GDPR & corporate Governance, Evaluation after 2 years implementation

In partnership with
European Risk Manager Report 2020
Edition
Top critical threats to the organisation’s growth prospects within the
next 12 months
CYBER THREAT
UNCERTAIN ECONOMIC
GROWTH
AVAILABILITY OF KEY
SKILLS
DATA FRAUD OR THEFT
OVER-REGULATION
CYBER THREAT
UNCERTAIN ECONOMIC
GROWTH
GEOPOLITICAL
UNCERTAINLY
OVER-REGULATION
CHANGING CONSUMER
BEHAVIOUR
TOP RISK 2020TOP RISK 2018
37% 39%
24%
How do you deal with risks arising from emerging technologies ?
Identification and assessment of risks prior to adoption of new technologies by the
business
Identification and assessment of emerging technologies used by the business
Analysis and remediation of any insurance coverage gaps

Cybersecurity and Data security as top risk again!

GDPR :expert’s introduction
Ralf Herold
Senior Vice President, Corporate
Audit BASF
Jérôme Avot
Group Risk Officer and
Data Protection Officer at
Faurecia
Olivier Micol
Head of Data Protection Unit at the
European Commission, Directorate-
General for Justice

GDPR :Expert Talk
Olivier Micol
Head of Data Protection Unit at the
European Commission, Directorate-
General for Justice
▪ Key elements of the recent
GDPR evaluation report of
the European Commission
▪ share the latest data and
feedback from companies
and civil society
▪ overview of future planned
initiatives

GDPR :Polling question #1
How would you assess the level of divergence in the
enforcement of GDPR regulation by DPA in EU?
❑ High
❑ Medium
❑ Low

GDPR :Polling question #2
How do you evaluate your interaction with the DPA in
your country?
❑ Very Good
❑ Good
❑ Bad
❑ Very Bad

GDPR :Expert Talk
➢ About FAURECIA
➢ Impact of the GDPR on the activities
➢ How to be both DPO and Risk Manager ?
➢ Ongoing challenges
➢ Covid 19 and GDPR
Jérôme Avot
Group Risk Office and Data
Protection Officer, FAURECIA

Impact of the GDPR on the activities
• While the GDPR was mostly generating fear, uncertainty and doubts before its application in May 2018… the
benefits, after more than two years, are widely recognized !
• It forced helped companies to perform a comprehensive inventory of all their data processing activities
• … and act on those which were not (fully) compliant (security, data retention, consent…)
• It helped to start projects (especially security related) which were not considered as “priority 1”. A new
regulation is a good excuse to get budget ☺
• Companies are now taking more care regarding their own sub-contractors (from a legal and practical
standpoint) including requirement for certification, audits, …
• Most companies are now ready in case of Data Breach, they know how to deal with new “data
processing” (privacy by design) and are used to respond to Data Subject Request.
• Wider training program to employees regarding data protection contributing to the reinforcement of the
overall cyber-security of the company
GDPR is a journey, not a destination, but companies have mostly embraced the spirit of GDPR and are
moving in the right direction to drastically improve personal data protection.

How to be both DPO and Risk
Manager ?
Being a DPO and Risk Manager is totally compatible…
but not all Risk Manager can be DPO and not all DPO could be Risk Manager
• The word “Risk” is being mentioned more than 78 times in the official GDPR regulation
• Risk Management is one of the pillars of the GDPR Regulation
• So who else better than a “Risk Manager” to manage “Personal Data Protection” risk ?
• This is not that obvious:
• The DPO is usually considered as a “five-legged sheep” :
• Need for (even basic) legal knowledge
• Need for Information System Security knowledge
• Need to be pedagogue, good ability to communicate and train people
• Need to have a good internal network and be recognized
• Need to be able to assess risks
• Not all “Risk Managers” will therefore do the job ☺
• However being both Risk Manager and DPO has many benefits including:
• Benefits from “risk oriented” mindset and ensure perfect alignment with Risk Management
methodology
• Good mix between daily actions as a “DPO” and more medium/long term action as “Risk Manager”
• Being able to assess this specific risk at the right level in the overall risk matrix

Ongoing challenges ?
• Three main ongoing challenges to deal with in the current context:
• Ensure continuous GDPR compliance
• How to make sure that all new and existing data processing activities are recorded and compliant ?
• How to ensure that all changes are being done in compliance with GDPR mindset ?
• Spot the weakest link
• Security of data is a matter of weakest link and the difficulty is to find out what could be this
weakest link leading to a data breach.
• How well protected are your test environments ? Does your replicated data are being
anonymized ?
• Where are your backup stored and how secure they are ?
• How well protected is your sub-contractor laptop holding a backup of all your data ?
• Deal with the invalidation of the Privacy Shield (since July 2020)
• Should we put in place Standard Contractual Clauses (SCCs) or even Binding Corporate Rules (BCRs)
?
• Should we start compartmentalizing data in different regions ? (e-mails for instance)
• Should we suspend temporarily such transfers until clear guidance is released ?

