecia Olivier Micol Head of Data Protection Unit at the European Commission, Directorate- General for Justice
GDPR :Expert Talk Olivier Micol Head of Data Protection Unit at the European Commission, Directorate- General for Justice ▪ Key elements of the recent GDPR evaluation report of the European Commission ▪ share the latest data and feedback from companies and civil society ▪ overview of future planned initiatives
GDPR :Polling question #1 How would you assess the level of divergence in the enforcement of GDPR regulation by DPA in EU? ❑ High ❑ Medium ❑ Low
GDPR :Polling question #2 How do you evaluate your interaction with the DPA in your country? ❑ Very Good ❑ Good ❑ Bad ❑ Very Bad
GDPR :Expert Talk ➢ About FAURECIA ➢ Impact of the GDPR on the activities ➢ How to be both DPO and Risk Manager ? ➢ Ongoing challenges ➢ Covid 19 and GDPR Jérôme Avot Group Risk Office and Data Protection Officer, FAURECIA
About FAURECIA
Impact of the GDPR on the activities • While the GDPR was mostly generating fear, uncertainty and doubts before its application in May 2018… the benefits, after more than two years, are widely recognized ! • It forced helped companies to perform a comprehensive inventory of all their data processing activities • … and act on those which were not (fully) compliant (security, data retention, consent…) • It helped to start projects (especially security related) which were not considered as “priority 1”. A new regulation is a good excuse to get budget ☺ • Companies are now taking more care regarding their own sub-contractors (from a legal and practical standpoint) including requirement for certification, audits, … • Most companies are now ready in case of Data Breach, they know how to deal with new “data processing” (privacy by design) and are used to respond to Data Subject Request. • Wider training program to employees regarding data protection contributing to the reinforcement of the overall cyber-security of the company GDPR is a journey, not a destination, but companies have mostly embraced the spirit of GDPR and are moving in the right direction to drastically improve personal data protection.
How to be both DPO and Risk Manager ? Being a DPO and Risk Manager is totally compatible… but not all Risk Manager can be DPO and not all DPO could be Risk Manager • The word “Risk” is being mentioned more than 78 times in the official GDPR regulation • Risk Management is one of the pillars of the GDPR Regulation • So who else better than a “Risk Manager” to manage “Personal Data Protection” risk ? • This is not that obvious: • The DPO is usually considered as a “five-legged sheep” : • Need for (even basic) legal knowledge • Need for Information System Security knowledge • Need to be pedagogue, good ability to communicate and train people • Need to have a good internal network and be recognized • Need to be able to assess risks • Not all “Risk Managers” will therefore do the job ☺ • However being both Risk Manager and DPO has many benefits including: • Benefits from “risk oriented” mindset and ensure perfect alignment with Risk Management methodology • Good mix between daily actions as a “DPO” and more medium/long term action as “Risk Manager” • Being able to assess this specific risk at the right level in the overall risk matrix
Ongoing challenges ? • Three main ongoing challenges to deal with in the current context: • Ensure continuous GDPR compliance • How to make sure that all new and existing data processing activities are recorded and compliant ? • How to ensure that all changes are being done in compliance with GDPR mindset ? • Spot the weakest link • Security of data is a matter of weakest link and the difficulty is to find out what could be this weakest link leading to a data breach. • How well protected are your test environments ? Does your replicated data are being anonymized ? • Where are your backup stored and how secure they are ? • How well protected is your sub-contractor laptop holding a backup of all your data ? • Deal with the invalidation of the Privacy Shield (since July 2020) • Should we put in place Standard Contractual Clauses (SCCs) or even Binding Corporate Rules (BCRs) ? • Should we start compartmentalizing data in different regions ? (e-mails for instance) • Should we suspend temporarily such transfers until clear guidance is released ?
