When becoming GDPR compliant, what factors do you need to consider and what methods are you adhering to? This slide deck explores the challenges, best practices and a step-by-step approach to becoming GDPR compliant.

1. THE RIGHT STEPS TO BECOMING GDPR
COMPLIANT
Darshana Gunawardana
Technical Lead, WSO2

2. 2
Mountain View,
New York, London,
Sao Paolo, Colombo
Founded in 2005
Venture backed by
Cisco and Toba Capital
450 Employees;
300 Engineers
350+ Customers,
120 New Customers
in 2016
Profitable
since 2017
About Us
2

3. Introduction to GDPR
3
Introduction to
GDPR

4. 4
What is GDPR?
● GDPR is a new legal framework formalized in the European Union
(EU) in 2016, which effectively replaces the previously used Data
Protection Directive (DPD)
● GDPR will come into effect on May 25, 2018
● GDPR is applicable for any data processing organization that
processes personal data or monitors behavior of individuals
residing in the EU

5. 5
Objectives of GDPR
● Recognizes protection of personal data and control over processing
of personal data as a fundamental right of an individual
● Free movement of personal data within the EU
● Provides business organizations certainty on personal data
processing activities
● Broadens the scope of personal data as Personally Identifiable
Information (PII)

6. Impact of GDPR
● Any business that delivers goods or provides services to
individuals living in the EU is affected, regardless of whether the
business is established in the EU
● Personal data processing organizations that cannot demonstrate
GDPR compliance will be subjected to financial penalties up to
4% of their annual turnover, or €20 million
6

7. 7
Successful
GDPR
Compliance
Strategy

8. Introduction to GDPR
8
Steps for GDPR Compliance

9. 5
6
7
Steps for GDPR Compliance
9
01
1
2
3
4
Build awareness around GDPR
Understand whether your business is affected
Review the impact on your current data
Review your systems and processes
Implement necessary safeguards
Appoint EU representatives and/or a DPO
Revise your documents and policies

10. 10
● First brick towards GDPR compliance
● In-house expertise on every aspect on the regulation
● Should involve every department of the organization
● Could get help from
○ Consultancy firms for quick start
○ Third party services and product vendors involved with the
organization
Build Awareness Around GDPR1

11. 11
● Dealing with EU citizens or residents?
● Process any of their PII?
Understand Whether Your Business is
Affected
2

12. 12
● Does your business directly interact or process such information
● Does your business lead to consuming such information by third
party products or services
● Involve every department of the organization
Understand Whether Your Business is
Affected
2

13. 13
All personal information should have been collected
● With proper consent
● Mentioning the exact processing purposes
Review the Impact on Your Current Data3

14. 14
Identify and map sources with the personal information.
● Personal information may be
○ Directly collected from the customer with their consent
○ Received as a result of a business partnership or acquisition
○ Bought from a marketing list selling company
Review the Impact on Your Current Data3

15. 15
Determine the data has legitimate grounds
Review the Impact on Your Current Data3
Consent from an individual
Contract with an individual
Comply with a legal obligation
Vital interests
Public tasks
Legitimate interests

16. 16
Apply privacy principles.
● Purpose limitation
○ Erase PII that no longer has valid purposes
○ Plan to get consent or erase data collected without proper
consent
Review the Impact on Your Current Data3

17. 17
Apply privacy principles.
● Data minimization
○ Process only PII needed for the business
● Data accuracy
Review the Impact on Your Current Data3

18. 18
● Most crucial step
● Data protection impact assessments (DPIA) on
○ Business operations related to personal information
○ Data processing or storing infrastructures
○ Network infrastructures
○ Staff members who have access to personal information
Review Your Systems and Processes4

19. 19
● Evaluate whether the personal data processing belongs to a
lawful processing means
● Evaluate privacy principles mandated in the GDPR
● Evaluate current mechanisms used to fulfill customer rights
● Evaluate the need of a data protection impact analysis (DPIA)
Review Your Systems and Processes4

20. 20
● Evaluate current policies and contract with the HR and operations
teams
● Evaluate whether all the software systems are in compliance with
GDPR
● Evaluate whether hardware systems and network systems are in
compliance with GDPR
Review Your Systems and Processes4

21. 21
● Set protocols on how to behave during a data breach
● Adhere to any industry specific certification and code-of-conduct
practices
Review Your Systems and Processes4

22. 22
● Adjusting your business process
● Upgrading software, network, and storage systems
● Introducing internal staff training
● Upgrading auditing and monitoring systems
Implement Necessary Safeguards5

23. 23
● Should take correct strategic decisions to cut down the time and
cost
● Examples:
○ Make use of comprehensive consent management system
○ Leverage an IAM system
○ Introduce a user self care portal
Implement Necessary Safeguards5

24. 24
● Appoint a representative within the EU in order to address GDPR
related matters
○ If the business is not established in but offers service/goods
to EU
Appoint EU Representatives and/or a
DPO
6

25. 25
Appointing of a DPO is required if
● Processing is carried out by a public authority except courts
● The nature of data processing requires regular monitoring from
individuals
Appoint EU Representatives and/or a
DPO
6

26. 26
Appointing of a DPO is required if
● Data processing involves large amounts of data categorized as
special or proceeding data related to criminal convictions
● Some other conditions according to the EU/Member state laws
Appoint EU Representatives and/or a
DPO
6

27. 27
Responsibilities of a DPO:
● Inform and advise staff members on data protection regulations
and procedures
● Monitor the compliance with the regulations
● Give advice on data protection impact assessments
Appoint EU Representatives and/or a
DPO
6

28. 28
Responsibilities of a DPO:
● Cooperate with supervisory authorities and act as the point of
contact for supervisory authorities
● Act as the point of contact for individuals related to any data
protection related matters
Appoint EU Representatives and/or a
DPO
6

29. 29
● Implementation of those safeguard measures internally is not
sufficient
● Revise GDPR compliancy of your public materials:
○ Websites
○ Social channels
○ Terms and conditions
○ Privacy policies
Revise Your Documents and Policies7

30. 5
6
7
Steps for GDPR Compliance - Recap
30
01
1
2
3
4
Build awareness around GDPR
Understand whether your business is affected
Review the impact on your current data
Review your systems and processes
Implement necessary safeguards
Appoint EU representatives and/or a DPO
Revise your documents and policies

31. 31
● GDPR compliance is vital for all affected organizations
● 7 pragmatic steps to become a GDPR compliant organization
● Evaluate your current effort and adapt
Summary

32. More Information
● Understanding General Data Protection Regulation (GDPR)
● GDPR events and content from WSO2
● GDPR support in WSO2 Identity Server
● Article on 7 Steps for GDPR Compliance
32

33. THANK YOU
wso2.com