Covid-19 and GPDR
During this difficult and complex period, all Europeans DPA are making efforts to provide guidance and
assistance to companies on this complex topic… but companies still need to apply GDPR principles and be
agile in a fast-paced changing environment !
• Employers have obligations to ensure the health and safety of employees while at work but they also need
to ensure compliance with GDPR: A real challenge in this Covid-19 context !
• Health information is classed as “special category of personal data” under GDPR meaning a Data
Protection Impact Assessment should be done in order to understand the risks associated with
such kind of data processing and… ensure those risks are properly mitigated !
• Typical steps include:
• Identify clear needs (“purpose limitation” and “data minimization” principles) for each cases
(temperature screening, CCTV, close contacts…) and collect ONLY NECESSARY data
• Identity a “Lawful basis of processing” (and forget about consent)
• Prepare a “Privacy Policy” (“right to be informed” principle)
• Ensure Security and Confidentiality of data (“security” principle)
• And… document the measures taken (“accountability” principle)

GDPR :Expert Talk
➢ About BASF
➢ Impact of the GDPR on the activities
➢ The role of internal auditors: what has changed?
➢ Ongoing challenges
➢ Covid 19 and GDPR
Ralf Herold
Senior Vice President, Corporate
Audit BASF

Facts important to know: Objectives of the EU-GDPR – protection of
natural person, and more..!
Striving for a balance of all 3 objectives in a common EU-market with same market rules &
conditions for all market subjects  protection of personal data is not an absolute right
GDPR
Recital 1
“protection of natural persons in relation to the processing of
personal data
Art 1 GDPR & Recital 9
“free flow of personal data throughout the Union”
Recital 2
Recital 4
“Economic union, strengthening EU market
development”
“freedom to conduct business”

17
NationNation
Enterprise Enterprise
Employee Customer/Vendor
2
3
4
5 6
1
Nation/Government
Enterprise/Company
1. Nation/Nation: Contracts & No-Spy
2. Government/Enterprise: Regulatory Business Framework
3. Government/Citizen: Civil Rights/Right to be left alone/Data ownership and disposition rights
 National Security & Law Enforcement – “Social Contract: Citizens  Government”
4. Enterprise/Enterprise: Contracts – IP rights – Anti-Trust Regulations
5. Enterprise/Employee: Contracts - Consensus
6. Enterprise/Customer/Vendor: Contracts - Consensus
Data Subjects
Protection of the Rights of a Natural Person –
What Enterprises can do and have to focus on
➢ Enterprises adhere
to rules
➢ Can‘t solve political
disputes or Nations
or Government
affairs

BASF SE = Main
Establishment
BASF Group EU-Companies
= Group Of Undertakings
Lead Supervisory Authority
The State Commissioner for
Data Protection and the
Freedom of Information
Rhineland-Palatinate
LfDI RLP
Data Protection Commissioner
by Country
Consistency Mechanism
BASF applies the One-Stop-Shop Concept (Art. 56 & Art. 60 GDPR)
Data Protection @ BASF
➢ by design Europa
➢ de facto Global

About FERMA
FERMA brings together 22 risk management associations in 21 European countries.
They represent nearly 5,000 professional risk managers active in a wide
range of business sectors.
The Federation of European Risk Management Associations (FERMA)
speaks for the risk management profession in Europe.
FERMA acts on its behalf at European level and promotes the risk
management profession.
FERMA provides a risk management perspective on European issues and
strengthens the profession through a European risk management
certification (rimap).
www.ferma.eu

About ECIIA
ECIIA gives voice to 48.000 Internal Auditors in 34 countries from wider Europe.
The European Confederation of Institutes of Internal Auditing (ECIIA) is the
voice of internal audit in Europe.
Our role is to enhance corporate governance through the promotion of
the professional practice of internal auditing.
The ECIIA mission is to further the development of good corporate
governance and internal audit at the European level, through
• Knowledge sharing
• Developing key relationships
• Impacting the regulatory environment, by dealing with the European
Union, its Parliament and the European Authorities.

GDPR & corporate Governance, Evaluation after 2 years implementation

Recommended

Recommended

More Related Content

What's hot

What's hot (11)

Similar to GDPR & corporate Governance, Evaluation after 2 years implementation

Similar to GDPR & corporate Governance, Evaluation after 2 years implementation (20)

More from FERMA

More from FERMA (20)

Recently uploaded

Recently uploaded (20)

GDPR & corporate Governance, Evaluation after 2 years implementation