FERMA’s live joint webinar with ECIIA on Monday 28 September gathered more than 300 participants
The objective of this joint webinar was to take stock of where we stand after 2 years of GDPR implementation and the practical consequences on businesses. For this, FERMA and ECIIA (European Confederation of Institutes of Internal Auditing) invited the following speakers:
- Olivier Micol, Head of Data Protection Unit at the European Commission, Directorate-General for Justice. He highlighted key elements of the recent GDPR evaluation report of the European Commission, shared the latest data and feedback from companies and civil society. He also gave an overview of future planned initiatives.
- Jérôme Avot, Group Risk Officer and Data Protection Officer at Faurecia, a global leader in automotive technology. “The GDPR served as a common thread from the start to the end of the project. We feel we have turned what might have been perceived as a constraint into an opportunity.”
- Ralf Herold, Senior Vice President, Corporate Audit BASF, a leading chemical company. He is an expert in GDPR as Germany was a pioneer in this piece of legislation.
Jérôme Avot and Ralf Herold shared their experience, as a Risk Manager and DPO and as an Internal Auditor respectively, by discussing the changes that the GDPR brought about within their companies.
https://www.ferma.eu/webinar-replay-gdpr-corporate-governance-evaluation-after-2-years-implementation/
1. GDPR & Corporate Governance, Evaluation after 2 years of implementation
2. In partnership with
European Risk Manager Report 2020 Edition
[Chart: Top critical threats to the organisation’s growth prospects within the next 12 months]
Top Risk 2020: Cyber threat; Uncertain economic growth; Availability of key skills; Data fraud or theft; Over-regulation
Top Risk 2018: Cyber threat; Uncertain economic growth; Geopolitical uncertainty; Over-regulation; Changing consumer behaviour
[Poll chart] How do you deal with risks arising from emerging technologies?
• Identification and assessment of risks prior to adoption of new technologies by the business
• Identification and assessment of emerging technologies used by the business
• Analysis and remediation of any insurance coverage gaps
5. GDPR: Expert’s introduction
Ralf Herold, Senior Vice President, Corporate Audit BASF
Jérôme Avot, Group Risk Officer and Data Protection Officer at Faurecia
Olivier Micol, Head of Data Protection Unit at the European Commission, Directorate-General for Justice
6. GDPR: Expert Talk
Olivier Micol, Head of Data Protection Unit at the European Commission, Directorate-General for Justice
▪ Key elements of the recent GDPR evaluation report of the European Commission
▪ Share the latest data and feedback from companies and civil society
▪ Overview of future planned initiatives
7. GDPR: Polling question #1
How would you assess the level of divergence in the enforcement of the GDPR by DPAs in the EU?
❑ High
❑ Medium
❑ Low
8. GDPR: Polling question #2
How do you evaluate your interaction with the DPA in your country?
❑ Very Good
❑ Good
❑ Bad
❑ Very Bad
9. GDPR: Expert Talk
Jérôme Avot, Group Risk Officer and Data Protection Officer, FAURECIA
➢ About FAURECIA
➢ Impact of the GDPR on the activities
➢ How to be both DPO and Risk Manager?
➢ Ongoing challenges
➢ Covid-19 and GDPR
11. Impact of the GDPR on the activities
• While the GDPR mostly generated fear, uncertainty and doubt before its application in May 2018, its benefits, after more than two years, are now widely recognised!
• It forced companies to perform a comprehensive inventory of all their data processing activities…
• … and to act on those which were not (fully) compliant (security, data retention, consent…)
• It helped to start projects (especially security-related ones) which were not considered “priority 1”. A new regulation is a good excuse to get budget ☺
• Companies now take more care regarding their own sub-contractors (from a legal and practical standpoint), including requirements for certification, audits, …
• Most companies are now ready in case of a data breach, they know how to deal with new “data processing” (privacy by design) and are used to responding to Data Subject Requests.
• Wider training programmes for employees regarding data protection contribute to the reinforcement of the overall cyber-security of the company
GDPR is a journey, not a destination, but companies have mostly embraced the spirit of the GDPR and are moving in the right direction to drastically improve personal data protection.
12. How to be both DPO and Risk Manager?
Being a DPO and Risk Manager is totally compatible… but not all Risk Managers can be DPOs, and not all DPOs could be Risk Managers.
• The word “Risk” is mentioned more than 78 times in the official GDPR regulation
• Risk Management is one of the pillars of the GDPR
• So who better than a “Risk Manager” to manage “Personal Data Protection” risk?
• This is not that obvious:
  • The DPO is usually considered a “five-legged sheep”, needing:
    • (even basic) legal knowledge
    • Information System Security knowledge
    • to be a good teacher, with the ability to communicate and train people
    • a good internal network, and to be recognised
    • the ability to assess risks
  • Not all “Risk Managers” will therefore do the job ☺
• However, being both Risk Manager and DPO has many benefits, including:
  • Benefiting from a “risk-oriented” mindset and ensuring perfect alignment with the Risk Management methodology
  • A good mix between daily actions as a “DPO” and more medium/long-term action as “Risk Manager”
  • Being able to assess this specific risk at the right level in the overall risk matrix
13. Ongoing challenges?
• Three main ongoing challenges to deal with in the current context:
  • Ensure continuous GDPR compliance
    • How to make sure that all new and existing data processing activities are recorded and compliant?
