gdpr implementation basics_igor mate_2016 cee gc summit_istanbul
TRANSCRIPT
SETTING UP GDPR-PROOF PRIVACY COMPLIANCE
Dr. Igor Máté
DATA PROTECTION IS ON AGENDA NOW. WHY?
Oh, my God! You are insecure, because your data is unsecured?
DATA PROTECTION IS ON AGENDA NOW. WHY?
BUSINESS / PUBLIC / LAW
PIE: value of data of European citizens increases by 1 trillion EUR by year
corporate reputation
employer branding
overall governance
Privacy Shield / BCR
NEW! EU GENERAL DATA PROTECTION REGULATION
Austrian student attacked Facebook > ECJ nullified EU-US privacy regime
Yahoo data breach
THE SCALE: ASTRONOMIC (Sun vs. Earth)
TODAY: 200k EUR *
TOMORROW: 200m EUR **
* RECENT MAXIMUM FINE (average EU)
** NEW MAXIMUM: 4% OF GLOBAL TURNOVER (taking a global company as example)
THE NAME OF THE GAME: GDPR, EU REGULATION
regulation
single, unified regime
effective outside of Europe
May 25, 2018
multiple enforcement
significantly higher consequences of non-compliance
extended & enlarged obligations
EU General Data Protection Regulation
KEY NEW FEATURES OF GDPR
ACCOUNTABILITY
DATA PROTECTION BY DESIGN & BY DEFAULT
PIA (Privacy Impact Assessment)
INDIVIDUALS' RIGHTS: right to be informed; recipients of personal data
DPO (Data Protection Officer)
BREACH NOTIFICATION
DPO processes & policies; documentation fostering to live the rights
CORPORATE RESPONSES & ACTIONS
GROUP DATA PROTECTION FRAMEWORK: SINGLE, UNIFIED, CENTRALIZED
SCALE CHANGE: BOARDROOM ISSUE
SPECIAL PROFESSIONAL, TIMELY SOLUTION
IMPLEMENTATION CHALLENGES: NEW DIMENSION (PRIVACY FUNCTION); MULTIPLE DEPARTMENTS CONCERNED
KEY ELEMENTS OF FRAMEWORK: 4W
WHY? business purpose: processes/actions
WHAT? type of data
WHERE? systems, files
WHO? delicate distinction re access
KEY STAKEHOLDERS
DATA USERS (PROCESS / INFORMATION OWNERS) / DATA PROCESSORS
HR
Sales / Marketing / CRM
Communications / CSR
Purchase
IT
IT Security
Security
ACTIONS IN COOPERATION WITH STAKEHOLDERS
Timeline chart: 2016 to 2018, by quarter (Q1 through Q4), ending March 31
Data protection fitness survey
Developing manuals, training materials
Training of stakeholders (process owners)
Briefing (local) management
Nominating Local Data Protection Coordinators
Workshops with stakeholders
(Basic self-compliance check with national legislation)
DATA MAPPING AND INVENTORY
GDPR-PROOF GROUP PRIVACY FRAMEWORK
DATA MAPPING: purpose
deletion
rights of data subjects (consent, SAR)
data categories
processes
access rights and recipients
transfer (outsourcing)
quality (accuracy) assurance
storage and safeguarding (security)
backup actions (breach/incident)
BRIEFINGS, WORKSHOPS, TRAININGS
AWARENESS / APPROACH / ATTRIBUTE OF PERSONAL DATA PROTECTION AS CORPORATE FUNCTION
Constitutional Right: "CONSUMER TRUST IS ESSENTIAL TO ACHIEVING GROWTH."
Code of Conduct: "WHATEVER DIRECTION YOU'RE TAKING WITH PEOPLE'S INFORMATION, YOU'RE TAKING THOSE PEOPLE WITH YOU."
Accessory: "YOU NEED TO BUILD THE CONSIDERATIONS FOR PRIVACY INTO YOUR PROJECTS RIGHT FROM THE BEGINNING TO MAKE IT WORK."
DATA PROTECTION WILL BE ON AGENDA. WHY?
INTERNALLY / EXTERNALLY / OTHERS
PRIVACY BY DESIGN / PRIVACY RISK ASSESSMENT
OUTSOURCING (TRANSFER)
EDUCATION AND TRAINING
REVIEW / CONTROL
INCIDENT MANAGEMENT
SARs
DOCUMENTING AND REPORTING COMPLIANCE
DPA AUDITS
BREXIT
PRIVACY SHIELD
DUE DILIGENCE
TAKEAWAYS
PERSONAL DATA PROTECTION VERY MUCH IN FOCUS
TOUGHER REGULATIONS AT THE DOORSTEP
RISKS EVOLVE
NON-COMPLIANCE MAY BRING SEVERE IMPLICATIONS
NEW STAKE OF INTERNAL ACTIVITY NEEDED
DEDICATED CORPORATE FUNCTION TO SET UP
375, 374, 373, 372, 371, 370, 369... BUSINESS DAYS
QUESTIONS
THANK YOU!
Dr. Igor Máté
https://no.linkedin.com/in/igormate