Covid-19 and GPDR During this difficult and complex period, all Europeans DPA are making efforts to provide guidance and assistance to companies on this complex topic… but companies still need to apply GDPR principles and be agile in a fast-paced changing environment ! • Employers have obligations to ensure the health and safety of employees while at work but they also need to ensure compliance with GDPR: A real challenge in this Covid-19 context ! • Health information is classed as “special category of personal data” under GDPR meaning a Data Protection Impact Assessment should be done in order to understand the risks associated with such kind of data processing and… ensure those risks are properly mitigated ! • Typical steps include: • Identify clear needs (“purpose limitation” and “data minimization” principles) for each cases (temperature screening, CCTV, close contacts…) and collect ONLY NECESSARY data • Identity a “Lawful basis of processing” (and forget about consent) • Prepare a “Privacy Policy” (“right to be informed” principle) • Ensure Security and Confidentiality of data (“security” principle) • And… document the measures taken (“accountability” principle)
GDPR :Expert Talk ➢ About BASF ➢ Impact of the GDPR on the activities ➢ The role of internal auditors: what has changed? ➢ Ongoing challenges ➢ Covid 19 and GDPR Ralf Herold Senior Vice President, Corporate Audit BASF
Facts important to know: Objectives of the EU-GDPR – protection of natural person, and more..! Striving for a balance of all 3 objectives in a common EU-market with same market rules & conditions for all market subjects  protection of personal data is not an absolute right GDPR Recital 1 “protection of natural persons in relation to the processing of personal data Art 1 GDPR & Recital 9 “free flow of personal data throughout the Union” Recital 2 Recital 4 “Economic union, strengthening EU market development” “freedom to conduct business”
17 NationNation Enterprise Enterprise Employee Customer/Vendor 2 3 4 5 6 1 Nation/Government Enterprise/Company 1. Nation/Nation: Contracts & No-Spy 2. Government/Enterprise: Regulatory Business Framework 3. Government/Citizen: Civil Rights/Right to be left alone/Data ownership and disposition rights  National Security & Law Enforcement – “Social Contract: Citizens  Government” 4. Enterprise/Enterprise: Contracts – IP rights – Anti-Trust Regulations 5. Enterprise/Employee: Contracts - Consensus 6. Enterprise/Customer/Vendor: Contracts - Consensus Data Subjects Protection of the Rights of a Natural Person – What Enterprises can do and have to focus on ➢ Enterprises adhere to rules ➢ Can‘t solve political disputes or Nations or Government affairs
BASF SE = Main Establishment BASF Group EU-Companies = Group Of Undertakings Lead Supervisory Authority The State Commissioner for Data Protection and the Freedom of Information Rhineland-Palatinate LfDI RLP Data Protection Commissioner by Country Consistency Mechanism BASF applies the One-Stop-Shop Concept (Art. 56 & Art. 60 GDPR) Data Protection @ BASF ➢ by design Europa ➢ de facto Global
Questions & Answers
Supporting documents
Thank you
About FERMA FERMA brings together 22 risk management associations in 21 European countries. They represent nearly 5,000 professional risk managers active in a wide range of business sectors. The Federation of European Risk Management Associations (FERMA) speaks for the risk management profession in Europe. FERMA acts on its behalf at European level and promotes the risk management profession. FERMA provides a risk management perspective on European issues and strengthens the profession through a European risk management certification (rimap). www.ferma.eu
About ECIIA ECIIA gives voice to 48.000 Internal Auditors in 34 countries from wider Europe. The European Confederation of Institutes of Internal Auditing (ECIIA) is the voice of internal audit in Europe. Our role is to enhance corporate governance through the promotion of the professional practice of internal auditing. The ECIIA mission is to further the development of good corporate governance and internal audit at the European level, through • Knowledge sharing • Developing key relationships • Impacting the regulatory environment, by dealing with the European Union, its Parliament and the European Authorities.

