GDPR From the Trenches - Real-world examples of how companies are approaching compliance (transcript)
GDPR From the Trenches: Real-world examples of how companies are approaching compliance
Speakers: Magnus Valmot (Ardoq), Simen Breen (SANDS), Per Franzén (Telia Norge), Ian Stendera (Ardoq)
Simen Breen, SANDS: Seeking legal counsel to help you structure compliance projects and assess risk
Simen Breen | Senior Lawyer | SANDS
How to start working with the GDPR?
The nature of the GDPR
The GDPR is not sector specific and there is no threshold for the applicability
Work in a structured way from the beginning, and prioritize your efforts.
Before you get down to the details of the GDPR you need to know what you are doing with personal data, and you need to know what to prioritize.
There is no easy way out
No one-size-fits-all strategy for GDPR compliance
GDPR does not impact all businesses the same way, and the starting position is different
Most checklists are either incomplete or so vague that they don’t really help.
First steps should be the same:
• Establish a project team
• A mapping of personal data processing activities
• A mapping of compliance with existing requirements on personal data protection, and a mapping of existing policies, documentation etc.
Establish a project team
• A GDPR compliance project must have sufficient internal resources to succeed
• Including the relevant people in your organization is key
• The project team needs to have basic knowledge of GDPR and the reason for doing the mapping process
• The project manager and the team must be given sufficient time and resources
• The project team should be able to make decisions without time-consuming internal processes
• External advice if necessary; legal and information security
Mapping the processing of personal data
• What types of personal data you process
• What are the purposes of the processing
• What are the legal bases for your processing activities
• What is the source of the data
• Where is the data and what systems are used
• Who is responsible for the processing and the data systems
• How many persons the processing covers
• Use of data processors
• Transfer of data out of the EU/EEA
• Activities as data processor
• How to document this?
Mapping of your processing activities is necessary for deciding how to go forward
• Knowing what processing of personal data the business does is necessary to fulfill the requirements in the GDPR
• Being able to understand which requirements are relevant for your business
• Being able to concretize the principles etc. into requirements
• Being able to make instructions and procedures that actually work in practice
• To be able to make priorities (if necessary)
• Priorities should not be made based on assessing the article in itself
• Priorities should be made considering the processing activities and the risks related thereto
• Which processing operations are high risk (to the rights and freedoms of natural persons, or legal risk) or business critical
Get it right from the start
• You have to structure your compliance project based on your business
▪ Your data processing is the key
▪ Current compliance status is relevant, depending on jurisdiction
• Even though the legal requirements are the same for everyone, their practical effects vary greatly
• A risk-based approach
Contact: Simen Evensen, [email protected], +47 928 20 300, +47 22 81 46 24
Per Franzén, Telia Norway: Experience from an "overwhelmed" project manager
Per Franzén | Project Manager | Telia Norway
EXPERIENCE FROM A PROJECT MANAGER: OVERWHELMING AMOUNT OF GDPR TERMINOLOGY AND INSTRUCTIONS
Data minimization, Individual Rights, Purpose limitation
- Where do I start?
- Are there any guidelines?
- How do the GDPR terminology and instructions relate, or do they?
“REACHING COMPLIANCE LEVEL ON GDPR IS KEY FOR OUR BUSINESS AND THEREFORE ONE OF OUR TOP PRIORITIES UNTIL JUNE 2018.”
THIS IS THE GUIDANCE FROM TELIA CORPORATE MANAGEMENT
[Diagram: Telia Norge GDPR compliance project structure]
Drivers (GEM ambition): Business Vision and Drivers - Privacy; GDPR Requirements; NO Legal Requirements; NO Privacy Strategy
Telia Company: Information Asset & Vendor management project (GSO/ITAT); processes, services/products and IT; asset and vendor management
Telia Norge AS: EA and IT Governance - GDPR NO (Business Architecture, Architecture Vision, Information and System Architecture, Technology Architecture)
Telia Norge GDPR Compliance project, GDPR work stream (in Group Security & Privacy): work stream management; employee privacy; awareness and communication; IT and enterprise architecture
Stakeholders: DPO Norway; PSG GDPR Norway
Related projects and activities: Project Vega - Security; NO IT EA Governance; NO IT Architecture project; Digital Telco initiative; development (Trust as a Service, system dev teams); line org (order change)
Project management and business readiness: run project and coordinate with Group; align with other projects and activities in Norway; prepare business to operate new GDPR requirements; transition planning and execution; opportunities and solutions; migration planning; implementation governance
Accountable (business): B2B, B2C, OneCall, MyCall, Chess, HR, Procurement, Legal / Privacy, Technology and Security management
Deliverables: Privacy Policies and Objectives; input change (EPICs) - Observations; Privacy Requirements; Guidance; Plans; Architecture principles; GSO
IN JANUARY 2017 I STARTED STRUCTURING THE PROJECT, AFTER WHICH WE SPENT 2 MONTHS ON THE AS-IS ANALYSIS, AND 1 MONTH ON GAP ANALYSIS
[Diagram: GDPR IT Project]
AFTERWARDS I REALIZED THAT GDPR RIGHTS AND PRINCIPLES ARE BASED ON THE MANAGEMENT OF CUSTOMER AND EMPLOYEE PERSONAL DATA
[Diagram: GDPR rights and principles mapped onto Telia Norge resources]
Resources: OSS, BSS, Portal, Employee, Customer, Authority, CLI, Database, Privacy Data, Governance
GDPR: Individual rights; Data protection principles; Accountability
Telia Norge AS; Partners / Data Processors; Employee
BUSINESS ARCHITECTURE – HOW DOES GDPR RELATE TO TODAY’S OPERATIONS?
[Diagram: business architecture linking the GDPR to today's operations]
Accountability; Purposes; Legal grounds (performance of contract, legitimate interests, individual's consent); Customer / Employee Privacy Data - BO
Business process roles; Processes (TM Forum eTOM L3); Systems (OSS, BSS, Portal); IT System Roles (in IdM)
GDPR Individual rights functionality; GDPR Data protection principles functionality; Legal requirement; GDPR Privacy Data; Privacy by Design - Policies
Several elements are marked "Will be defined by GDPR Project"
ACCOUNTABILITY IS CENTRAL –TARGET ARCHITECTURE QUALITY SYSTEM (NOW BUILT IN ARDOQ)
[Diagram: target architecture quality system]
Common Information Model: single consistent representation for all management data; Management Data (AS-IS) and Management Data (TO-BE); Accountability GDPR; GDPR law; Controls (Gap); Observations
THE MODEL WE USE FOR WORKING IN ARDOQ
[Diagram: AS-IS, GDPR compliance, TO-BE, Observations]
OUR COMMON INFORMATION MODEL (CIM) IS CENTRAL (WORK IN PROGRESS)
SOME EXAMPLE MODELS – EVERYTHING IS CONNECTED IN OUR CIM
HOW WE LINK THE REGULATION TO TELIA NORGE’S DAILY OPERATIONS
WHY DO WE USE ARDOQ AND NOT EXCEL?
1. Value adding
• When we first gather so much information, it should be usable across the organization
• Our IT solution for providing automated GDPR Individual rights and the related GDPR Data protection principles uses Ardoq as a Policy/Rule engine
2. Maintenance – keeping information up-to-date continuously
• Ardoq has support for automating via integrations (input and output) and simplifies manual documentation
• We can automate Controls (Gaps) to verify compliance with the GDPR (Observations)
• GDPR training for personnel will use data from Ardoq and will be personalized
3. Traceability
• We need to be able to trace how everything is connected and how the elements impact each other
• We now have an AS-IS status of the relations between data elements in the CIM and can run predefined queries
Ian Stendera, Ardoq: Lessons Learned
Ian Stendera | VP of Customer Development | Ardoq
Lessons Learned
• Compliance is continuous
• Define realistic scope
• Think structured
Continuous Compliance
[Timeline: review checkpoints labelled May 2018, Nov 2018, May 2019, Nov 2018 (as extracted), with Risk tracked across the cycle]
[Cycle: Analyze, Define Scope, Implement, Optimize, Document]
Define Scope
Think Structured (vs. unstructured)
Think Structured: handling attendees’ personal data

Org Unit | Personal Data Captured | Sensitive Data? | Processing Purpose | Source | Lawful Basis | Systems handling personal data | System Owner | # of Data Subjects | Transferred externally? | Handled outside of EU?
Marketing | Name, Email, Telephone (optional), company | No | Manage Attendee Registration | Eventbrite webform | Consent | Eventbrite, Prosperworks, Excel | Marketing / Sales | 50 | Yes, systems are cloud SaaS solutions | No
Marketing | Name, Email, Telephone (optional), company | No | Send Thank You and Presentations | Eventbrite webform | ? | MailChimp | Marketing | 50 | Yes, systems are cloud SaaS solutions | No
Marketing | Name, Email, Telephone (optional), company | No | Register for Webinar | Eventbrite webform | Consent | Eventbrite | Marketing | 50 | Yes, systems are cloud SaaS solutions | No
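One way to turn a mapping table like this into the automated gap control (Controls producing Observations) that the Telia section describes, as an added Python example that is not part of the original presentation or of Ardoq's product; the register rows are constructed from the table above, and the check rules (undocumented lawful basis, transfer outside the EU/EEA, special-category data, external data processors) are assumptions chosen to match the risk points the mapping slides list.

```python
from dataclasses import dataclass

# Lawful bases the register is allowed to cite; anything else is treated as a gap.
VALID_BASES = {"consent", "contract", "legitimate interests", "legal obligation"}

@dataclass
class ProcessingActivity:
    """One row of the record of processing activities (the mapping table)."""
    org_unit: str
    data_captured: list
    sensitive: bool               # special-category data?
    purpose: str
    source: str
    lawful_basis: str             # "?" means not yet documented
    systems: list
    owner: str
    subjects: int
    transferred_externally: bool  # external data processors in use
    outside_eu: bool              # handled outside the EU/EEA?

def find_gaps(activity):
    """Return the observations (gaps) for one activity; an empty list means none found."""
    gaps = []
    if activity.lawful_basis.strip().lower() not in VALID_BASES:
        gaps.append(f"lawful basis not documented ({activity.lawful_basis!r})")
    if activity.outside_eu:
        gaps.append("handled outside the EU/EEA: transfer mechanism must be documented")
    if activity.sensitive:
        gaps.append("special-category data: high risk, assess need for a DPIA")
    if activity.transferred_externally:
        gaps.append("external data processors in use: processor agreements required for "
                    + ", ".join(activity.systems))
    return gaps

def report(register):
    """Map each processing purpose to its list of gaps."""
    return {a.purpose: find_gaps(a) for a in register}

# Constructed sample register: the three attendee-data rows from the table above.
ATTENDEE_DATA = ["Name", "Email", "Telephone (optional)", "company"]
REGISTER = [
    ProcessingActivity("Marketing", ATTENDEE_DATA, False, "Manage Attendee Registration",
                       "Eventbrite webform", "Consent", ["Eventbrite", "Prosperworks", "Excel"],
                       "Marketing / Sales", 50, True, False),
    ProcessingActivity("Marketing", ATTENDEE_DATA, False, "Send Thank You and Presentations",
                       "Eventbrite webform", "?", ["MailChimp"], "Marketing", 50, True, False),
    ProcessingActivity("Marketing", ATTENDEE_DATA, False, "Register for Webinar",
                       "Eventbrite webform", "Consent", ["Eventbrite"], "Marketing", 50, True, False),
]
```

Running `report(REGISTER)` flags the "Send Thank You and Presentations" row twice (unknown lawful basis and the MailChimp processor), while the two consent-based rows only carry the processor-agreement observation.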
Our mission: transform compliance from a cost to a value-adding process
Thank you, that’s all folks! Questions?
Magnus Valmot (Ardoq), Simen Breen (SANDS), Per Franzén (Telia Norge), Ian Stendera (Ardoq)
Thanks! Stick around for a live Ardoq demo