    • How to ensure that all changes are made with a GDPR-compliant mindset?
  • Spot the weakest link
    • Security of data is a matter of the weakest link, and the difficulty is to find out which weakest link could lead to a data breach.
    • How well protected are your test environments? Is your replicated data anonymised?
    • Where are your backups stored, and how secure are they?
    • How well protected is the sub-contractor’s laptop holding a backup of all your data?
  • Deal with the invalidation of the Privacy Shield (since July 2020)
    • Should we put in place Standard Contractual Clauses (SCCs) or even Binding Corporate Rules (BCRs)?
    • Should we start compartmentalising data in different regions? (e-mails, for instance)
    • Should we temporarily suspend such transfers until clear guidance is released?
14. Covid-19 and GDPR
During this difficult and complex period, all European DPAs are making efforts to provide guidance and assistance to companies on this complex topic… but companies still need to apply GDPR principles and be agile in a fast-changing environment!
• Employers have obligations to ensure the health and safety of employees while at work, but they also need to ensure compliance with the GDPR: a real challenge in this Covid-19 context!
  • Health information is classed as a “special category of personal data” under the GDPR, meaning a Data Protection Impact Assessment should be done in order to understand the risks associated with such data processing and… ensure those risks are properly mitigated!
  • Typical steps include:
    • Identify clear needs (“purpose limitation” and “data minimisation” principles) for each case (temperature screening, CCTV, close contacts…) and collect ONLY NECESSARY data
    • Identify a “lawful basis of processing” (and forget about consent)
    • Prepare a “Privacy Policy” (“right to be informed” principle)
    • Ensure security and confidentiality of data (“security” principle)
    • And… document the measures taken (“accountability” principle)
15. GDPR: Expert Talk
Ralf Herold, Senior Vice President, Corporate Audit BASF
➢ About BASF
➢ Impact of the GDPR on the activities
➢ The role of internal auditors: what has changed?
➢ Ongoing challenges
➢ Covid-19 and GDPR
16. Facts important to know: Objectives of the EU GDPR – protection of natural persons, and more!
Striving for a balance of all 3 objectives in a common EU market with the same market rules and conditions for all market subjects; protection of personal data is not an absolute right.
[Diagram: the three objectives of the GDPR]
• Recital 1: “protection of natural persons in relation to the processing of personal data”
• Art. 1 GDPR & Recital 9: “free flow of personal data throughout the Union”
• Recital 2: “Economic union, strengthening EU market development”
• Recital 4: “freedom to conduct business”
17. [Diagram: relationships between Nation/Government, Enterprise/Company, Employee and Customer/Vendor]
1. Nation/Nation: Contracts & No-Spy
2. Government/Enterprise: Regulatory Business Framework
3. Government/Citizen: Civil Rights / Right to be left alone / Data ownership and disposition rights; National Security & Law Enforcement – “Social Contract: Citizens – Government”
4. Enterprise/Enterprise: Contracts – IP rights – Anti-Trust Regulations
5. Enterprise/Employee: Contracts – Consensus
6. Enterprise/Customer/Vendor: Contracts – Consensus
Data Subjects
Protection of the Rights of a Natural Person – What Enterprises can do and have to focus on
➢ Enterprises adhere to rules
➢ Can‘t solve political disputes or Nations’ or Governments’ affairs
18. [Diagram: BASF applies the One-Stop-Shop Concept (Art. 56 & Art. 60 GDPR)]
• BASF SE = Main Establishment
• BASF Group EU Companies = Group of Undertakings
• Lead Supervisory Authority: The State Commissioner for Data Protection and the Freedom of Information Rhineland-Palatinate (LfDI RLP)
• Data Protection Commissioner by Country
• Consistency Mechanism
Data Protection @ BASF
➢ by design Europe
➢ de facto Global
22. About FERMA
FERMA brings together 22 risk management associations in 21 European countries.
They represent nearly 5,000 professional risk managers active in a wide
range of business sectors.
The Federation of European Risk Management Associations (FERMA)
speaks for the risk management profession in Europe.
FERMA acts on its behalf at European level and promotes the risk
management profession.
FERMA provides a risk management perspective on European issues and
strengthens the profession through a European risk management
certification (rimap).
www.ferma.eu
23. About ECIIA
ECIIA gives voice to 48,000 Internal Auditors in 34 countries from wider Europe.
The European Confederation of Institutes of Internal Auditing (ECIIA) is the
voice of internal audit in Europe.
Our role is to enhance corporate governance through the promotion of
the professional practice of internal auditing.
The ECIIA mission is to further the development of good corporate
governance and internal audit at the European level, through
• Knowledge sharing
• Developing key relationships
• Impacting the regulatory environment, by dealing with the European
Union, its Parliament and the European Authorities.