More Related Content

PPTX
GDPR & corporate governance: the role of risk management and internal audit o...
byFERMA
 
PDF
Artificial intelligence (1)
bykiravaibhavDib
 
PPTX
FERMA European Risk Manager Report 2020: full set of results
byFERMA
 
PDF
Webinar: Why risk managers should look at Artificial Intelligence now?
byFERMA
 
PDF
Risk management recovery and resilience covid 19 survey report 2020 2020.12.0...
byFERMA
 
PDF
European Risk Management Seminar 2018 - Sustainability Report
byFERMA
 
PPTX
Webinar: Risk management in a global pandemic - Early lessons learned, EU – U...
byFERMA
 
PDF
Risk Manager European Profile 2018
byFERMA
 
GDPR & corporate governance: the role of risk management and internal audit o...
byFERMA
 
Artificial intelligence (1)
bykiravaibhavDib
 
FERMA European Risk Manager Report 2020: full set of results
byFERMA
 
Webinar: Why risk managers should look at Artificial Intelligence now?
byFERMA
 
Risk management recovery and resilience covid 19 survey report 2020 2020.12.0...
byFERMA
 
European Risk Management Seminar 2018 - Sustainability Report
byFERMA
 
Webinar: Risk management in a global pandemic - Early lessons learned, EU – U...
byFERMA
 
Risk Manager European Profile 2018
byFERMA
 

What's hot

PDF
Ferma report: Artificial Intelligence applied to Risk Management
byFERMA
 
PDF
HBR - Zurich - FERMAZ - PRIMO Cyber Risks Report
byFERMA
 
PPTX
Sustainability as risk management
byMetso Group
 
PDF
Sustainability & Risk Management
byTurlough Guerin GAICD FGIA
 
PDF
ESG Risks and Thai Banks: Time to Walk the Talk
bySarinee Achavanuntakul
 
PPTX
Sustainable Brands New Metrics: The evolution of social and human capital man...
byMike Wallace
 
PDF
Managing the ESG Ecosystem US EPA_Feb_2021
byMike Wallace
 
PDF
EMEA Insurers Snapshot - Regional Snapshot
byMelissa Scianna
 
PPTX
Insurance Role in a Climate Change Constraint World: UAE Motor Best Practice ...
byNarimanMaalouf
 
PDF
Sustainability Knowledge Group launches new digital reporting tool
bySustainability Knowledge Group
 
PPTX
Sustainability and Integrated Reporting
bypaul young cpa, cga
 
Ferma report: Artificial Intelligence applied to Risk Management
byFERMA
 
HBR - Zurich - FERMAZ - PRIMO Cyber Risks Report
byFERMA
 
Sustainability as risk management
byMetso Group
 
Sustainability & Risk Management
byTurlough Guerin GAICD FGIA
 
ESG Risks and Thai Banks: Time to Walk the Talk
bySarinee Achavanuntakul
 
Sustainable Brands New Metrics: The evolution of social and human capital man...
byMike Wallace
 
Managing the ESG Ecosystem US EPA_Feb_2021
byMike Wallace
 
EMEA Insurers Snapshot - Regional Snapshot
byMelissa Scianna
 
Insurance Role in a Climate Change Constraint World: UAE Motor Best Practice ...
byNarimanMaalouf
 
Sustainability Knowledge Group launches new digital reporting tool
bySustainability Knowledge Group
 
Sustainability and Integrated Reporting
bypaul young cpa, cga
 

Similar to GDPR & corporate Governance, Evaluation after 2 years implementation

PDF
7 Key GDPR Requirements & the Role of Data Governance
byDATUM LLC
 
PDF
Enterprise Data World 2018
byjadams6
 
PPTX
Keep Calm and Comply: 3 Keys to GDPR Success
bySirius
 
PDF
eu-market-access-gdpr-fundamentals-by-risk-associates
byMohsin Termezy
 
PPTX
General Data Protection Regulation (GDPR)
byKimberly Simon MBA
 
PPTX
General Data Protection Regulation (GDPR)
byControlCase
 
PPTX
BigID GDPR Compliance Automation Webinar Slides
byDimitri Sirota
 
PDF
GDPR (En) JM Tyszka
byJean-Michel Tyszka
 
PPTX
GDPR The New Data Protection Law coming into effect May 2018. What does it me...
byeHealth Forum
 
