Tools and ideas to prepare you or your organisation to comply with GDPR implementation

18th October 2017, Grand Hotel, Sofia

GDPR compliance

Agenda

Time            Topic
09:00 - 09:25   Introduction to the Copenhagen Compliance GDPR roadmap
09:25 - 10:30   Plan - General definitions & DPO
10:30 - 10:45
10:45 - 11:15   Plan - Project scope and data inventory
11:15 - 12:00   Legal issues
12:00 - 12:30
12:30 - 13:30   Do - Accesses, consents & requests
13:30 - 14:20   Do - Transfers & breaches
14:20 - 14:35
14:35 - 15:15   Improve - Privacy Impact Assessments
15:15 - 15:30   Closing remarks and final questions
15:30 - 16:00   Certification Exam Review

What will you receive today?

No data privacy right in the GDPR is absolute. Each is subject to reasonable restrictions that bind the data subject, the data controller and the data processor alike. The individual restrictions must be neither arbitrary nor disproportionate to the rationale for the data subject's privacy and to the GDPR article(s) the restriction is meant to protect.

Presentation link: http://www.eugdpr.institute/gdpr-18oct-sofia/

Introductions

Does the GDPR apply to me?

Does my company offer goods or services to EU residents?
Does my company monitor the behaviour of EU residents, for example through apps and websites?
Does my company have employees in the EU?

GDPR areas

Organisational

Legal

Technical

Privacy culture

GDPR compliance journey

Organise changes

Theory to practice

Info Security and boards: 2017 Security and Privacy Survey by Protiviti

87% of FTSE 100 companies disclosed cyber as a principal risk
Only 33% report high board engagement in cyber risks: boards are not discussing cyber risks
Directors are more prepared for compliance risks than for cyber risks
Weak cybersecurity controls and preparedness
38% have all core infosec policies in place, a factor with a big impact on security that distinguishes the top performers
31% have an excellent understanding of their critical information; many companies are unable to identify their most valuable data assets
60% have mandatory security training for all employees

Copenhagen Compliance GDPR Roadmap & Framework

GDPR Deliverables Roadmap I

[Timeline diagram, pilot: Jan 2017 to Mar 2018 (2017 Q1 to 2018 Q1). Phases: Plan, Do, Improve (controls, implementation & change management). Swimlanes: Process/procedure; Organisation/People; Tool; Information, data, documents; Core activity; Steering Committee meetings. The deliverables shown in the diagram are listed below by swimlane.]

Process/procedure: data flow mapping procedure & template; data protection policy; audit & compliance policy; privacy by design procedures; data processor standards & agreements; breach notification procedure; incident handling procedure; subject access procedures; binding corporate rules; information classification procedure; compliance standards; internal audit procedures; due diligence & 3rd-party audit procedures; information management policy; data collection procedures; data use procedures; 3rd-party data exchange agreements; document & record control policy; data quality procedures; data disposal procedures; public trust charter; information notices procedures; enforcement notices procedures; complaints procedures; monitoring & reporting procedures; DP impact assessment procedures; data portability procedures

Organisation/People: project team kick-off; functional kick-offs; core team training; organisational competency assessment; data protection awareness campaign; recruitment & training plan; role-based training materials; role-specific training (sprints); recruitment for needed competences

Tool: project portal & project document standards; DP management system requirements; proof of concept; DP management system implemented

Information, data, documents: initial comms & training materials; process & application scope; data protection strategy; legal & IS assessment questionnaire; risk management materials; privacy data inventory; privacy notice inventory; DP agreement inventory; gap & risk list; business process update plan

Core activities (sprints): pilot mapping & assessment; data flow mapping & gap and risk assessment; revise data processor agreements & contracts; revise privacy notices & statements; data protection policies, procedures & control implementation; assess in-flight projects; update business processes; map InfoSec controls to GDPR; information security policies, procedures & control implementation; readiness reviews & tests

GDPR Deliverables Roadmap II

[Timeline diagram: Apr 2016 to Jun 2017 (2016 Q2 to 2017 Q2). Phases: Plan, Do, Improve (control, implementation & change management). Swimlanes: Process; Organisation/People; Technology; Information; Core activity; Steering Committee meetings, split between the Business Area Group and the Project Team, with project management running throughout. Deliverables shown:]

Process: data flow mapping process & template; GAP analysis process & template; PIA process; incident handling process; breach notification procedure; data deletion rules; monitoring & reporting process; roles, processes & procedures updated; governance process implementation; data protection policy; privacy by design guidelines; binding corporate rules; data processor agreement template; data processor agreement requirements; DP agreement requirements for projects; customer activity processes

Organisation/People: project team kick-off; business kick-off (top level); business kick-off (process); business team defined; mandate for the Security/DP board; Security/DP board established; DPO role requirements; DPO role in place; organisational competency assessment; training needs analysis; first training plan; recruitment & training plan; role-based training materials; role-specific training; recruitment for needed competences; data flow mapping training and training materials; data protection awareness

Technology: DPMS tool requirements; DPMS tool

Information: business org. charts; application scope; business process scope; business area plan; key data protection risks; data protection strategy; risk management materials; control list; privacy data inventory; business activity update plan; DP agreements revised

Core activities: risk review (GAP analysis, identify key risks and control design); data flow mapping (applications); data flow mapping (business processes); assess existing processes requiring amending; control implementation; risk review (effectiveness of implementation)

GDPR Deliverables Roadmap III

Roadmap

A - Plan
1- Obtain the buy-in from stakeholders
2- Get a team
3- Identify relevant processes and third-party activities
4- Compile a data inventory
5- Clean the house: data minimisation
6- Create a privacy policy

B - Do
1- Limit accesses
2- Review consents
3- Process access requests
4- Validate data transfers
5- Report data breaches

C - Improve
1- Train the staff
2- PIAs for business changes
3- Audits
4- Certifications

ISO 27001 Info Sec Mgmt. Sys

Context

Understand the organisation

Understand needs and expectations

Determine scope

Leadership

Leadership and commitment

Policy

Roles, responsibilities and authorities

Planning

Actions to address risk

Info sec risk assess.

Info sec risk treatment

Info sec plans

Support

Resources

Competence

Awareness

Communications

Documented information

Operation

Operational planning and control

Info sec risk assess

Info sec risk treatment

Performance

Monitoring, measurement, analysis

and evaluation

Internal audit

Management review

Improvement

Nonconformity and corrective actions

Continual improvement

Data protection (ISO 27001) is needed for privacy (GDPR)

GDPR and Cyber Security

• Boards are not discussing cyber risks (survey of 350)1: 53% of respondents receive only "some information" and 1/3 receive "comprehensive and informative data"
• 50% have a clear understanding of their data assets
• 10% do not have a cyber incident response plan; 27% have no defined role in the response to incidents
• 68% had not received incident response training
• 6% feel their company is prepared for GDPR
• 68% of large UK companies, and 46% of all UK businesses, had at least one breach in the last year
• In the 2015 information security breaches survey, 90% of large organisations and 74% of SMEs reported a security breach2

1. http://www.computerweekly.com/news/4500247376/Cost-of-UK-cyber-breaches-up-to-314m
2. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/635605/tracker-report-2017_v6.pdf
3. https://www.out-law.com/en/articles/2017/april/cost-of-cybersecurity-breaches-more-than-just-financial-says-expert-/

A - Plan

How well prepared are we? How can we start? How can we get support? Do we need a DPO?
What personal data do we hold? What is it being used for? How secure is it?

Step 1: Obtain the buy-in

Key factor for success

Board members, senior managers
Chief compliance officer, chief risk officer, chief legal officer
Chief information officer, chief information security officer

Fines + reputation

Step 1: Tips

Educate key stakeholders about the GDPR
Explain the privacy risks for their own career
Invite them to conferences and training
Communicate the link between GDPR and cyber risks

Propose a plan adjusted to the company culture1
Efficient and transparent plan
Plan aligned to available resources
GDPR project linked to strategies, e.g. better use of data, updated marketing databases, protection of patents and trade secrets

Share cases about data breaches: "Good privacy is good business"

1. Building Blocks of Corporate Culture; https://www.grantthornton.global/en/corporate-governance-2017/

Step 1: Tips. Documentation

• Document all data processing activities
• Document and data inventory
• List of consents
• List of data processors and related agreements
• Risk analyses
• PIA / DPIA
• Security policy
• Contingency plans

Why is GDPR important?

Fines!

Up to EUR 20M or 4% of global annual turnover of the preceding financial year, whichever is higher: failure to implement the core principles, infringement of data subjects' rights, and transfers of personal data to countries or organisations without adequate protection.

Up to EUR 10M or 2% of global annual turnover of the preceding financial year, whichever is higher: failure to comply with technical and organisational requirements such as impact assessments, breach communication and certification.

Fines can be reduced where appropriate technical and organisational measures were in place.

Why is GDPR important?

Protect the reputation

Organise and control data

Remove unnecessary data

Identify privacy vulnerabilities at an early stage

Focus the client and customer contact lists

Data Privacy as a competitive advantage

It is all about the reputation!

Step 1: Discussion case

Ashley Madison, a site that enabled extramarital affairs
Lack of protective and detective measures
Required users to pay USD 19 to delete their data (which was only partially done)
Cybercriminals posted e-mail addresses, credit card numbers and account details of 32M current and former members

https://www.theguardian.com/technology/2016/nov/14/adult-friend-finder-and-penthouse-hacked-in-largest-personal-data-breach-on-record

Step 1: Discussion case

Top management tolerated the absence of:
a security policy
data transparency
a risk assessment

Consequences for the company and users?

https://www.theguardian.com/business/2016/feb/02/talktalk-cyberattack-costs-customers-leave

Step 2: Get a team

One-man army?

The implementation team is not the maintenance team
Define a clear objective and responsibilities
Be a leader
Experience in project management, security, training and legal
Commit time of process subject-matter experts
Document all the project activities
Data protection officer
Get the team early

Core team: leads the implementation efforts; knowledge of GDPR compliance, privacy controls, data security and change management
Subject-matter experts: IT, compliance, HR, marketing, procurement, customer support

Change management: GDPR impact

New or amended policies and record management
New operational roles and responsibilities, DPO role
Changes in IT tools, solutions, applications and infrastructure
Changes in contracts, agreements, consents, notices
Continuous improvement

Change management: GDPR impact

Create a protection impact assessment policy
Improve the access management policy
Review processes dealing with personal information
Identify owners of personal data
Assess key staff skills
Create and conduct learning and awareness programs
Communicate the GDPR changes
Determine the need for PIAs
Follow up remediation plans for IT solutions
Incident management
Document compliance efforts
Get approvals for changes
Metrics for GDPR compliance

https://www.linkedin.com/pulse/gdpr-vital-change-management-discipline-kersi-porbunderwalla?published=t

Step 2: Example

Executive project board: meets quarterly, strategic focus
Project steering committee: meets monthly, operational focus
Group project manager
Project group: risks, security, legal, audit
Reference teams (IT)
Business Line 1, 2 and 3: lead, process owners, application managers, subject matter experts
IT Core Services: lead, process owners, application managers, subject matter experts
HR: lead, process owners, application managers, subject matter experts
External partners: customers, consultants & suppliers

Who needs a DPO?

The controller or the processor when:
Processing is carried out by a public authority
The core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale
Included: hospitals for health data, a marketing agency for customer web data, surveillance companies
Excluded: payroll for a commercial company, health data processed by a single doctor
The core activities consist of large-scale processing of special categories of personal data, or of data relating to criminal convictions and offences
Required by national law

Is your company subject to the EU GDPR?

What does a DPO do?

Foster the data protection culture
Guide the GDPR implementation and monitor its compliance
Make recommendations in meetings where decisions with data protection implications are taken
Cooperate and liaise with the supervisory authorities

Independence to ensure compliance
Employee or external consultant based on a service contract
Expertise in national and European data protection laws
Knowledge of the business sector and of the organisation of the controller
Professional ethics and no conflict of interest
Groups may designate a single DPO

Group discussion

Who can be a DPO? The chief risk officer, the compliance officer, the chief information security officer... (the Article 29 Working Party's DPO guidelines warn that senior roles which determine the purposes and means of processing, such as head of IT, create a conflict of interest)

Step 3: Relevant processes

Scope: understand the areas dealing with personal information, and the 3rd parties processing personal information
Get priorities; define deadlines in the roadmap
Business functions

Step 3: Repair or replace

What is personal information?

Any information relating to an identified or identifiable natural person: the data subject!

How is data identifiable?

A Bulgarian: 7M+ people
A Bulgarian female: 3.5M
A Bulgarian female born in 2000: 29k

One identifier: name; ID, passport, driver, social security and tax numbers; cookies and online IDs; phone numbers; location data

One or more factors: physical, physiological, economic, cultural, social, mental, genetic

How is data identifiable?

One identifier, or one or more factors

Pseudonymous: coded data linked by a secure and separated key to re-identify a data subject

What is pseudonymisation?

Replacing the sensitive data by a random code
Using a table on a separate server to link the random code to the original sensitive data

Original table:
Employee Name   Bank Account
J Hansen        DD99234
A Jensen        DD99432

Pseudonymised table (application server):
Employee Name   Code
J Hansen        Kl23!lsw=
A Jensen        45der_f2!

Lookup table (separate server):
Code            Bank Account
Kl23!lsw=       DD99234
45der_f2!       DD99432

Pseudonymised data is still personal data under the GDPR (Art. 4(5)); it only counts as anonymous once the link cannot be restored.

What is encryption?

An algorithm to scramble and unscramble data, transforming the original data with an encryption key

Original table:
Employee Name   Bank Account
J Hansen        DD99234
A Jensen        DD99432

Encrypted with the encryption key:
Employee Name   Encrypted Info
J Hansen        Kl23!lsw=
A Jensen        45der_f2!
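The two tables above, as a runnable added example written for this page (not code from the Copenhagen Compliance deck or the GDPR Institute). `pseudonymise` splits the employee table into a code table and a separate code-to-account lookup table, exactly the split the pseudonymisation slide draws; `encrypt` and `decrypt` transform the bank account itself under a key, the encryption slide's model. The employee names and account numbers are constructed sample data. To keep the example dependency-free, the cipher is HMAC-SHA256 used in counter mode with a separate HMAC tag (encrypt-then-MAC); that construction is sound but is a stand-in for a vetted AEAD such as AES-GCM, which is what to use in production.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample table mirroring the slide; the account numbers are not real.
EMPLOYEES = {"J Hansen": "DD99234", "A Jensen": "DD99432"}


def pseudonymise(records):
    """Split a {name: bank account} table into two tables.

    Returns (name_to_code, code_to_account). The code is a random token that
    reveals nothing about the account, so the first table can be used on its
    own; the second table is the separated "key" the slide keeps on another
    server, and only it allows re-identification.
    """
    name_to_code = {}
    code_to_account = {}
    for name, account in records.items():
        code = secrets.token_urlsafe(9)  # random, not derived from the data
        name_to_code[name] = code
        code_to_account[code] = account
    return name_to_code, code_to_account


def reidentify(name, name_to_code, code_to_account):
    """Join the two tables again; this needs access to both."""
    return code_to_account[name_to_code[name]]


def _subkeys(key):
    # Derive separate keys for the keystream and for the authentication tag.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF-based stream cipher. This is a
    # dependency-free stand-in for AES-GCM; use a vetted AEAD in production.
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)  # fresh per message so equal plaintexts differ
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key, blob):
    """Verify the tag before decrypting; raise if the blob was modified."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 16 + 32:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or modified data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def decrypts_cleanly(key, blob):
    """True if the blob authenticates under this key, False otherwise."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    name_to_code, code_to_account = pseudonymise(EMPLOYEES)
    print("pseudonymised table (safe to share):", name_to_code)
    print("re-identified J Hansen:", reidentify("J Hansen", name_to_code, code_to_account))
    key = os.urandom(32)
    blob = encrypt(key, EMPLOYEES["J Hansen"].encode())
    print("encrypted record:", blob.hex())
    print("decrypted record:", decrypt(key, blob).decode())
```

The security property to notice: the pseudonymised table alone reveals nothing, but as soon as the lookup table lives on the same server as the code table the data is, in practice, no longer pseudonymous, and under Art. 4(5) it counts as personal data in either case. With encryption the key is the single secret to protect; `decrypt` checks the tag before touching the ciphertext, so a modified record or a wrong key is rejected instead of silently returning garbage.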

Which data is sensitive?

Racial or ethnic origin, political opinions, religion, trade union membership, sex life, health, biometric and genetic data

Special categories: generally cannot be processed, except with explicit consent, where necessary for employment, and in other well-defined circumstances

Personal data stored in an ERP/CRM?

Employee and candidate tables for payroll: address, bank account, health, civil and military status, disabilities, related people, time sheets, tax info...
Customers, prospects and payment: credit card numbers
Supplier tables: contractors, vendors, partners
In production and other environments
Backups and legacy systems

Other personal data stored?

Website visitors, email servers, marketing databases, customer loyalty programs, patient/client databases, performance reviews, personnel files, legal documents, credit card statements, cameras and fingerprints for access control, phone books, end-user apps, downloads, shared folders

Step 3: Scope example

HR Strategy: analyse trends in requirements; create recruitment strategies; plan for staff and development
Recruit: manage requirements; post job offers; manage candidates; interview candidates; select candidates; onboarding training
Employee: maintain HR policies; create employee records; create health records; handle employee cases; handle exits
Payroll: negotiate union agreements; set salary packages; manage payroll; manage pension plans; manage travel and expenses; calculate benefits
Attendance: manage time; manage leaves; manage absences
Training: develop training materials; deliver training
Performance: maintain the performance program; manage reviews; analyse results

In scope

Step 3: Scope example

In scope: Employee (maintain HR policies, create employee records, create health records, handle employee cases, handle exits), with its data flows in and flows out

Group discussion

Which departments hold most of the personal data in your organisation?

Step 4: Compile a data inventory

What personal data do we hold?
What applications do we have?
Where is it?
What is it being used for?
How secure is it?

Step 4: Compile a data inventory

Departments to cover by meeting or questionnaire:
Commercial, marketing, advertising, customer care, complaints system
HR, payroll, health & pension insurance, recruitment
Procurement, A/R and treasury
Legal, including the whistleblowing line
Support: compliance, IT, process experts

Step 4: Compile a data inventory

Who: are the data subjects? has access to their personal data? Is it shared with third parties?
Where: is the personal data stored? is it transferred?
Why: is the personal data under the company's control?
When: is the personal data kept until?
What: safety mechanisms and controls are in place?

Step 4: Template & Example

Personal data                                 | Purpose            | Data subject                        | Retention               | Owner | System                            | Security measures
Employee name, address, phone, date of birth  | Identification     | Employees, ex-employees, candidates | Permanent file          | HR    | SAP HR, personnel filing cabinets | Password, encryption, physical safeguards
                                              | Payroll processing | Employees                           | Until end of employment | HR    | SAP HR, MS Excel files            | Password, encryption, protected folder
                                              | Performance review | Employees                           | Until end of employment | HR    | Cornerstone Performance           | Password

Step 4: Template & Example

Other information to consider:
Technical information of the data: format, structure
Storage location: cloud, server, networks, email
Storage medium
Security classification: confidential, restricted
Source: system generated, input
Collected by
Used by
Disclosed to
Retention period
Deletion type
Volume (gigabytes, records)
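The template above, as an added example that is not part of the deck: a small Python model of the inventory rows with a gap check run over them. The rows are constructed to mirror the slide's three examples (the `health status` field in the payroll row is added to show a special-category finding), and the check rules, their wording and the keyword lists are the editor's own assumptions, chosen to match the principles the deck itself lists (purpose limitation, storage limitation, security of processing); they are a starting checklist, not a legal test.

```python
from dataclasses import dataclass

# GDPR Art. 9 special categories as named on the "Which data is sensitive?" slide,
# plus biometric and genetic data. Assumption: a case-insensitive substring match
# on the "Personal data" column is enough to flag a row for review.
SPECIAL_CATEGORY_KEYWORDS = ("racial", "ethnic", "political", "religio", "trade union",
                             "sex life", "sexual", "health", "biometric", "genetic",
                             "fingerprint", "disabilit")

# Retention values that mean "no retention period has actually been decided".
UNDEFINED_RETENTION = ("", "permanent", "permanent file", "indefinite", "forever")


@dataclass(frozen=True)
class InventoryRow:
    """One line of the Step 4 template, same columns as the slide."""
    personal_data: str
    purpose: str
    data_subjects: tuple
    retention: str
    owner: str
    systems: tuple
    security_measures: tuple


def check_row(row):
    """Return the gap findings for one row.

    The rules are the editor's own checklist, mapped to the principles the deck
    lists: purpose limitation, storage limitation and security of processing.
    """
    findings = []
    data = row.personal_data.lower()
    measures = " ".join(row.security_measures).lower()
    if not row.purpose.strip():
        findings.append("no purpose recorded (purpose limitation)")
    if row.retention.strip().lower() in UNDEFINED_RETENTION:
        findings.append("no defined retention period (storage limitation)")
    if any(k in data for k in SPECIAL_CATEGORY_KEYWORDS) and "encrypt" not in measures:
        findings.append("special-category data without encryption at rest (security of processing)")
    if any("excel" in s.lower() or "shared folder" in s.lower() for s in row.systems):
        findings.append("personal data in spreadsheets or shared folders: hard to access-control and delete")
    if not row.security_measures:
        findings.append("no security measures recorded")
    if not row.owner.strip():
        findings.append("no data owner: nobody to approve access or sign off deletion")
    return findings


def build_gap_list(rows):
    """Map each row's purpose to its findings; a row with no findings maps to []."""
    return {row.purpose: check_row(row) for row in rows}


# Constructed rows mirroring the slide's template (the payroll row adds a
# "health status" field to show a special-category finding).
SAMPLE_INVENTORY = (
    InventoryRow("Employee name, address, phone, date of birth", "Identification",
                 ("Employees", "Ex-employees", "Candidates"), "Permanent file", "HR",
                 ("SAP HR", "Personnel filing cabinets"),
                 ("Password", "Encryption", "Physical safeguards")),
    InventoryRow("Employee name, bank account, salary, health status", "Payroll processing",
                 ("Employees",), "Until end of employment", "HR",
                 ("SAP HR", "MS Excel files"),
                 ("Password", "Encryption", "Protected folder")),
    InventoryRow("Employee name, review notes", "Performance review",
                 ("Employees",), "Until end of employment", "HR",
                 ("Cornerstone Performance",), ("Password",)),
)


if __name__ == "__main__":
    for purpose, findings in build_gap_list(SAMPLE_INVENTORY).items():
        print(purpose + ":", findings or "no findings")
```

Running it on the deck's own rows already produces a finding: the identification record with retention "Permanent file" has no defined retention period, which is exactly the storage-limitation gap that Step 5 ("Clean the house") addresses.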

Step 4: Let's practice

Examples from "when" to "what":
When visitors access the company website: IP location, cookies, device information, browser information (e.g. language), behaviour information
When clients shop from the company website: name, address, email, bank/credit card details
When clients contact the company by website: name, address, organisation, phone number

Ideas for the "what"?
When candidates apply for a job: name, address, email, phone, age, places of employment
When employees are hired: name, date of birth, address, SSN, bank details, salary, vital records, photo, family details, health, tax and retirement number, passport, car license plate
When clients take part in a prize draw: name, phone
When visitors are video monitored at the lobby: images, activity
When fingers are scanned for door access: fingerprints (biometric)
When visitors follow company social media: data according to Facebook or LinkedIn policies
When suppliers are created: names, phones, addresses, emails, executives, transaction records, tax number, financial data
When employee users are created: PC IP address, mobile device, activity, password
When visitors get a company parking permit: license plate, name

Step 4: A bad example

• GDPR articles can reveal unknown data processing issues
• Is data used for the right purpose? Map the data flow of the process
• Article 30: the controller maintains a record of processing activities
• Organise process records around purpose, rather than around data flow
• Mistake: creating registers on each object in the dataset
• Use data only for the specific purposes under Article 5 (principles relating to processing of personal data)
• Therefore know the 3 P's: path, processing & payload

Step 5: Clean the house!

The GDPR is an opportunity to improve data practices. De-risk! Start clean!

Create an inventory of data and documents
Stop asking for personal data which is not needed
Delete personal data after it is no longer needed
Restructure databases to avoid redundancies in personal data
Centralise the channels that receive personal information
Anonymise data, erase copies and links
Opt out of email lists
Remove duplicate, out-of-date or inaccurate records
Be conservative: there are no GDPR fines for over-deleting (but check statutory retention obligations, e.g. for tax and employment records, before deleting)

Step 5: Discussion case

A UK pub chain deleted the customer emails from its marketing database in June 2017. Contacts are now made by Twitter and Facebook. The chain had suffered a breach of 665k emails in 2015.

Pros: less intrusive? No need to keep track of consents?
Cons: communication of offers

Step 5: An example

Best practices based on ISO 27001:
Set the information security objectives: provide access to information only to authorised employees and 3rd parties; protect the confidentiality, availability and integrity of information assets; implement annual information security awareness training
Support from upper management: policy approved by the CEO, IS compliance reports to the board
Responsibilities assigned to data owners, data users, IT, risk management and internal audit
Communicated across the company and to 3rd parties
Regularly updated

Step 6: Create a privacy policy

Recommended chapters:
Company privacy vision
Define data categories
Organisation of applicable policies: data retention, information security, recognise GDPR rights
Define general principles and roles to limit:
  the collection: how consents are ensured, when risk impact assessments are conducted
  the use: how data is secured and who is given access
  the disclosure: define circumstances for disclosure, complaints and requests, notification of breaches

Step 6: Create a privacy policy

Hierarchy

Policy on Privacy Management

Supporting policies on:
data breach incident management
duty of disclosure
classification and acceptable use of information assets
backup & business continuity
access control and passwords
handling international transfers
clear desk and clear screen policy
use of network services
software development
data processing agreements

Step 6: Create a privacy policy

Organisational: privacy policy; security strategy as part of the business ethics; risk tolerance based on customer trust
Operational: data security policy, objectives, privacy policy, privacy program, supporting policies

Step 6: Create a privacy policy

Privacy policy template by the GDPR Institute
Please ask us if you need further templates for additional policies

Supporting policies:
records retention
access control and delegation of access to employees' company e-mail accounts (vacation, termination)
acceptable collection and use of information resources incl. sensitive personal data
obtaining valid consent
collection and use of children's and minors' personal data
secondary uses of personal data
maintaining data quality
destruction of personal data
de-identification of personal data in scientific and historical research

Specific policies to add privacy controls:
use of cookies and tracking mechanisms
telemarketing, direct and e-mail marketing
digital advertising (online, mobile)
hiring practices and conducting internal investigations
use of social media
Bring Your Own Device (BYOD)
practices for monitoring employees (CCTV/video surveillance)
use of geo-location (tracking and/or location) devices
e-discovery practices
practices for disclosure to and for law enforcement purposes

Step 6: Removable media

Removable media is a common route for the introduction of malware and for the accidental or deliberate export of sensitive data

Employees should not use removable media as a default mechanism to store or transfer information: offer alternatives
Media ports should be enabled only for a few approved users
All removable media should be provided by the company
Sensitive information should be encrypted at rest on the media
Educate employees to maintain awareness

Step 6: Discussion case

B - Do

How do we implement the project? How do we manage changes?

https://www.linkedin.com/pulse/gdpr-vital-change-management-discipline-kersi-porbunderwalla?published=t

Step 1: Limit access

Ensure minimum access based on the employees' need to know to perform their job
May require updating the access control policy
Restrict the rights to enter, display, alter and remove personal information
Include any cloud-hosted files
Access management solutions and role-based access control are useful
Limit super-user roles, DBAs and third parties
Single sign-on, controlled through Active Directory

Step 1: Limit access

Level         | Scope                                                                                                                                                     | Access
Confidential  | Sensitive information: bank details, payroll data, passwords, large directories with names, addresses and phone numbers; also board reports, business plans and budgets | Significant scrutiny
Restricted    | Personal data, reserved reports and papers, ERP/CRM systems                                                                                                | Approved by data owners
Internal use  | Internal emails and communication                                                                                                                         | Employees and contractors
Public        | Intranet, public reports                                                                                                                                  |

Step 1: Tips

Keep all user credentials secure and centralised
Enforce strong, unique and often-changed passwords (current NIST SP 800-63B guidance favours length, breach screening and change on suspected compromise over forced periodic rotation)
Implement dual controls for key personal information
Closely restrict access for 3rd parties and monitor their activity
Audit all access to privileged accounts
Eliminate hard-coded credentials in scripts and applications
Secure logins and log sessions for forensic audit

6 Principles

Processed lawfully, fairly and transparently
Collected for specified, explicit and legitimate purposes
Adequate, relevant and limited to what is necessary
Accurate and, where necessary, kept up to date
Kept for no longer than is necessary
Processed in a manner that ensures appropriate security
...and the controller must be able to demonstrate compliance (accountability)

Principles

Accountability: being able to demonstrate best efforts to comply with the GDPR principles; a proactive approach to properly managing personal data and addressing privacy risks through a structured privacy management program

Proportionality: processing only if necessary for the attainment of the stated purpose

Principles

Personal data must be adequate, relevant and not excessive in relation to the purposes, for both the data processor and the controller; this requires using the least intrusive means of processing

When is processing lawful?

The data subject gives consent for one or more specific purposes
Processing is necessary to perform a contract entered into by the data subject
Processing is necessary to comply with a legal obligation of the controller
Processing is necessary to protect the vital interests of the data subject
Processing is necessary for tasks in the public interest or the exercise of official authority vested in the controller
Processing is necessary for the legitimate interests pursued by the controller, unless overridden by the data subject's interests and rights

Rights

To access data: request access to personal data to verify the lawfulness of processing
To rectify, and to be forgotten: erasure when the data is no longer necessary or consent is withdrawn
To restrict processing: limiting the data's use or transfer
To limit profiling: the right not to be subject to automated individual decision-making
To data portability: a common, machine-readable format, even transmitted directly between controllers
To object: to processing based on "public interest" or "legitimate interests" grounds, and to direct marketing

Discussion case

ABC contacted, via text message, a number of former employees of its subcontractor XYZ, which represents ABC in customer service. ABC wanted to recruit employees who had been terminated or had resigned at XYZ after XYZ chose to move its offices away from the city where ABC has its headquarters. The employees were contacted directly by text message from ABC, despite never having been employed by the group.

Discussion case

Has ABC complied with the GDPR by using contact information on the employees of a subcontractor in this context? Can personal information given in another context be used to offer terminated employees a job opportunity?

Discussion case

If ABC obtained the information on legitimate terms in relation to its cooperation with XYZ, can ABC use employee data and commitments that were submitted in a different context, or would that conflict with the GDPR rules?

Discussion case

How could ABC have used personal data given for other purposes and still be GDPR compliant? Let's discuss alternatives other than inviting the employees to a meeting where they could sign up.

Discussion case

Can a company contact former employees of a subcontractor directly when the company cooperates with and is in daily contact with those employees and thus holds their contact information? Let's discuss the overall GDPR principles: the company must ask the subcontractors and partners it cooperates with, since the daily management of those employees lies with the partners/subcontractors.

Difference between privacy notices and consents

Privacy notices: the data subject's right to be informed of fair processing; legal basis, type of information, 3rd-party recipients and retention period
Consents: a formal permission, given by the data subject, to process personal information

Step 2: Review consents. How should consents be given?

Opt-out: a genuine choice to withdraw at any time
Affirmative actions: silence, pre-ticked boxes and inactivity are inadequate
Plain language
Explicit purpose of processing
Scope and consequences
List of rights
Separated from other matters
Updated: reviewed when the use of data changes, or when the data controller (or its contact details) changes
Being able to demonstrate consent
Minors: parental authorisation for children below the age of 16 (member states may lower this to 13); reasonable means to verify parental consent

Step 2: Review consents. Valid ways of giving consent:

clicking an opt-in button or link online
signing a consent statement on paper
ticking an opt-in box on paper or electronically (no pre-ticked boxes)
responding to an email requesting consent
selecting from equally prominent yes/no options
choosing technical settings or preference dashboard settings

Step 2: Tips

Focus on 'explicit consent' for sensitive data and international transfers
Link the consents to the personal data inventory
Confirm that the consents are given freely, and are clear and transparent
Update the data subject rights
Audit how the consents are documented and retained
Audit whether opt-outs are processed on time

http://www.copenhagencompliance.com/news/issueXXXVI/Consent-the-GDPR-way-is-free-accurate-informed-and-unambiguous-approval-to-process-personal-data.php

Step 2: Review consents. Consent example

• Do you agree to the consent declaration below?

When submitting your information to [The Company] you accept and consent to the following:

Collection of Personal Data. [The Company] is an equal opportunity employer and makes all employment-related decisions entirely on merit and qualifications. Consequently, you should only include information relevant for the review of your application and not include information about your race or ethnic origin, religion or belief, political opinion or sexual orientation or your union memberships. Please do also not include your social security number.

Personal Information held by [The Company]. The personal information is held on an externally hosted database in the United States. Personal information is also held in manual form and on other computer systems. Personal information includes all information submitted by you.

Purposes for which Personal Information is used by [The Company]. Personal information about you may be held and processed by [The Company] for the purpose of recruitment.

Disclosures of Personal Information. Personal information will be disclosed only in the following circumstances:
• Personal information will be disclosed to the extent required for the purposes listed above to [The Company]'s affiliates worldwide, including affiliates located in countries outside of Europe.
• Personal information may be disclosed to public authorities and law enforcement agencies as permitted by law.

Security Measures. [The Company] ensures that adequate security measures to safeguard your information are in place throughout [The Company], its affiliates and vendors, and also ensures that adequate safeguards are in place to protect your personal information if it is subsequently transferred to other [The Company] entities or third parties.

Accurate Information and Deletion. [The Company] is committed to keeping data about you accurate and up to date. Therefore please advise [The Company] of relevant changes to your details. [The Company] will erase all information after 2 years.

Your rights. You may access the personal information held about you by or on behalf of [The Company] in order to review, edit, erase or to ascertain the purposes for which it is processed, subject to certain criteria being met. Please contact [The Company] HR for further information if you wish to obtain insight into your personal information.

Statistics. Your information may be used for anonymous statistics for internal purposes, in which case the information will be used collectively. All personal data will be anonymised.

Further information. For further information on [The Company]'s Disclaimer and Privacy Policy please visit: www.novonordisk.com/utils/disclaimer.html

Step 3: Prepare to deal with requests

1 month to comply with requests from data subjects; when many requests are received, this can be extended by a further 2 months. Flood of data requests post-GDPR? Handling requests is a key part of the implementation strategy.

Prepare a protocol, train caseworkers and test how it works. Have a tool to copy the isolated personal data in a standard format.

All information: electronic + on paper + archived data, in an understandable format.

Structured, common and machine-readable → CSV, HTML, PDF, MPEG/video, TIFF. Add reference tables when parameters and codes are used.

Format "in writing": letter, email, customer contact, social media → use a standard form.

Reasonable requests → free. Repetitive or unreasonable requests → fee based on administrative costs. Disproportionate or expensive requests (proven) → refuse.

Step 3: Tips

Before acting, check that data requests are accurate and fully completed, that any applicable fees are paid, and that the identity of the data requester (or representative) is validated.

Once checked, act promptly, in particular when third parties hold the personal data.

Refine the scope: offer to focus the search when the request is extremely wide and involves a large volume of data.

Centralise and prioritise requests according to complexity.

Use a document management system.
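The request-handling steps above (validate identity first, compute the one-month deadline and its two-month extension, then produce a machine-readable copy with reference tables for coded fields) as an added Python example. This is not code from the slides or from Copenhagen Compliance; the in-memory records, the code table, the one-time-token identity check and the sample data are all constructed for the example.

```python
"""Handling a data subject access / portability request.

Added example, not code from the slides. Assumptions (all constructed):
records live in an in-memory dict keyed by subject id, coded fields are
explained by CODE_TABLES, and the requester proves identity with a one-time
token sent out of band, of which only a SHA-256 digest is stored.
"""
import csv
import hashlib
import hmac
import io
import json
from datetime import date, timedelta

# Constructed sample records. "status" is an internal code, so the export
# must carry a reference table to be understandable.
RECORDS = {
    "S-1001": {"name": "A. Example", "email": "a@example.invalid",
               "status": "C2", "country": "BG"},
    "S-1002": {"name": "B. Example", "email": "b@example.invalid",
               "status": "C1", "country": "DK"},
}
CODE_TABLES = {"status": {"C1": "active customer", "C2": "former customer"}}

# Constructed identity store: only the digest of the one-time token is kept.
TOKEN_DIGESTS = {"S-1001": hashlib.sha256(b"tok-1001").hexdigest()}


def verify_requester(subject_id, token):
    """Validate the requester before any data is released (constant-time compare)."""
    expected = TOKEN_DIGESTS.get(subject_id)
    if expected is None:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    return hmac.compare_digest(expected, presented)


def add_months(d, months):
    """Calendar-month arithmetic that clamps to the last day of the month."""
    m = d.month - 1 + months
    y, m = d.year + m // 12, m % 12 + 1
    next_month_start = date(y + (m == 12), m % 12 + 1, 1)
    last_day = (next_month_start - timedelta(days=1)).day
    return date(y, m, min(d.day, last_day))


def response_deadline(received_iso, extended=False):
    """One month from receipt; a justified extension adds two more months."""
    received = date.fromisoformat(received_iso)
    return add_months(received, 3 if extended else 1).isoformat()


def export_subject_data(subject_id, fmt="json"):
    """Produce a structured, machine-readable copy with coded fields explained."""
    rec = RECORDS[subject_id]
    expanded = dict(rec)
    for field, table in CODE_TABLES.items():
        if field in rec:
            expanded[field + "_meaning"] = table.get(rec[field], "unknown code")
    if fmt == "json":
        payload = {"subject_id": subject_id, "data": expanded,
                   "reference_tables": CODE_TABLES}
        return json.dumps(payload, indent=2, sort_keys=True)
    if fmt == "csv":
        buf = io.StringIO()
        fields = ["subject_id"] + sorted(expanded)
        writer = csv.DictWriter(buf, fieldnames=fields)
        writer.writeheader()
        writer.writerow({"subject_id": subject_id, **expanded})
        return buf.getvalue()
    raise ValueError("unsupported format: " + fmt)


def handle_request(subject_id, token, received_iso, fmt="json", extended=False):
    """Check identity first, then compute the deadline and build the copy."""
    if not verify_requester(subject_id, token):
        return {"status": "rejected", "reason": "identity not validated"}
    if subject_id not in RECORDS:
        return {"status": "rejected", "reason": "no data held"}
    return {"status": "accepted",
            "deadline": response_deadline(received_iso, extended),
            "export": export_subject_data(subject_id, fmt)}


if __name__ == "__main__":
    print(handle_request("S-1001", "tok-1001", "2018-05-25")["export"])
```

The identity check runs before any lookup, so an unknown or wrong token cannot be used to probe which subject ids exist; the deadline uses calendar months (31 January plus one month clamps to the end of February) rather than a fixed 30 days.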

Step 4: Validate data transfers

Flows into the organisation
• Who inputs the personal information
• Collected personal data fields
• Storage location

Flows out (data transfer or display)
• Categories of recipients in EU or non-EU countries
• Security measures on the transfer (e.g. encryption standard)

How is personal data processed?

Collect, record, use, change, display, transmit, restrict, destroy; electronically or manually.

The GDPR covers personal information processed wholly or partly by automated means, and manual processing that forms part of a filing system.

… but, by whom?

Controller: who decides why the personal data is needed. A natural or legal person, including the government.

Processor: who processes the data on the controller's behalf: service providers, cloud services, outsourcing firms, e-commerce platforms.

Group discussion: Are you a data processor or a data controller?

… but, where?

In the EU: when personal data of individuals living in the EU (citizens or not) is processed.

Outside the EU: when personal data of individuals in the EU is processed by a non-EU company offering goods and services in the EU (whether or not payment is required).

Extra-territorial application

Views on privacy

Binding Corporate Rules: a contract between group companies to transfer information, covering:

specify the purposes of the transfer and the affected categories of data
reflect the requirements of the GDPR
confirm that the EU-based data exporters accept liability on behalf of the entire group
explain complaint procedures
provide mechanisms for ensuring compliance (e.g. audits)

Model (standard) contractual clauses pre-approved by the European Commission reduce the compliance burden: http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm

Although Bulgaria is listed as a member of the mutual recognition club for binding corporate rules, on 31 October 2013 the Bulgarian Commission for Personal Data Protection officially stated that it does not approve and does not recognise the use of binding corporate rules as valid grounds for transfer of personal data to third countries. https://clientsites.linklaters.com/Clients/dataprotected/Pages/Bulgaria.aspx

Group discussion

How would you link the dataflow map with the cross-border transfers?

Step 4: Review contracts

Parties: controller, processor, and data exporter (when the processing takes place outside the EU).

Review data processing agreements: clear responsibilities and use of sub-contractors.
Audits and certifications. There are "model clauses" for data exports.
Negotiate the cost of GDPR compliance in fees. Foresee dispute resolution and compensation clauses.

Data controller responsibilities
• be able to demonstrate compliance with the GDPR
• ensure that personal data is processed fairly and lawfully and in accordance with the principles of the GDPR, that the processing is carried out under a contract, and that the data processor processes only on clear and lawful instructions based on that contract
• exercise overall control: data protection by design and by default
• notify breaches

Data processor responsibilities
• process personal information on behalf of the data controller client
• act only on instructions from the data controller: comply with a clear standard and impose a confidentiality obligation on its employees dealing with the controller's information
• provide sufficient guarantees to demonstrate compliance in respect of the technical and organisational security measures governing the processing
• allow data controller audits of premises, systems, procedures, documents and staff
• delete or return data at the end of the contract

Step 5: How to notify a data breach?

Data breach: accidental or unlawful unauthorised disclosure of, or access to, personal data, or destruction, loss or alteration of personal data transmitted, stored or otherwise processed.

When to notify: not later than 72 hours after having become aware of it; any delay beyond that must be justified.

What to notify: type and approximate number of data records and data subjects compromised; DPO contact information; likely consequences and mitigation measures.

Whom to notify: the supervisory authority; and each data subject when the breach is likely to result in a high risk to their rights and freedoms (e.g. when the data was not encrypted).

Step 5: How to detect a data breach?

Indications of compromise:
notification from public authorities: the FBI knocks at the door
from users: "oops, I opened a funny attached file"
alerts from third parties: the hosting vendor informs you they had malware
continuous monitoring solutions: this server is transferring out a large amount of data

Incident response protocol: get the investigation team, investigate "when" the breach happened and the level of compromise.
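The "continuous monitoring" indicator above (a server transferring out far more data than usual) and the next step, establishing when the breach started and when the 72-hour notification clock began, as an added Python example. It is not code from the slides; the per-host hourly egress counts, the baseline window and the thresholds are constructed for the example.

```python
"""Spotting a bulk export from egress volume and starting the 72-hour clock.

Added example, not code from the slides. Assumes per-host hourly outbound
byte counts are available (e.g. from flow logs); the sample FLOWS, the
baseline window and the thresholds are all constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample: 20 quiet hours for two servers, then hr-db-01 pushes
# out 600-900 MB per hour (a bulk copy of a database leaving the network).
FLOWS = []
for h in range(20):
    ts = "2017-10-16T%02d:00" % h
    FLOWS.append((ts, "hr-db-01", 20_000_000 + (h % 3) * 1_000_000))
    FLOWS.append((ts, "web-01", 50_000_000 + (h % 2) * 5_000_000))
FLOWS += [("2017-10-16T20:00", "hr-db-01", 600_000_000),
          ("2017-10-16T21:00", "hr-db-01", 900_000_000),
          ("2017-10-16T22:00", "hr-db-01", 750_000_000),
          ("2017-10-16T20:00", "web-01", 55_000_000)]


def egress_by_host(flows):
    """Group (timestamp, bytes) per host, ordered by time."""
    per_host = defaultdict(list)
    for ts, host, nbytes in flows:
        per_host[host].append((ts, nbytes))
    for series in per_host.values():
        series.sort()
    return per_host


def detect_egress_anomalies(flows, window=12, z=4.0, min_ratio=5.0):
    """Flag hours whose egress is far above the host's trailing baseline.

    Both a z-score and a ratio test are required: the ratio guards against a
    perfectly flat baseline, where pstdev is 0 and any change looks extreme.
    """
    alerts = []
    for host, series in egress_by_host(flows).items():
        for i in range(window, len(series)):
            ts, nbytes = series[i]
            baseline = [b for _, b in series[i - window:i]]
            mu, sigma = mean(baseline), pstdev(baseline)
            if mu > 0 and nbytes > mu + z * sigma and nbytes > min_ratio * mu:
                alerts.append({"host": host, "ts": ts, "bytes": nbytes,
                               "ratio": round(nbytes / mu, 1)})
    return sorted(alerts, key=lambda a: a["ts"])


def breach_timeline(alerts, aware_at_iso):
    """Earliest anomalous hour (likely start), awareness time, 72 h deadline."""
    if not alerts:
        return None
    aware_at = datetime.fromisoformat(aware_at_iso)
    return {"first_indicator": alerts[0]["ts"],
            "hosts": sorted({a["host"] for a in alerts}),
            "aware_at": aware_at_iso,
            "notify_by": (aware_at + timedelta(hours=72)).isoformat(timespec="minutes")}


if __name__ == "__main__":
    found = detect_egress_anomalies(FLOWS)
    for a in found:
        print(a)
    print(breach_timeline(found, "2017-10-16T22:30"))
```

Note that the deadline is counted from the moment the organisation became aware (the alert being triaged), not from the first anomalous hour; the first indicator is still recorded because the investigation needs to know how long the export ran.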

Data breach scenario planning

Before:
• Managing IT risk and vulnerabilities
• How to improve breach prevention, detection and response
• What to expect in the future

After:
• What can we do to contain the damage
• How can we move on from this breach

http://ptac.ed.gov/sites/default/files/checklist_data_breach_response_092012.pdf

Step 5: Data security program

Security measures
Ongoing review (e.g. access audits)
Importance of two-factor authentication, ISO 27001, compartmentalisation and firewalls
Patching against malware and ransomware

Encryption of personal data
A key element of the GDPR standard
Not always feasible: depends on costs and risks, and on the impact on performance
Encryption of stored data (e.g. hard disk) and data in transit (e.g. calls)

Resilience
Restore data availability and access in case of a breach
Redundancy and backup facilities
Incident response plan

Regular security testing
Assessment of the effectiveness of security practices and solutions
Penetration, network and application security testing

Step 5: Discussion case

C - Maintain

What training is needed? How can I detect and mitigate new privacy risks? Which people should be consulted on privacy risks? How do I audit GDPR compliance? Do I need a certification?

Step 1: Train your people

Employees from the top to the bottom. Clear message: there are disciplinary actions for mishandling personal information. Face to face or online? How often? Security and/or fraud risks?

Privacy awareness campaigns: promote the privacy culture.

Explain how to deal with personal data for specific purposes and how employees can detect and prevent a data breach. Be relevant to each target audience: how the GDPR changed privacy practices for each group. Avoid the legal terms of the GDPR and allow questions. Discuss real-life cases: I lost a memory stick, I sent an email to the wrong person, my laptop was stolen, I received a call from the "insurance company" asking for an HR database (phishing), I received a "Google" request to install an app (virus prevention).

Both electronic and on paper.

http://www.eugdpr.institute/wp-content/uploads/2017/10/GDPR-Staff-Awareness-Introduction.pdf

Step 1: Discussion case

How could you develop training for this risk?

How could you document your training efforts?

Step 2: Privacy Impact Assessment

Process to identify, analyse, evaluate, consult, communicate and plan the treatment of potential privacy impacts with regard to the processing of personal information (ISO 29134:2017 Guidelines for PIA) → goal: avoid a data breach.

Framed within the general risk management framework of the organisation.

Mandatory for the data controller, in order to identify required control measures early.

Only for new and high-risk activities or projects processing personal data:

large-scale processing of sensitive data, e.g. healthcare providers and insurance companies
extensive profiling, e.g. financial institutions with automated loan approvals, e-recruiting, online marketing companies, and search engines with targeted marketing facilities
monitoring of public places, e.g. local authorities, CCTV in all public areas, leisure industry operators

One PIA for each type of processing.

1 – Identify the need

Early, before new projects or revisions of existing processes, for example when considering: a new system to store personal data; a change in the use of already collected personal data; a new video surveillance system; a new database consolidating tables with personal information from other systems; a new algorithm to profile a particular type of client; a proposal to share personal data with a business partner; the impact of new legislation.

Existing processes → recommended initial assessment. Doubts about whether one is needed → consult the Supervisory Authority.

2 – Identify the flows

Process map: start from the process or project documentation.
Identify personal information in the process map.
Consult with experts on how personal information is collected, transferred, used and stored, for existing and future purposes.

3 – Consult on risks and controls

Consult all involved parties to get a 360º view; link risks to owners.
Include current controls in the process map.
Assess the impact and frequency in a heat map (recommended), using the risk assessment approach of ISO 27001 (under ISO 29100).
Impact: fines, business continuity costs, loss of clients, reputational damage.

People to consult

Internal: data protection officer (usually leading the PIA), project management leaders and developers, CIO, CISO and other IT experts, compliance officer, legal department, internal audit executive, risk management officer, future or current users, senior managers.

External: potential data processors and vendors, experts.

[Figure: Inventory and Scope]

Tips for risk identification

GDPR rights: access, rectification, restriction, portability, objection, profiling limitation
Other factors: contractual obligations, code of conduct, privacy policy, known vulnerabilities
Lifecycle: collect, store, use, transfer, destroy
Consequences and impact: quantitative and qualitative, most probable scenario
Causes and frequency: probability of occurrence in a defined time horizon, previous breaches

Generic risks and controls

| Objective | Risk | Lifecycle | Component | Controls |
|---|---|---|---|---|
| Availability | Loss, theft or unauthorised removal; loss of access rights | Processing, transfer | Data, systems, processes | Redundancy, protection, repair and backups |
| Integrity | Unauthorised modification | Processing, transfer | Data | Compare hash values |
| Integrity | Unauthorised modification | Processing, transfer | Systems | Limit access, access review |
| Confidentiality | Unauthorised access | Storage | Data, systems | Encryption |
| Confidentiality | Unauthorised access | Storage | Processes | Rights and roles, training, audits |
| Ensuring unlinkability | Unauthorised or inappropriate linking | Processing | Data | Anonymity, pseudonymity |
| Ensuring unlinkability | Unauthorised or inappropriate linking | Processing | Systems | Separation of stored data |
| Compliance | Excessive or unauthorised collection | Collection | Data | Purpose verification, opt-out, data minimisation, PIAs |
| Compliance | Processing, sharing or re-purposing without consent | Processing | Data | Review of consents, logs, workflow for consent withdrawals |
| Compliance | Excessive retention | Storage | Data | Data retention policy |

Example of risk registry

Event: Customer personal information breached
Root cause: failures to design privacy into CMS applications; espionage; lack of maturity in the privacy program
Consequences: loss of clients, GDPR enforcement, business interruption, requests to delete data, loss of commercial opportunities
Impact: High (100 M EUR)
Probability: Medium (15% in 3 years)
Treatment: insurance policy, training, security scanning, MS integrations project
Monitoring: action plan progress
Owner and due date: Noah Nilsen, Mkt Director, Q3 2017

Let's play… add controls to risks

Over-collection of personal data → assign a data owner, inventory
Incorrect or outdated personal data → validation campaigns, data audits, interface controls
Unauthorised use or export by users → minimum access, training
Unauthorised use or export by third parties → liability clauses, security requirements
Missing consents / data subjects unaware of uses → compulsory consent notices, process review
Data subjects cannot access or rectify their information → protocol for requests, online forms
Fragmented systems cannot retrieve or update all the data → updated inventory
Personal data is hacked → network activity monitoring, firewall
Personal data is kept longer than intended → automated deletion processes when data is flagged for deletion
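The last control above (automated deletion once data is flagged), together with the consent-withdrawal workflow and logs listed under "Generic risks and controls", as an added Python example. This is not code from the slides; the retention periods (two years for recruitment data, echoing the consent example earlier in the deck), the sample records and the legal-hold flag are constructed for the example.

```python
"""Retention enforcement with consent-withdrawal handling and a deletion log.

Added example, not code from the slides. Assumes every record carries the
purpose it was collected for, its collection date and its consent status;
the retention periods, the sample records and the legal-hold flag are
constructed for the example.
"""
import copy
from datetime import date, timedelta

# Constructed retention policy, in days per purpose.
RETENTION_DAYS = {"recruitment": 2 * 365, "newsletter": 3 * 365}

# Constructed sample records. R5 has a purpose with no retention rule, which
# must surface for review rather than silently live forever.
SAMPLE_RECORDS = [
    {"id": "R1", "purpose": "recruitment", "collected": "2015-09-01", "consent": "given"},
    {"id": "R2", "purpose": "recruitment", "collected": "2017-06-01", "consent": "given"},
    {"id": "R3", "purpose": "newsletter", "collected": "2016-01-10", "consent": "given"},
    {"id": "R4", "purpose": "newsletter", "collected": "2017-01-10", "consent": "given"},
    {"id": "R5", "purpose": "marketing", "collected": "2017-01-10", "consent": "given"},
]


def withdraw_consent(records, record_id, when_iso, log):
    """Consent-withdrawal workflow step: mark the record and log when."""
    for rec in records:
        if rec["id"] == record_id:
            rec["consent"] = "withdrawn"
            rec["consent_withdrawn_on"] = when_iso
            log.append({"event": "consent_withdrawn", "id": record_id, "when": when_iso})
            return True
    return False


def flag_for_deletion(records, today_iso):
    """Decide, per record, whether it must go and why; returns (flagged, review)."""
    today = date.fromisoformat(today_iso)
    flagged, review = [], []
    for rec in records:
        reason = None
        if rec.get("consent") == "withdrawn":
            reason = "consent withdrawn"
        elif rec["purpose"] not in RETENTION_DAYS:
            review.append(rec["id"])  # no policy for this purpose: escalate, do not guess
        else:
            keep_for = timedelta(days=RETENTION_DAYS[rec["purpose"]])
            if date.fromisoformat(rec["collected"]) + keep_for <= today:
                reason = "retention expired"
        rec["delete_reason"] = reason
        if reason:
            flagged.append(rec["id"])
    return flagged, review


def purge(records, today_iso, log):
    """Delete flagged records unless under legal hold; log every deletion."""
    kept = []
    for rec in records:
        if rec.get("delete_reason") and not rec.get("legal_hold"):
            log.append({"event": "deleted", "id": rec["id"],
                        "reason": rec["delete_reason"], "when": today_iso})
        else:
            kept.append(rec)
    return kept


def run_retention_sweep(records, today_iso, withdrawals=(), holds=()):
    """Full sweep on a copy of the records; returns what happened and the log."""
    recs = copy.deepcopy(records)
    log = []
    for rid in withdrawals:
        withdraw_consent(recs, rid, today_iso, log)
    for rec in recs:
        rec["legal_hold"] = rec["id"] in holds
    flagged, review = flag_for_deletion(recs, today_iso)
    remaining = purge(recs, today_iso, log)
    return {"flagged": flagged, "review": review,
            "remaining": [r["id"] for r in remaining], "log": log}


if __name__ == "__main__":
    print(run_retention_sweep(SAMPLE_RECORDS, "2017-10-18", withdrawals=["R3"]))
```

Records whose purpose has no retention rule are reported for review instead of being kept or deleted by default, and a legal hold overrides the deletion flag, so the log shows both what was removed and why something flagged was retained.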

4 – Identify new measures

Prioritise according to the tolerance for privacy risks and link to the data classification policy; risks can be accepted.
Devise solutions such as new controls and technologies according to the cost/benefit for the risk.
Create an action plan and have the document signed off by the manager in charge of the type of information involved.

5 – Follow-up

Communicate to stakeholders, bottom-up and top-down.
Advance with the action plans and document the implementation measures.
Regular post-implementation reviews to assess whether risks are mitigated and to ensure that the solutions identified have been adopted.

Toolbox

Data Protection Impact Assessment template by the GDPR Institute. Please ask us if you need further templates for additional policies.

Privacy by design and by default

By design
Privacy and data protection must be a key consideration in the early stages of any project and then throughout its lifecycle.
Proactively control adherence to GDPR principles when designing new products, services or business processes.
Appropriate technical and organisational measures.
Design compliant policies, procedures and systems.

By default
The protection of personal data must be a default property of systems and services.
The strictest privacy settings must be applied automatically once a customer acquires a new product or service.
Personal information must by default only be kept for the amount of time necessary to provide the product or service.

Group discussion: What do privacy by default and by design mean to you?

Step 3: Audit compliance

Ensure that data protection processes and procedures are being adhered to
Implement management reviews
Simulate incidents (e.g. a data breach) to audit protocols
Independent testing and quality assurance
Formalise non-compliance and remediation
Escalate concerns and risks
Identify compliance metrics and trends

Process KPI examples

| Process | KPI example |
|---|---|
| Training | % of staff (or hours) trained on privacy policies (participated/passed, type of program, levels) |
| Incidents | # of privacy incidents (by system, location, repeated or new); # reported data breaches |
| Audits | # non-conformities; # action plans on-going (and past due) |
| Consents | % consents obtained |
| Access control | % of credentials validated |
| Compliance | # requests; # complaints; # new projects with a PIA |

Step 4: Code of conduct & certification

A platform for data controllers, processors and stakeholders to ensure a structured and efficient means of GDPR compliance.

Establishing and maintaining compliance with a code of conduct, or earning certification status, carries significant administrative and documentation burdens; these costs can be offset by reduced audit costs and by automation.

Certification can serve as a marketing tool: it signals GDPR compliance and allows data subjects to choose controllers accordingly.

It plays a significant role in facilitating cross-border data transfers.

Certification mechanisms can create business opportunities for new third-party administrators and programs, as an effective means of determining binding promises by controllers and processors.

National Supervisory Authorities

Competent in their own Member State
Single contact point: one-stop-shop
Contribute to the consistent application of the GDPR
Powers exercised impartially, fairly and within a reasonable time
Able to impose a limitation (or ban) on data processing
Power to conduct investigations

Bulgarian data protection authority: www.cpdp.bg

In general: GDPR compliance

• The legal basis of IT and cyber security compliance
• How is data collected, used, abused or misused?
• Use data exactly for the purpose for which it was collected
• Consent from data subjects for secondary processing
• Review change processes in the processing of personal data
• Address violations, and remedies for correction
• Regular reviews of data flow mapping, audits and risk assessments to ensure the legal basis has not changed

• GDPR is not privacy by choice: follow the personal data!
• It does not give the individual full control over the data
• The reform simplifies, but also adds, compliance complexity
• The code-of-conduct and certification mechanism provides a platform for data controllers and processors to ensure structured and efficient means of compliance

• https://www.linkedin.com/pulse/how-challenge-compliance-issues-while-implementing-porbunderwalla

Roadmap

Key definitions; clarify the bands of penalties and the range of awards for breaches; review the timeline to reflect the application of the GDPR; role of the DPO (data protection officer); six data protection principles, lawfulness and consent; define sensitive data; rights of data subjects (a number of national deviations); controllers and processors; data protection by design; securing personal data; procedure for reporting data breaches; transferring personal data outside the EU; how to perform a DPIA (data protection impact assessment); powers of supervisory authorities; lead supervisory authority; role of the EDPB (European Data Protection Board); importance of certifications.

The GDPR Law

General provisions: Chapter 1 (Art. 1 – 4)
Principles: Chapter 2 (Art. 5 – 11)
Data subject rights: Chapter 3 (Art. 12 – 23)
Controller and processor: Chapter 4 (Art. 24 – 43)
Transfers: Chapter 5 (Art. 44 – 50)
Supervisory authorities: Chapter 6 (Art. 51 – 59)
Cooperation and consistency: Chapter 7 (Art. 60 – 76)
Remedies, liability & penalties: Chapter 8 (Art. 77 – 84)
Specific processing situations: Chapter 9 (Art. 85 – 91)
Delegated acts and final provisions: Chapters 10/11 (Art. 92 – 99)

Direct obligation; meta rule: https://gdpr-info.eu

52 articles leave room for national legislation

Most GDPR rules already apply today under existing data protection law, with a 'low' level of fines

Bulgaria: as is or to be

• CPDP – the Bulgarian Data Protection Authority
– The only public authority whose main task is to ensure privacy and personal data protection in Bulgaria.
– An office of over 80 people; the main activities are adequate prevention and effective control.
– The CPDP will host an international conference of data protection authorities in 2018 within the framework of the Bulgarian Presidency.
– https://www.cpdp.bg/en/index.php?p=news_view&aid=756

Summary

Objectives: a bit extra on top, or an overhaul of IT platforms, processes & data protection?

[Figure: GDPR Compliance Framework. Change Management; Implementation; Controls & Policies; Gaps and Risk Assessment. Duties, Rights, Disclosure, Inform, Security, Guarantees, Assessment, Enforcement. Project Scope: Territorial and Material. Compliance.]

Have you received?

Copenhagen Compliance

Copenhagen Compliance® is the global Governance, Risk Management, Compliance and IT Security (GRC) think tank. As a privately held professional services firm, its mission is the advancement of the corporate ability to govern across borders, sectors, geographies and constituencies. The primary aim is to help companies and individuals achieve integrated GRC management that unlocks the company's ethics, culture and value by linking GRC issues to IT security and automation through templates, roadmaps and frameworks.

Copenhagen Compliance provides a global end-to-end GRC platform, with comprehensive and proven advisory based on giving priority to transparency, accountability and oversight issues. Our focus is on GRC Intelligence, Internal Controls, Audit, CSR, Compliance & Policy Management, IT-GRC, Sustainability Management, Bribery, Fraud and Corruption (BFC), and IT and Cyber Security issues.

Copenhagen Compliance® has dedicated resources for consultancy and research in Good Governance, Risk Management and Compliance issues involving corporations, universities, business schools and GRC organisations on four continents. [email protected]

Certification exam

• 18th October 2017 Exam link
• http://www.eugdpr.institute/gdpr-fas/

Useful GDPR links

• https://www.privacyshield.gov/article?id=Privacy-Policy-FAQs-1-5
• GDPR Official Text (English, pdf): http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
• EU GDPR Home Page: http://ec.europa.eu/justice/data-protection/
• Working Party 29 Guidance, WP29 Home Page: http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083
• Guidelines on "Right to Portability" (pdf): http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp242_en_40852.pdf
• Guidelines on Data Protection Officers (pdf): http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf
• Guidelines for identifying a controller or processor's lead supervisory authority (pdf): http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp244_en_40857.pdf
• Bulgarian data protection authority: www.cpdp.bg
• UK ICO – 12 Steps to take now (pdf): https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
• EUGDPR INSTITUTE: http://www.eugdpr.institute/faq/ and http://www.eugdpr.institute/gdpr-thought-leadership/

The IP and copyright© of this presentation belongs to Copenhagen Compliance®. None of this presentation, either in part or in whole, in any manner or form, may be copied, reproduced, transmitted, modified or distributed or used by other means without explicit permission from Copenhagen Compliance®. Carrying out any unauthorized act in relation to this copyright notice may result in both a civil claim for damages and criminal prosecution.

[email protected]

As ever, always have your legal advisors review and advise on any contractual obligation. EUGDPR Institute is neither a Law Firm nor are we licensed to provide legal advice.

Copyright notice