PwC Romania va prezenta principalele provocări cu care marea majoritate a companiilor din România se confruntă, lipsuri și nevoi identificate în urma unor procese complexe de audit. De la concepte teoretice de bună practică, până la procese și funcționalități. De la conștientizarea angajatilor în privința răspunderii lor și până la punerea în aplicare a unor reguli de bază în securitatea informațiilor.

1. GDPR
Experiences…
November 2017
www.pwc.com

2. Mulțumiri sponsorilor și partenerilor
SPONSORI
ORGANIZATOR
PARTENER MEDIA
PARTENER DE IMAGINE
23 NOIEMBRIE 2017 | B UCUREȘTI

3. PwC
Data
Privacy
Companies’
Focus
Data privacy (theory and practice)
3

4. Poor data governance
- No or poor definition
- No or poor standards
- Data flows are rare

5. PwC 5
Data
classification
Main
Types
of
Information
Confidential
Restricted Internal use
Public

6. PwC 6
Internal processes and legal basis
Internal processes
Internal policies and
procedures regarding
personal data are
usually not formally
defined.
Purposes and legal basis
For the personal data
processing that is not based
on prescribed law and
legislation, there is no other
clearly stated legal grounds.

7. PwC 7
Poor data management,
missing Data Retention
Policy, lack of awareness
Data
minimisation
principle is not
being followed
The process &
functionality for
erasure of
personal data is
missing
A lot of
unnecessary
shared excels
are stored on
network
shared drives
Personal data
record is stored
in too many
locations and
formats
Lack of proper
data classification
and data leak
prevention
solution in place

8. PwC 8
Poor data management
Contracts
The contracts regarding processing of
personal data are not sufficiently
detailed and clear.
Restriction
The process and functionality for the
restriction of processing of personal data
is missing.
GDPR requirements
GDPR requirements for obtaining
consent prior to collection or processing
is not observed.

9. PwC 9
Poor data management
The process for notifications of personal
data breach is not defined
Organizations do not keep records of
personal data processing - they should log
main transactions
Last but not least - Insufficient employee
awareness

10. PwC 10
Data is stored, shared and
transferred in an insecure way
(FTP, clear text files (.CSV, .TXT,
.XLSX), and insecure
applications.
A periodic “data discovery”
process is not implemented.
Organizations are not aware of
the volume of personal data
spread and bad habits of using
and sharing.
Volume and storage – No Data
Retention Policy

11. PwC 11
Security and vendor support issues
There is no regular process of testing the security
posture of the organization
When client have some pre-existing tools (e.g. SIEM,
Firewall…) which could help, the monitoring and/or
calibration process is very often not optimal.
Databases and operating systems not
supported by vendors anymore

12. PwC
Project implementation issues
12
Lack of human recources
is evident. Clients strive to
implement some levels of
GDPR compliance,
however GDPR project has
just started with gap
assessment - and it will
not end as long as the
regulation exists.
Human
Resources
There is no clear overview
of the complexity of the
project, nor for real
budgeting for
implementation.
Complexity of
the Project

13. PwC 13
Legal teams and Technical teams need
to support each other
Successful GDPR is a team effort
Expertise - Legal teams alone (both
internal or external) do not realize the
complexity of IT systems and IT processes
involved, therefore they need technical
support. Valid for technical teams
regarding the legal aspects. They need
close legal advisors.
Legal basis - For personal data already
being processed, processing is often not
based on prescribed law and legislation
and very often there is no other clearly
stated legal grounds (e.g. contract
obligation, legitimate interest or written
consent) for personal data processing

14. PwC 14
Third party involvement
Clients do not keep track
of their external
connections (software,
hardware vendors ).
Third party IT vendors
have direct (unlimited,
unmonitored), access to
production and testing
environment.
In PRD environment
personal data are stored
in clear and unmasked
manner
And if they keep they
do not monitor these
activities

15. PwC
Please remember several solutions 1/2
15
Avaelgo GDPR Strategy for Compliance and Transformation - All rights reserved

16. PwC
Please remember several solutions 2/2
16
Accelerate GDPR compliance with the Microsoft Cloud - Version 1.0 © 2017 Microsoft. All rights reserved

17. PwC 17
Thank you for your attention

18. This publication has been prepared for general guidance on matters of interest only, and does
not constitute professional advice. You should not act upon the information contained in this
publication without obtaining specific professional advice. No representation or warranty
(express or implied) is given as to the accuracy or completeness of the information contained
in this publication, and, to the extent permitted by law, [insert legal name of the PwC firm], its
members, employees and agents do not accept or assume any liability, responsibility or duty of
care for any consequences of you or anyone else acting, or refraining to act, in reliance on the
information contained in this publication or for any decision based on it.
© 2017 PwC. All rights reserved. In this document, “PwC” refers to
PricewaterhouseCoopersAudit SRL, which is a member firm of PricewaterhouseCoopers
International Limited, each member firm of which is a separate legal entity.
Q & A