PPTX
EU's General Data Protection Regulation (GDPR)
byKimberly Simon MBA
 
PPTX
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
byQualsys Ltd
 
PPTX
General Data Protection Regulation (GDPR) Implications for Canadian Firms
byaccenture
 
PDF
Aon GDPR white paper
byGraeme Cross
 
PDF
#HR and #GDPR: Preparing for 2018 Compliance
byDovetail Software
 
PDF
General Data Protection Regulation: Where are we now?
byLeigh Hill
 
PPTX
The general data protection act overview
byRoy Biakpara, MSc.,CISA,CISSP,CISM,ISO27KLA
 
PDF
Five strategies for gdpr compliance
byPeter Goldbrunner
 
PDF
Setting the right GDPR priorities
byAlberto Canadè
 
PDF
GDPR Webinar - feb
bySophos Benelux
 
PPTX
GDPR How to get started?
byPeter Witsenburg
 
7 Key GDPR Requirements & the Role of Data Governance
byDATUM LLC
 
Enterprise Data World 2018
byjadams6
 
Keep Calm and Comply: 3 Keys to GDPR Success
bySirius
 
eu-market-access-gdpr-fundamentals-by-risk-associates
byMohsin Termezy
 
General Data Protection Regulation (GDPR)
byKimberly Simon MBA
 
General Data Protection Regulation (GDPR)
byControlCase
 
BigID GDPR Compliance Automation Webinar Slides
byDimitri Sirota
 
GDPR (En) JM Tyszka
byJean-Michel Tyszka
 
GDPR The New Data Protection Law coming into effect May 2018. What does it me...
byeHealth Forum
 
EU's General Data Protection Regulation (GDPR)
byKimberly Simon MBA
 
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
byQualsys Ltd
 
General Data Protection Regulation (GDPR) Implications for Canadian Firms
byaccenture
 
Aon GDPR white paper
byGraeme Cross
 
#HR and #GDPR: Preparing for 2018 Compliance
byDovetail Software
 
General Data Protection Regulation: Where are we now?
byLeigh Hill
 
The general data protection act overview
byRoy Biakpara, MSc.,CISA,CISSP,CISM,ISO27KLA
 
Five strategies for gdpr compliance
byPeter Goldbrunner
 
Setting the right GDPR priorities
byAlberto Canadè
 
GDPR Webinar - feb
bySophos Benelux
 
GDPR How to get started?
byPeter Witsenburg
 

More from FERMA

PDF
FERMA contribution to the French Presidency agenda
byFERMA
 
PDF
The role of risk management in corporate resilience
byFERMA
 
PDF
Webinar: the role of risk management in corporate resilience
byFERMA
 
PDF
People, Planet & Performance: sustainability guide for risk and insurance man...
byFERMA
 
PDF
Collaboration of the Year Award winner 2020: Pim Moerman and Rob van den Eijn...
byFERMA
 
PDF
Argo Group: operationalizing emerging risk 2020
byFERMA
 
PDF
Argo Group: entry for emerging risk initiative of the year Award 2020
byFERMA
 
PPTX
George Ong, Chief Risk Officer, Northern Ireland Water
byFERMA
 
PPTX
The European risk manager report 2020: webinar presentation
byFERMA
 
PDF
GDPR & corporate governance: The Role of Internal Audit and Risk Management O...
byFERMA
 
PDF
Facts and figures about our risk management associations in Europe 2019
byFERMA
 
PPTX
Webinar: how risk management can contribute to sustainable growth?
byFERMA
 
PPTX
FERMA Webinar: At the Junction of Corporate Governance and Cyber Security
byFERMA
 
