This is the first in the series of slides on the GDPR implementation. For all the consultants out there who are implementing GDPR solutions, this is the High Level Definition of the change needed to comply with GDPR.

1. KEY CHANGES INTRODUCED BY GENERAL DATA PROTECTION REGULATION
Policies
• Update Terms and Condi0ons on all agreements with Suppliers (Data Processors and
Customers (agreements, digital assets, apps etc.)
• Update Consent Clauses
• Update Data Privacy No0ces
• Update 3 Lines of Defense model and Data Privacy Frameworks for new roles
• Amend Data Privacy Policy for changes introduced by GDPR
• New Product / Process / Systems to incorporate GDPR requirements by design
Teams
• Introduce new role for a Data Protec0on Officer working independently of business
Processes
• Upgrade Consent Collec0on
• Introduce Data Request Management
• Add Review of Data Processor
• Build Privacy Impact Assessment (Risk Appe0te and Assessment)
• Create Breach No0fica0on Process within 72
Systems
• Website cookie updates based on the new privacy policy
• Automa0c Breach No0fica0on + Automa0c Right to be ForgoVen management system
which can be linked to Privacy Impact Assessment (this will have to be matured in an
agile fashion by building a Proof of Concept for sample data assets and subjects, extend
to Minimum Viable Product with key features and extend to strategic versions aZer the
success of MVP)
GDPR extends the scope to foreign companies processing data of EU residents and harmonizes the data protec0on regula0on throughout EU. It replaces
EU Data Protec0on Direc0ve (95/46/EC), which required member states to achieve data protec0on without enforcing means. The 2 broad changes are
accountability (to be able to demonstrate compliance) and data protec0on by design. Non-compliance can lead upto fines of 4% of annual global
turnover.
Increased territorial scope
GDPR regime extends scope to all companies processing the
personal data of EU residents, regardless of the company’s
loca0on.
Explicit and retractable consent
All personal data must only processed if there is a lawful basis for
it and a specific, intelligible and easily accessible consent must be
provided by data subject in accessible form. It must be as easy to
withdraw consent as it is to give.
Right to access and portability
Data subjects can request confirma0on as to whether or not
personal data concerning them is being processed, where and for
what purpose. Further, the controller shall provide a copy of the
personal data, free of charge, in an electric format.
Mandatory Data ProtecGon Officer
Appointed in certain cases (public authori0es, when monitoring of
data subjects on a large scale and when processing special
categories of data). To facilitate the need for a company to
demonstrate their compliance to the GDPR and compensate for
GDPR no longer requiring the bureaucra0c submission of
no0fica0ons/registra0ons of data processing ac0vi0es or transfers
based on Model Contract Clauses.
Right to be forgoJen
En0tles the data subject to have the data controller erase his/her
personal data, cease further dissemina0on of the data, and
poten0ally have third par0es halt processing of the data
SUGGESTED CHANGES TO OPERATING MODEL