HOW TO GET STARTED WITH BEING GDPR COMPLIANT
BY SIDDHARTH RAM DINESH
Where do I begin finding out about GDPR?
What is GDPR?
How would a company go about being GDPR compliant?
Why is GDPR important?
Who does GDPR affect?
GDPR … What is it?
“The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).”
WHAT'S CHANGED?
One Set of Rules Across the EU
Personal Data Redefined
New Individual Rights
Mandatory Breach Notification
Financial Repercussions
Joint Responsibility
Information Governance
Truly Global Impact
GDPR - PROCESS FLOW
A generic process flow an organization could follow to achieve GDPR compliance before May 25, 2018.
GDPR PROCESS FLOW TIMELINE
[Timeline chart spanning Q2 2017 to Q2 2018 (April 2017 through June 2018), with the regulation date of 25th May 2018 marked. Phases shown on the chart:]
- Awareness and Communication
- Initiation
- Define policies and procedures
- Current state assessment and plan
- Gap and Risk Assessment
- Implement technology and business changes
- Training
- Update Contracts
- Update privacy notices and consent
GAP ANALYSIS
[Gap analysis matrix: company horizontals against the factors to check]
Company Horizontals: MARKETING, PROCUREMENT, HR, SUPPORT, LEGAL, IT
Factors to check:
- RAISE AWARENESS
- INFORMATION HELD
- CONSENT
- INDIVIDUAL RIGHTS
- COMMUNICATING PRIVACY
- CHILDREN'S DATA
- DATA PROTECTION OFFICERS
- DATA BREACHES
- INTERNATIONAL LOCATIONS
ENTERPRISE RISK MANAGEMENT
“The GDPR does not define the notion of “risk”, but the recitals and the substantive provisions include indications of the types of risks and harms to individuals to be considered.”
Some of the possible risks are:
- Discrimination
- Identity theft / fraud, financial loss
- Reputation damage
- Loss of confidentiality of personal data protected by professional secrecy
- Processing large amounts of data affecting large numbers of individuals
INTERNAL COMMUNICATION
EDUCATE EMPLOYEES ON GDPR
● Make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR.
● They are likely to identify areas that could cause compliance problems under the GDPR.
OPERATIONAL POLICIES
UPDATE OPERATIONAL POLICIES
Appoint a contact point for the data protection authority (DPA) and data subjects, and a data protection officer (DPO) to ensure processing operations are compliant.
Update company operational policies to be GDPR compliant.
Create and roll out policies in a way that is as little disruptive as possible.
CHANGE MANAGEMENT
CHANGE MANAGEMENT AND COMMUNICATION
Create a change management plan to incorporate and roll out all the required policy changes throughout the company.
Roll out the policy changes to customers, updating them on the changes in regulations and in the privacy policy.
Update contracts with subcontractors and make sure they follow GDPR guidelines.
COMPLIANCE TESTING
Fulfill compliance before May 2018
Be compliant as soon as possible to avoid last-minute changes.
This keeps the organization’s functioning smooth and panic free.
Buffer time would allow the company to perfect its systems and avoid errors after May 2018.
Questions companies should ask
Hypothesis: The questions are asked by a large hospital chain that is validating its GDPR compliance status.
Questions 1 and 2 based on Consent
1. Is the data subject aware of the personal data we possess?
  a. Is the data we currently hold held with the consent of the data subject?
  b. Are we using the personal data for any purpose other than what we got consent for?
  c. Do we have a system/policy in place to handle consent (communicate, withdraw, update etc.)?
2. Do we have a system to process children’s data?
  a. Is the data of children below the age of 16 being held with consent from their parents?
  b. Is the data used only for the purpose stated in the consent document?
Questions 3 and 4 based on Data handling
3. Do we have a process to monitor where the data is being transferred?
  a. Is the data transferred to any 3rd party companies like insurance or banks? If so, is only the relevant data transferred to them?
  b. Is the 3rd party company that we are dealing with GDPR compliant?
  c. Do we have a system in place to check and validate the compliance of the 3rd party companies?
  d. Is the data sent to any 3rd party applications being monitored and validated?
4. If the data that we have is being processed for any reason other than stated in the consent document, do we have a system to communicate that to the data subject?
  a. Validate whether the information is held for any of the reasons mentioned in the GDPR document which exempt the need for consent.
Questions 5 and 6 based on Security and Data protection officer (DPO)
5. Are ample security precautions taken on storing the personal information?
  a. Is the data that is stored encrypted and secure?
  b. Is access to the data available only to authorised personnel?
  c. In case of a breach, are there systems in place to ensure that the breach does not cause any harm to the data subject? If these precautions are not there, is there a system in place to notify the supervisory board and the data subject within 72 hours?
  d. Is there a checklist to ensure that all the required information is transmitted during such an event?
6. Do we have a DPO who is in charge of looking into all the data?
  a. Has the selected DPO contact been communicated to the supervisory board?
  b. Do the data subjects have access to the DPO if needed?
But it's just a list of well behaved kids!!!
Sorry Santa.. It's still personal information
REFERENCES
● http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
● http://www.eugdpr.org/eugdpr.org.html
● https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
● https://www.cloudlock.com/blog/eu-gdpr-vs-data-protection-directive/
● http://viclarity.com/general-data-protection-regulation-gdpr/


Editor's Notes

  • #5 The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). GDPR replaces the DPD (Data Protection Directive) and addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The regulation was adopted on 27 April 2016 and applies from 25 May 2018, after a two-year transition period.