PDF
Ferma European Risk Manager Report 2018
byFERMA
 
PDF
Ferma PwC European Risk Manager Report_ full set results 2018
byFERMA
 
PDF
European risk management sustainability seminar report
byFERMA
 
PDF
Fer008 ferma risk-mangmt_18_sem_sustainabiity_report_v15_07_nov18 (1)
byFERMA
 
PDF
European Risk Management Seminar 2018 - Cyber Report
byFERMA
 
PDF
Ferma perspectives #2 - Cyber Risk Governance 09.10.2018
byFERMA
 
PDF
Preparing for cyber insurance - FERMA - Insurance Europe - BIPAR
byFERMA
 
FERMA contribution to the French Presidency agenda
byFERMA
 
The role of risk management in corporate resilience
byFERMA
 
Webinar: the role of risk management in corporate resilience
byFERMA
 
People, Planet & Performance: sustainability guide for risk and insurance man...
byFERMA
 
Collaboration of the Year Award winner 2020: Pim Moerman and Rob van den Eijn...
byFERMA
 
Argo Group: operationalizing emerging risk 2020
byFERMA
 
Argo Group: entry for emerging risk initiative of the year Award 2020
byFERMA
 
George Ong, Chief Risk Officer, Northern Ireland Water
byFERMA
 
The European risk manager report 2020: webinar presentation
byFERMA
 
GDPR & corporate governance: The Role of Internal Audit and Risk Management O...
byFERMA
 
Facts and figures about our risk management associations in Europe 2019
byFERMA
 
Webinar: how risk management can contribute to sustainable growth?
byFERMA
 
FERMA Webinar: At the Junction of Corporate Governance and Cyber Security
byFERMA
 
Ferma European Risk Manager Report 2018
byFERMA
 
Ferma PwC European Risk Manager Report_ full set results 2018
byFERMA
 
European risk management sustainability seminar report
byFERMA
 
Fer008 ferma risk-mangmt_18_sem_sustainabiity_report_v15_07_nov18 (1)
byFERMA
 
European Risk Management Seminar 2018 - Cyber Report
byFERMA
 
Ferma perspectives #2 - Cyber Risk Governance 09.10.2018
byFERMA
 
Preparing for cyber insurance - FERMA - Insurance Europe - BIPAR
byFERMA
 

Recently uploaded

DOCX
How to Buy Apple ID Accounts in 2026.docx
byDigital Marketing in the USA
 
DOCX
Best Online Sources for Buying Verified PayPal Business Accounts.docx
bymarketing
 
PDF
First Equity BOD New Copper Licences 26 Jan 2026
byJames AH Campbell
 
PDF
Where to Buy Gmail Accounts Online: A 2026 Guide
byusaseoshops
 
PPTX
PDYN Investor Presentation - January 2026.pptx
byPalladyne AI
 
DOCX
Why Should I Buy Old Gmail Accounts_losangeless _______________.docx
byjoshuabellc7
 
PDF
Where and why Buy Verified Binance Accounts With Full KYC ....pdf
byhttps://propvaservice.com/
 
PDF
Top 10 Trusted Places to Buy Verified Airbnb Accounts Today.pdf
byriwansavage
 
PPTX
Thermal Energy International - TMG - Q2 2026 Earnings Call
byMarketing847413
 
PDF
V3Cube On-Demand House Cleaning App Solution
byV3CUBE TECHNOLABS
 
PDF
9 Best Sites to Buy Old Gmail Accounts (PVA & Aged).pdf
byhttps://propvaservice.com/product/buy-old-gmail-accounts/
 
PPTX
Yurii Chaika: Бізнес-цінність ПМО в різних типах бізнесу та моделях компанії ...
byLviv Startup Club
 
