Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017

Best Practices to Create a Data Inventory & Meet GDPR Compliance
January 24, 2017
Today’s Speakers
RAY EVERETT
Principal Consultant (US), TRUSTe
VERONIKA TONRY
President, Privacy Know How, former Global Privacy Manager at Chevron and Applied Materials
GUY SEREFF
Corporate Counsel, Level 3 Communications
Today’s Agenda
• Welcome & Introductions
• Getting Started
• Executing
• Next Steps
• Q&A
Getting Started: Scoping, Resourcing, Organizational Buy-In
Guy Sereff, Corporate Counsel, Level 3 Communications
Scoping the Data Inventory Project
• Determine the organization’s objectives
– Compliance with specific frameworks?
– Developing a new Privacy Program?
– Refreshing an existing Privacy Program?
• Identify logical business units
Resourcing the Data Inventory Project
• Identify roles and responsibilities BEFORE any work begins
– Project Manager
– Business Unit Leads
– Subject Matter Experts
• Set realistic expectations for the level of effort required to complete the project
Organizational Buy-In
• Data Inventories can be used throughout the organization
– Legal and regulatory compliance
– Identification of application and storage redundancies
– Guide for developing an information security framework
– Introduction or reinforcement of the Privacy by Design concept for application lifecycles
– Identification of new data types and uses
• Compliance with GDPR is going to be difficult without a current Data Inventory
– Privacy Impact Assessment requirements
– Demonstrable compliance
– Required data processing registries
– Compliance requirements for wholly automated decision making
– Data subject rights
Execution: Discovery, Documentation, and Analysis
Veronika Tonry, President, Privacy Know How
The key to a successful GDPR implementation
Best Practices
• Adapt the discovery to your company culture
• Intake Process
– Do your homework before you interview the organization
– Be clear around expectations and define the terminology
– Have examples of processes ready
– Develop a methodology to execute efficiently
• Document to identify risks and make decisions
– Identify high risk processing and evaluate impact
– Classify your data: individual information elements + combined data sets
– Develop action plans from the analysis and findings
Next Steps: Turn Findings into Action, Keeping a “Living” Inventory
Ray Everett, Principal Consultant, TRUSTe
Translating the Data Inventory into Action
• Inventory should point to many action items
– High risk data elements
– Data repositories that need monitoring, controls, policies
– Access and External Transfers that need monitoring, controls, policies
– Vendors/Partners requiring contractual language, reviews/audits, controls
• Maps should point to processes that need regular scrutiny
– Gaps in controls, policies
– Processes that need new/periodic PIAs
– Maps should identify vendors who need periodic audits
• Inventory and Maps should also
– Support the case for resourcing
– Identify your Privacy Committee members
“Map Your Team, Team Up on Mapping”
• “Institutionalize” your Map with a Privacy Committee
– People ignore documents; they can’t (always) ignore a recurring meeting
– Privacy Committee agenda driven by action items, PIA reviews and Data Inventory updates
• Inventory Drives Initial & Recurring Actions
– Define and build support for action items
– Review progress and results with the Privacy Committee
• Integrate Data Map updates into PIA for products/services/vendors
– “Bottom-up” updates
– Changes to flows may ripple across the organization in unexpected ways
• Define a Cadence for Review/Refreshment
– “Top-down” updates
– Keep all stakeholders informed of strategic changes and impacts to their business units
Questions?
Contacts
For more information on Data Inventory examples, schedule a consultation:
https://www.truste.com/business-products/privacy-consulting/data-inventory-and-classification/contact-us/
Ray Everett [email protected]
Veronika Tonry [email protected]
Guy Sereff [email protected]
Register now for the next webinar in our 2017 Winter/Spring Webinar Series on February 23: “Privacy Shield Self-Certification – What’s Next?”
See http://www.truste.com/insightseries for the 2017 Privacy Insight Series and past webinar recordings.
Thank You!