GDPR From the Trenches - Real-world examples of how companies are approaching compliance.


Transcript of GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Page 1: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

GDPR From the Trenches: Real-world examples of how companies are approaching compliance

Magnus Valmot, Ardoq
Simen Breen, SANDS
Per Franzén, Telia Norge
Ian Stendera, Ardoq

Page 2: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Ask Questions

Page 3: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Simen Breen, SANDS

Page 4: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Seeking legal counsel to help you structure compliance projects and assess risk

Simen Breen | Senior Lawyer | SANDS

Page 5: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

How to start working with the GDPR?

The nature of the GDPR

The GDPR is not sector specific and there is no threshold for the applicability

Work in a structured way from the beginning, and prioritize your efforts.

Before you get down to the details of the GDPR you

… need to know what you are doing with personal data

… need to know what to prioritize

Page 6: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

There is no easy way out

No one-size-fits-all strategy for GDPR compliance

GDPR does not impact all businesses the same way, and the starting position is different

Most checklists are either incomplete or so vague that they don’t really help.

First steps should be the same:

• Establish a project team

• A mapping of personal data processing activities

• A mapping of compliance with existing requirements on personal data protection, and a mapping of existing policies, documentation etc.

Page 7: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Establish a project team

• A GDPR compliance project must have sufficient internal resources to succeed

• Including the relevant people in your organization is key

• The project team needs to have basic knowledge of GDPR and the reason for doing the mapping process

• The project manager and the team must be given sufficient time and resources

• The project team should be able to make decisions without time-consuming internal processes

• External advice if necessary; legal and information security

Page 8: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Mapping the processing of personal data

• What types of personal data you process

• What are the purposes of the processing

• What are the legal bases for your processing activities

• What is the source of the data

• Where is the data and what systems are used

• Who is responsible for the processing and the data systems

• How many persons does the processing comprise

• Use of data processors

• Transfer of data out of the EU/EEA

• Activities as data processor

• How to document this?

Page 9: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Mapping of your processing activities is necessary for deciding how to go forward

• Knowing what processing of personal data the business does is necessary to fulfill the requirements in the GDPR

• Being able to understand which requirements are relevant for your business

• Being able to concretize the principles etc. to requirements

• Being able to make instructions and procedures that actually work in practice

Page 10: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Mapping of your processing activities is necessary for deciding how to go forward

• To be able to make priorities (if necessary)

• Priorities should not be made based on assessing the article in itself

• Priorities should be made considering the processing activities and the risks related thereto

• Which processing operations are high risk (to the rights and freedoms of natural persons or legal risk) or business critical

Page 11: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Get it right from the start

• You have to structure your compliance project based on your business

▪ Your data processing is the key

▪ Current compliance status is relevant – depending on jurisdiction

• Even though the legal requirements are the same for everyone, their practical effects vary greatly

• A risk-based approach

Page 12: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Contact

Simen Evensen | [email protected] | +47 928 20 300 | +47 22 81 46 24

Page 13: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Per Franzén, Telia Norway

Page 14: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Experience from an “overwhelmed” project manager

Per Franzén, Project Manager

Page 15: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

EXPERIENCE FROM A PROJECT MANAGER: OVERWHELMING AMOUNT OF GDPR TERMINOLOGY AND INSTRUCTIONS

[Word cloud: Data minimization, Individual Rights, Purpose limitation]

- Where do I start?

- Are there any guidelines?

- How does the GDPR terminology and instructions relate, or do they?

Page 16: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

“REACHING COMPLIANCE LEVEL ON GDPR IS KEY FOR OUR BUSINESS AND THEREFORE ONE OF OUR TOP PRIORITIES UNTIL JUNE 2018.”

THIS IS THE GUIDANCE FROM TELIA CORPORATE MANAGEMENT (GEM AMBITION)

Page 17: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Business Vision and Drivers - Privacy

[Diagram: the Telia Norge GDPR Compliance project in context. Inputs: GDPR Requirements, NO Legal Requirements, NO Privacy Strategy. Telia Company level: Information Asset & Vendor management project (GSO/ITAT) – processes, services/products and IT, asset and vendor management. Telia Norge AS level: EA and IT Governance – GDPR NO (Business Architecture, Architecture Vision, Information and System Architecture, Technology Architecture). GDPR work stream (in Group Security & Privacy): work stream management, employee privacy, awareness and communication, IT and enterprise architecture. Stakeholders: DPO Norway, PSG GDPR Norway. Related projects and activities: Project Vega - Security, NO IT EA Governance, NO IT Architecture project, Digital Telco initiative, Development, Trust as a Service, System Dev Teams, Line org, Order change. Project management and business readiness: run project and coordinate with Group, align with other projects and activities in Norway, prepare business to operate new GDPR requirements, transition planning and execution, opportunities and solutions, migration planning, implementation governance. Accountable (business): B2B, B2C, OneCall, MyCall, Chess, HR, Procurement, Legal / Privacy, Technology and Security Management. Deliverables: Privacy Policies and Objectives, Input change (EPICs) - Observations, Privacy Requirements, Guidance, Plans, Architecture principles (GSO). Label: GDPR IT Project.]

IN JANUARY 2017 I STARTED STRUCTURING THE PROJECT, AFTER WHICH WE SPENT 2 MONTHS ON THE AS-IS ANALYSIS, AND 1 MONTH ON GAP ANALYSIS

Page 18: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

AFTERWARDS I REALIZED THAT GDPR RIGHTS AND PRINCIPLES ARE BASED ON THE MANAGEMENT OF CUSTOMER AND EMPLOYEE PERSONAL DATA

[Diagram labels: Resources (OSS, BSS, Portal, CLI Database, Privacy Data); Employee; Customer; Portal; GDPR Individual rights; Authority; Governance; Data protection principles; Telia Norge AS; Partners / Data Processors; Accountability.]

Page 19: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

BUSINESS ARCHITECTURE – HOW DOES GDPR RELATE TO TODAY’S OPERATIONS?

[Diagram labels: Accountability; Purposes; Legal grounds (Performance of contract, Legitimate interests, Individual’s consent); Customer / Employee; Privacy Data - BO; Business Process Roles; Processes (TM Forum eTOM L3); Systems (OSS, BSS, Portal); IT System Roles (in IdM); GDPR Individual rights functionality; GDPR Data protection principles functionality; Legal requirement; GDPR Privacy Data; Privacy by Design - Policies. Several elements are marked “Will be defined by GDPR Project”.]

Page 20: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

ACCOUNTABILITY IS CENTRAL – TARGET ARCHITECTURE QUALITY SYSTEM (NOW BUILT IN ARDOQ)

[Diagram labels: Common Information Model (single consistent representation for all management data); Management Data (AS-IS); Management Data (TO-BE); Accountability GDPR; GDPR law; Controls (Gap); Observations.]

Page 21: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

THE MODEL WE USE FOR WORKING IN ARDOQ

[Diagram labels: AS-IS; GDPR compliance; TO-BE (three instances); Observations.]

Page 22: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

OUR COMMON INFORMATION MODEL (CIM) IS CENTRAL (WORK IN PROGRESS)

Page 23: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

SOME EXAMPLE MODELS – EVERYTHING IS CONNECTED IN OUR CIM

Page 24: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

HOW WE LINK THE REGULATION TO TELIA NORGE’S DAILY OPERATIONS

Page 25: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

WHY DO WE USE ARDOQ AND NOT EXCEL?

1. Value adding

• When we first gather so much information, it should be usable across the organization

• Our IT solution to provide automated GDPR Individual rights and the related GDPR Data protection principles uses Ardoq as a Policy/Rule engine

2. Maintenance – keeping information up-to-date continuously

• Ardoq has support for automating via integrations (input and output) and simplifies manual documentation

• We can automate Controls (Gaps) to verify compliance to GDPR (Observations)

• GDPR Training for Personnel will be using data from Ardoq – will be personalized

3. Traceability

• We need to be able to trace how everything is connected and how they impact each other

• We now have an AS-IS status of the relations between data elements in the CIM and can run predefined queries

Page 26: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Ian Stendera, Ardoq

Page 27: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Lessons Learned

Ian Stendera, VP of Customer Development at Ardoq

Page 28: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Lessons Learned

• Compliance is continuous

• Define realistic scope

• Think structured

Page 29: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Continuous Compliance

[Timeline figure: compliance checkpoints (✓) at May 2018, NOV 2018, May 2019, NOV 2018; Risk axis.]

Page 30: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Continuous Compliance

[Cycle diagram: Document, Optimize, Implement, Analyze.]

Page 31: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Define Scope

Page 32: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Define Scope

Page 33: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Think Structured

VS

Page 34: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Think Structured: handling attendees’ personal data

Org Unit | Personal Data Captured | Sensitive Data? | Processing Purpose | Source | Lawful Basis | Systems handling personal data | System Owner | # of Data Subjects | Transferred externally? | Handled outside of EU?
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Marketing | Name, Email, Telephone (optional), company | No | Manage Attendee Registration | Eventbrite webform | Consent | Eventbrite, Prosperworks, Excel | Marketing / Sales | 50 | Yes, systems are cloud SaaS solutions | No
Marketing | Name, Email, Telephone (optional), company | No | Send Thank You and Presentations | Eventbrite webform | ? | MailChimp | Marketing | 50 | Yes, systems are cloud SaaS solutions | No
Marketing | Name, Email, Telephone (optional), company | No | Register for Webinar | Eventbrite webform | Consent | Eventbrite | Marketing | 50 | Yes, systems are cloud SaaS solutions | No
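The register above, encoded as data and run through a few controls that turn gaps into observations, in the spirit of the Controls (Gaps) / Observations idea from the Telia slides. This is an added example, not the presenters' or Ardoq's code; the list of accepted lawful bases and the sensitive-data, EU-transfer and missing-system controls are assumptions of the example, and the rows are constructed sample data re-typed from the table.

```python
from dataclasses import dataclass

@dataclass
class ProcessingActivity:
    """One register row; field names follow the table's column headers."""
    org_unit: str
    data_captured: list
    sensitive: bool
    purpose: str
    source: str
    lawful_basis: str           # "?" in the table means not yet decided
    systems: list
    system_owner: str
    data_subjects: int
    transferred_externally: bool
    outside_eu: bool

# The three legal grounds named on the business-architecture slide; GDPR Art. 6 lists more.
VALID_BASES = {"Consent", "Performance of contract", "Legitimate interests"}

COMMON = ["Name", "Email", "Telephone (optional)", "company"]
REGISTER = [  # constructed sample data, re-typed from the slide's table
    ProcessingActivity("Marketing", COMMON, False, "Manage Attendee Registration", "Eventbrite webform",
                       "Consent", ["Eventbrite", "Prosperworks", "Excel"], "Marketing / Sales", 50, True, False),
    ProcessingActivity("Marketing", COMMON, False, "Send Thank You and Presentations", "Eventbrite webform",
                       "?", ["MailChimp"], "Marketing", 50, True, False),
    ProcessingActivity("Marketing", COMMON, False, "Register for Webinar", "Eventbrite webform",
                       "Consent", ["Eventbrite"], "Marketing", 50, True, False),
]

def gap_observations(a: ProcessingActivity) -> list:
    """Run the controls (gaps) on one activity; each failed control is an observation."""
    obs = []
    if a.lawful_basis not in VALID_BASES:
        obs.append("no lawful basis recorded")
    if a.sensitive and a.lawful_basis != "Consent":   # assumed control, not from the deck
        obs.append("sensitive data without explicit consent")
    if a.outside_eu:
        obs.append("handled outside the EU/EEA: transfer mechanism needed")
    if a.transferred_externally and not a.systems:
        obs.append("transferred externally but no receiving system listed")
    return obs

def report(register) -> dict:
    """Map each activity's purpose to its list of observations (empty list = no gap found)."""
    return {a.purpose: gap_observations(a) for a in register}

if __name__ == "__main__":
    for purpose, obs in report(REGISTER).items():
        print(f"{purpose}: {obs or 'no observations'}")
```

Run as-is, the only observation is the MailChimp row, whose lawful basis the table leaves as "?".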

Page 35: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Our mission:

Transform compliance

from a cost

To a

Value-adding process

Page 36: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Thank you. That’s all folks!

Page 37: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Questions?

Magnus Valmot, Ardoq
Simen Breen, SANDS
Per Franzén, Telia Norge
Ian Stendera, Ardoq

Page 38: GDPR From the Trenches - Real-world examples of how companies are approaching compliance.

Thanks! Stick around for a live Ardoq demo.