DOCX
7 Sites to Buy Verified Binance Account Overview.docx
byTopsellerit
 
PDF
Dr. Michael T. Conner - Serves As CEO
byDr. Michael T. Conner
 
PDF
Using-pension-savings-to-support-home-ownership.pdf
byHenry Tapper
 
PDF
Camil Institutional Presentation_Jan26.pdf
byCAMILRI
 
PDF
Gmail Accounts and Email Communication Architecture: An Academic Study of Dig...
bythumberjames7
 
PDF
Maksym Vyshnivetskyi: Управління якістю (UA)
byLviv Startup Club
 
PDF
IT Administration Staffing Jobs in Albany,Ny.pdf
byThe Sculpt Aesthetics Sculpt Cosmetic Surgery
 
PDF
Startup 8 - Student's Book - ENGLISH - Advanced 2
byenglishcloudresource
 
How to Buy Apple ID Accounts in 2026.docx
byDigital Marketing in the USA
 
Best Online Sources for Buying Verified PayPal Business Accounts.docx
bymarketing
 
First Equity BOD New Copper Licences 26 Jan 2026
byJames AH Campbell
 
Where to Buy Gmail Accounts Online: A 2026 Guide
byusaseoshops
 
PDYN Investor Presentation - January 2026.pptx
byPalladyne AI
 
Why Should I Buy Old Gmail Accounts_losangeless _______________.docx
byjoshuabellc7
 
Where and why Buy Verified Binance Accounts With Full KYC ....pdf
byhttps://propvaservice.com/
 
Top 10 Trusted Places to Buy Verified Airbnb Accounts Today.pdf
byriwansavage
 
Thermal Energy International - TMG - Q2 2026 Earnings Call
byMarketing847413
 
V3Cube On-Demand House Cleaning App Solution
byV3CUBE TECHNOLABS
 
9 Best Sites to Buy Old Gmail Accounts (PVA & Aged).pdf
byhttps://propvaservice.com/product/buy-old-gmail-accounts/
 
Yurii Chaika: Бізнес-цінність ПМО в різних типах бізнесу та моделях компанії ...
byLviv Startup Club
 
7 Sites to Buy Verified Binance Account Overview.docx
byTopsellerit
 
Dr. Michael T. Conner - Serves As CEO
byDr. Michael T. Conner
 
Using-pension-savings-to-support-home-ownership.pdf
byHenry Tapper
 
Camil Institutional Presentation_Jan26.pdf
byCAMILRI
 
Gmail Accounts and Email Communication Architecture: An Academic Study of Dig...
bythumberjames7
 
Maksym Vyshnivetskyi: Управління якістю (UA)
byLviv Startup Club
 
IT Administration Staffing Jobs in Albany,Ny.pdf
byThe Sculpt Aesthetics Sculpt Cosmetic Surgery
 
