gdpr implementation basics_igor mate_2016 cee gc summit_istanbul


Upload: igor

Post on 07-Jan-2017


TRANSCRIPT

Page 1: GDPR Implementation Basics_Igor Mate_2016 CEE GC Summit_Istanbul

SETTING UP GDPR-PROOF PRIVACY COMPLIANCE

Dr. Igor Máté

Page 2: GDPR Implementation Basics_Igor Mate_2016 CEE GC Summit_Istanbul

DATA PROTECTION IS ON AGENDA NOW

WHY?

Oh, my God!

You are insecure, because your data is unsecured

Page 3: GDPR Implementation Basics_Igor Mate_2016 CEE GC Summit_Istanbul

DATA PROTECTION IS ON AGENDA NOW

WHY?

BUSINESS

PUBLIC

LAW

PIE: value of data of European citizens increase by 1 trillion EUR by year

corporate reputation

employer branding

overall governance

Privacy Shield

BCR

NEW! EU GENERAL DATA PROTECTION REGULATION

Austrian student attacked Facebook > ECJ nullified EU-US privacy regime

Yahoo data breach

TODAY

TOMORROW

Page 4: GDPR Implementation Basics_Igor Mate_2016 CEE GC Summit_Istanbul

THE SCALE ASTRONOMIC

Sun / Earth

TODAY 200k EUR *

TOMORROW 200m EUR **

* RECENT MAXIMUM FINE (average EU)

** NEW MAXIMUM: 4% OF GLOBAL TURNOVER (taking a global company as example)

Page 5: GDPR Implementation Basics_Igor Mate_2016 CEE GC Summit_Istanbul

THE NAME OF THE GAME

GDPR

EU REGULATION

regulation

single, unified regime

effective outside of Europe

May 25, 2018

multiple enforcement

significantly higher consequences of non-compliance

extended & enlarged obligations

EU General Data Protection Regulation

Page 6: GDPR Implementation Basics_Igor Mate_2016 CEE GC Summit_Istanbul

KEY NEW FEATURES OF GDPR

ACCOUNTABILITY

DATA PROTECTION BY DESIGN & BY DEFAULT

PIA

INDIVIDUALS’ RIGHTS

right to be informed

recipients of personal data

Data Protection Officer

Privacy Impact Assessment

BREACH NOTIFICATION

DPO

processes & policies

documentation

fostering to live the rights

Page 7: GDPR Implementation Basics_Igor Mate_2016 CEE GC Summit_Istanbul

CORPORATE RESPONDS & ACTIONS

GROUP DATA PROTECTION FRAMEWORK

SINGLE UNIFIED CENTRALIZED

SCALE CHANGE BOARDROOM ISSUE

SPECIAL PROFESSIONAL TIMELY SOLUTION

IMPLEMENTATION

CHALLENGES

NEW DIMENSION PRIVACY FUNCTION

MULTIPLE DEPARTMENTS CONCERNED

Page 8: GDPR Implementation Basics_Igor Mate_2016 CEE GC Summit_Istanbul

KEY ELEMENTS OF FRAMEWORK 4W

WHY?

WHAT?

WHERE?

WHO?

business purpose: processes/actions

type of data

systems, files

delicate distinction re access

Page 9: GDPR Implementation Basics_Igor Mate_2016 CEE GC Summit_Istanbul

KEY STAKEHOLDERS

DATA USERS (PROCESS / INFORMATION OWNERS)

DATA PROCESSORS

HR

Sales / Marketing / CRM

Communications / CSR

Purchase

IT

IT Security

Security

Page 10: GDPR Implementation Basics_Igor Mate_2016 CEE GC Summit_Istanbul

ACTIONS IN COOPERATION WITH STAKEHOLDERS

[Timeline axis: 2016, 2017, 2018; quarters Q1, Q1, Q2, Q3, Q4; March 31]

Data protection fitness survey

Developing manuals, training materials

Training of stakeholders (process owners)

Briefing (local) management

Nominating Local Data Protection Coordinators

Workshops with stakeholders

(Basic self-compliance check with national legislation)

DATA MAPPING AND INVENTORY

GDPR-PROOF GROUP PRIVACY FRAMEWORK


Page 11: GDPR Implementation Basics_Igor Mate_2016 CEE GC Summit_Istanbul

data MAPPING

purpose

deletion

rights of data subjects (consent, SAR)

data categories

processes

access rights and recipients

transfer (outsourcing)

quality (accuracy) assurance

storage and safeguarding (security)

backup actions (breach/incident)

Page 12: GDPR Implementation Basics_Igor Mate_2016 CEE GC Summit_Istanbul

BRIEFINGS, WORKSHOPS, TRAININGS

AWARENESS

APPROACH

ATTRIBUTE

OF PERSONAL DATA PROTECTION AS CORPORATE FUNCTION

Constitutional Right

“CONSUMER TRUST IS ESSENTIAL TO ACHIEVING GROWTH.”

Code of Conduct

“WHATEVER DIRECTION YOU’RE TAKING WITH PEOPLE’S INFORMATION; YOU’RE TAKING THOSE PEOPLE WITH YOU.”

Accessory

“YOU NEED TO BUILD THE CONSIDERATIONS FOR PRIVACY INTO YOUR PROJECTS RIGHT FROM THE BEGINNING TO MAKE IT WORK.”

Page 13: GDPR Implementation Basics_Igor Mate_2016 CEE GC Summit_Istanbul

DATA PROTECTION WILL BE ON AGENDA

WHY?

INTERNALLY EXTERNALLY OTHERS

PRIVACY BY DESIGN / PRIVACY RISK ASSESSMENT

OUTSOURCING (TRANSFER)

EDUCATION AND TRAINING

REVIEW / CONTROL

INCIDENT MANAGEMENT

SARs

DOCUMENTING AND REPORTING COMPLIANCE

DPA AUDITS

BREXIT

PRIVACY SHIELD

DUE DILIGENCE

Page 14: GDPR Implementation Basics_Igor Mate_2016 CEE GC Summit_Istanbul

TAKEAWAYS

PERSONAL DATA PROTECTION VERY MUCH IN FOCUS

TOUGHER REGULATIONS AT THE DOORSTEP

RISKS EVOLVE

NON-COMPLIANCE MAY BRING SEVERE IMPLICATIONS

NEW STAKE OF INTERNAL ACTIVITY NEEDED

DEDICATED CORPORATE FUNCTION TO SET UP

375, 374, 373, 372, 371, 370, 369... BUSINESS DAYS

Page 15: GDPR Implementation Basics_Igor Mate_2016 CEE GC Summit_Istanbul

QUESTIONS

THANK YOU!

Dr. Igor Máté

https://no.linkedin.com/in/igormate