Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017

Best Practices to Create a Data Inventory and Meet GDPR Compliance [Webinar Slides]


Best Practices to Create a Data Inventory & Meet GDPR Compliance

January 24, 2017

Today’s Speakers

RAY EVERETT, Principal Consultant (US), TRUSTe

VERONIKA TONRY, President, Privacy Know How; former Global Privacy Manager at Chevron and Applied Materials

GUY SEREFF, Corporate Counsel, Level 3 Communications

Today’s Agenda

• Welcome & Introductions

• Getting Started

• Executing

• Next Steps

• Q&A

Getting Started: Scoping, Resourcing, Organizational Buy-In

Guy Sereff, Corporate Counsel, Level 3 Communications

Scoping the Data Inventory Project

• Determine the organization’s objectives

– Compliance with specific frameworks?

– Developing a new Privacy Program?

– Refreshing an existing Privacy Program?

• Identify logical business units

Resourcing the Data Inventory Project

• Identify roles and responsibilities BEFORE any work begins

– Project Manager

– Business Unit Leads

– Subject Matter Experts

• Set realistic expectations for the level of effort required to complete the project

Organizational Buy-In

• Data Inventories can be used throughout the organization

– Legal and regulatory compliance

– Identification of application and storage redundancies

– Guide for developing an information security framework

– Introduction or reinforcement of the Privacy by Design concept for application lifecycles

– Identification of new data types and uses

• Compliance with GDPR is going to be difficult without a current Data Inventory

– Privacy Impact Assessment requirements

– Demonstrable compliance

– Required data processing registries

– Compliance requirements for wholly automated decision making

– Data subject rights

Execution: Discovery, Documentation, and Analysis

Veronika Tonry, President, Privacy Know How

The key to a successful GDPR implementation

Best Practices

• Adapt the discovery to your company culture

• Intake Process

– Do your homework before you interview the organization

– Be clear around expectations and define the terminology

– Have examples of processes ready

– Develop a methodology to execute efficiently

• Document to identify risks and make decisions

– Identify high risk processing and evaluate impact

– Classify your data: individual information elements + combined data sets

– Develop action plans from the analysis and findings

Next Steps: Turn Findings into Action, Keeping a “Living” Inventory

Ray Everett, Principal Consultant, TRUSTe

Translating the Data Inventory into Action

• Inventory should point to many action items

– High risk data elements

– Data repositories that need monitoring, controls, policies

– Access and External Transfers that need monitoring, controls, policies

– Vendors/Partners requiring contractual language, reviews/audits, controls

• Maps should point to processes that need regular scrutiny

– Gaps in controls, policies

– Processes that need new/periodic PIAs

– Maps should identify vendors who need periodic audits

• Inventory and Maps should also

– Support the case for resourcing

– Identify your Privacy Committee members

“Map Your Team, Team Up on Mapping”

• “Institutionalize” your Map with a Privacy Committee

– People ignore documents; they can’t (always) ignore a recurring meeting

– Privacy Committee agenda driven by action items, PIA reviews and Data Inventory updates

• Inventory Drives Initial & Recurring Actions

– Define and build support for action items

– Review progress and results with the Privacy Committee

• Integrate Data Map updates into PIA for products/services/vendors

– “Bottom-up” updates

– Changes to flows may ripple across the organization in unexpected ways

• Define a Cadence for Review/Refreshment

– “Top-down” updates

– Keep all stakeholders informed of strategic changes and impacts to their business units

Questions?

Contacts

For more information on Data Inventory examples, schedule a consultation:

https://www.truste.com/business-products/privacy-consulting/data-inventory-and-classification/contact-us/

Ray Everett [email protected]

Veronika Tonry [email protected]

Guy Sereff [email protected]

Register now for the next webinar in our 2017 Winter/Spring Webinar Series on February 23: “Privacy Shield Self-Certification – What’s Next?”

See http://www.truste.com/insightseries for the 2017 Privacy Insight Series and past webinar recordings.

Thank You!