Startup 8 - Student's Book - ENGLISH - Advanced 2
byenglishcloudresource
 

GDPR & corporate Governance, Evaluation after 2 years implementation

  • 2.
    In partnership with EuropeanRisk Manager Report 2020 Edition Top critical threats to the organisation’s growth prospects within the next 12 months CYBER THREAT UNCERTAIN ECONOMIC GROWTH AVAILABILITY OF KEY SKILLS DATA FRAUD OR THEFT OVER-REGULATION CYBER THREAT UNCERTAIN ECONOMIC GROWTH GEOPOLITICAL UNCERTAINLY OVER-REGULATION CHANGING CONSUMER BEHAVIOUR TOP RISK 2020TOP RISK 2018 37% 39% 24% How do you deal with risks arising from emerging technologies ? Identification and assessment of risks prior to adoption of new technologies by the business Identification and assessment of emerging technologies used by the business Analysis and remediation of any insurance coverage gaps
  • 3.
  • 4.
    Cybersecurity and Datasecurity as top risk again!
  • 5.
    GDPR :expert’s introduction RalfHerold Senior Vice President, Corporate Audit BASF Jérôme Avot Group Risk Officer and Data Protection Officer at Faurecia Olivier Micol Head of Data Protection Unit at the European Commission, Directorate- General for Justice
  • 6.
    GDPR :Expert Talk OlivierMicol Head of Data Protection Unit at the European Commission, Directorate- General for Justice ▪ Key elements of the recent GDPR evaluation report of the European Commission ▪ share the latest data and feedback from companies and civil society ▪ overview of future planned initiatives
  • 7.
    GDPR :Polling question#1 How would you assess the level of divergence in the enforcement of GDPR regulation by DPA in EU? ❑ High ❑ Medium ❑ Low
  • 8.
    GDPR :Polling question#2 How do you evaluate your interaction with the DPA in your country? ❑ Very Good ❑ Good ❑ Bad ❑ Very Bad
  • 9.
    GDPR :Expert Talk ➢About FAURECIA ➢ Impact of the GDPR on the activities ➢ How to be both DPO and Risk Manager ? ➢ Ongoing challenges ➢ Covid 19 and GDPR Jérôme Avot Group Risk Office and Data Protection Officer, FAURECIA
  • 10.
  • 11.
    Impact of theGDPR on the activities • While the GDPR was mostly generating fear, uncertainty and doubts before its application in May 2018… the benefits, after more than two years, are widely recognized ! • It forced helped companies to perform a comprehensive inventory of all their data processing activities • … and act on those which were not (fully) compliant (security, data retention, consent…) • It helped to start projects (especially security related) which were not considered as “priority 1”. A new regulation is a good excuse to get budget ☺ • Companies are now taking more care regarding their own sub-contractors (from a legal and practical standpoint) including requirement for certification, audits, … • Most companies are now ready in case of Data Breach, they know how to deal with new “data processing” (privacy by design) and are used to respond to Data Subject Request. • Wider training program to employees regarding data protection contributing to the reinforcement of the overall cyber-security of the company GDPR is a journey, not a destination, but companies have mostly embraced the spirit of GDPR and are moving in the right direction to drastically improve personal data protection.
  • 12.
    How to beboth DPO and Risk Manager ? Being a DPO and Risk Manager is totally compatible… but not all Risk Manager can be DPO and not all DPO could be Risk Manager • The word “Risk” is being mentioned more than 78 times in the official GDPR regulation • Risk Management is one of the pillars of the GDPR Regulation • So who else better than a “Risk Manager” to manage “Personal Data Protection” risk ? • This is not that obvious: • The DPO is usually considered as a “five-legged sheep” : • Need for (even basic) legal knowledge • Need for Information System Security knowledge • Need to be pedagogue, good ability to communicate and train people • Need to have a good internal network and be recognized • Need to be able to assess risks • Not all “Risk Managers” will therefore do the job ☺ • However being both Risk Manager and DPO has many benefits including: • Benefits from “risk oriented” mindset and ensure perfect alignment with Risk Management methodology • Good mix between daily actions as a “DPO” and more medium/long term action as “Risk Manager” • Being able to assess this specific risk at the right level in the overall risk matrix
  • 13.
    Ongoing challenges ? •Three main ongoing challenges to deal with in the current context: • Ensure continuous GDPR compliance • How to make sure that all new and existing data processing activities are recorded and compliant ? • How to ensure that all changes are being done in compliance with GDPR mindset ? • Spot the weakest link • Security of data is a matter of weakest link and the difficulty is to find out what could be this weakest link leading to a data breach. • How well protected are your test environments ? Does your replicated data are being anonymized ? • Where are your backup stored and how secure they are ? • How well protected is your sub-contractor laptop holding a backup of all your data ? • Deal with the invalidation of the Privacy Shield (since July 2020) • Should we put in place Standard Contractual Clauses (SCCs) or even Binding Corporate Rules (BCRs) ? • Should we start compartmentalizing data in different regions ? (e-mails for instance) • Should we suspend temporarily such transfers until clear guidance is released ?
  • 14.
    Covid-19 and GPDR Duringthis difficult and complex period, all Europeans DPA are making efforts to provide guidance and assistance to companies on this complex topic… but companies still need to apply GDPR principles and be agile in a fast-paced changing environment ! • Employers have obligations to ensure the health and safety of employees while at work but they also need to ensure compliance with GDPR: A real challenge in this Covid-19 context ! • Health information is classed as “special category of personal data” under GDPR meaning a Data Protection Impact Assessment should be done in order to understand the risks associated with such kind of data processing and… ensure those risks are properly mitigated ! • Typical steps include: • Identify clear needs (“purpose limitation” and “data minimization” principles) for each cases (temperature screening, CCTV, close contacts…) and collect ONLY NECESSARY data • Identity a “Lawful basis of processing” (and forget about consent) • Prepare a “Privacy Policy” (“right to be informed” principle) • Ensure Security and Confidentiality of data (“security” principle) • And… document the measures taken (“accountability” principle)
  • 15.
    GDPR :Expert Talk ➢About BASF ➢ Impact of the GDPR on the activities ➢ The role of internal auditors: what has changed? ➢ Ongoing challenges ➢ Covid 19 and GDPR Ralf Herold Senior Vice President, Corporate Audit BASF
  • 16.
    Facts important toknow: Objectives of the EU-GDPR – protection of natural person, and more..! Striving for a balance of all 3 objectives in a common EU-market with same market rules & conditions for all market subjects  protection of personal data is not an absolute right GDPR Recital 1 “protection of natural persons in relation to the processing of personal data Art 1 GDPR & Recital 9 “free flow of personal data throughout the Union” Recital 2 Recital 4 “Economic union, strengthening EU market development” “freedom to conduct business”
  • 17.
    17 NationNation Enterprise Enterprise Employee Customer/Vendor 2 3 4 56 1 Nation/Government Enterprise/Company 1. Nation/Nation: Contracts & No-Spy 2. Government/Enterprise: Regulatory Business Framework 3. Government/Citizen: Civil Rights/Right to be left alone/Data ownership and disposition rights  National Security & Law Enforcement – “Social Contract: Citizens  Government” 4. Enterprise/Enterprise: Contracts – IP rights – Anti-Trust Regulations 5. Enterprise/Employee: Contracts - Consensus 6. Enterprise/Customer/Vendor: Contracts - Consensus Data Subjects Protection of the Rights of a Natural Person – What Enterprises can do and have to focus on ➢ Enterprises adhere to rules ➢ Can‘t solve political disputes or Nations or Government affairs
  • 18.
    BASF SE =Main Establishment BASF Group EU-Companies = Group Of Undertakings Lead Supervisory Authority The State Commissioner for Data Protection and the Freedom of Information Rhineland-Palatinate LfDI RLP Data Protection Commissioner by Country Consistency Mechanism BASF applies the One-Stop-Shop Concept (Art. 56 & Art. 60 GDPR) Data Protection @ BASF ➢ by design Europa ➢ de facto Global
  • 19.
  • 20.
  • 21.
  • 22.
    About FERMA FERMA bringstogether 22 risk management associations in 21 European countries. They represent nearly 5,000 professional risk managers active in a wide range of business sectors. The Federation of European Risk Management Associations (FERMA) speaks for the risk management profession in Europe. FERMA acts on its behalf at European level and promotes the risk management profession. FERMA provides a risk management perspective on European issues and strengthens the profession through a European risk management certification (rimap). www.ferma.eu
  • 23.
    About ECIIA ECIIA givesvoice to 48.000 Internal Auditors in 34 countries from wider Europe. The European Confederation of Institutes of Internal Auditing (ECIIA) is the voice of internal audit in Europe. Our role is to enhance corporate governance through the promotion of the professional practice of internal auditing. The ECIIA mission is to further the development of good corporate governance and internal audit at the European level, through • Knowledge sharing • Developing key relationships • Impacting the regulatory environment, by dealing with the European Union, its Parliament and the European Authorities.