How to Build a GDPR Implementation Plan

00:00

Tord on the right of your screen you can

00:03

use that to ask questions throughout the

00:05

webinar just drop them into the question

00:07

section of the dashboard

00:10

our presentation today should run a

00:12

roughly about thirty minutes and we'll

00:13

follow that up with a 15 minute Q&A if

00:16

you have specific questions about your

00:18

your DDP our plans will also be happy to

00:21

take those conversations offline as well

00:24

okay so before we get started I would

00:28

like to introduce our panelists for this

00:30

afternoon our first time is today is

00:33

Eric Dietrich Eric is built focal points

00:36

data privacy practice from the ground up

00:38

and today runs the practice nationally

00:40

is one of the earliest voices providing

00:43

thought leadership on the gdpr

00:44

transition helping many Fortune 500

00:47

companies build GDP our transition plans

00:49

shortly after its passage is a frequent

00:52

speaker at industry conferences and

00:54

events across the country asking the

00:56

biggest profit that the biggest topics

00:59

in privacy today of course including GDP

01:02

are also on the panel today is Francesca

01:05

Sanabria Francesca or Fran leads many a

01:09

focal points largest GDP our projects

01:12

and is a respected speaker and innovator

01:14

in international data privacy

01:16

regulations as a principal in the

01:18

privacy practices especially developed

01:21

in implemented privacy programs for many

01:23

a focal point societies clients she is

01:25

also the ia PP knowledge net chairperson

01:28

in South Florida and regularly presents

01:31

at privacy and security conferences

01:33

around the country and our third

01:36

panelist is Katherine kill Katherine is

01:39

a gdpr specialist at focal point and as

01:41

being closely tracking GDP our since its

01:44

passage she brings a unique perspective

01:46

to our privacy team having previously

01:50

served as attorney investigator at the

01:52

US Department of Health and Human

01:54

Services office for civil rights

01:56

she holds a JD and is a fellow in

01:59

information privacy holding both C IPP

02:01

and CIPM designations so I'd like to

02:05

thank all three for speaking with us

02:07

today so I know we had some folks on

02:10

there first focal point webinar today so

02:13

I'd like to very briefly introduce who

02:16

we are and where we came from the focal

02:20

point

02:21

was founded in 2005 as a technology

02:24

focus risk management firm we have a

02:27

little over 400 full-time employees

02:29

working in 17 offices across the United

02:31

States in Canada and today with the

02:34

largest pure-play data risk firm in the

02:36

United States we're agnostic to any

02:39

industry and work with companies from

02:41

tech startups to some of the world's

02:43

largest global organizations we're

02:46

focusing primarily on cybersecurity data

02:48

privacy identity governance and data

02:52

analytics but as you can see on the

02:54

right of your screen there that's our

02:56

full range of service offerings and we

02:59

feel privileged to have the opportunity

03:01

to speak with you today and hope you get

03:03

some insights here that help you put

03:05

together a gdpr plan the works for your

03:07

organization so just again for those

03:10

late join us just a quick reminder to

03:12

drop your questions into the questions

03:14

section of your GoToWebinar dashboard

03:16

and our panelists will answer as many

03:19

questions as we can in order to receive

03:21

them during the Q&A portion at the

03:23

webinar at the end so I think with that

03:26

I'll turn over to Eric who can walk us

03:29

through today's agenda

03:30

Eric Thank You Lee appreciate everyone

03:34

joining today so just a quick

03:38

introduction to the topics we'll be

03:39

talking about through our presentation

03:41

and then as we mentioned we'll also be

03:43

opening up for a Q&A session at the end

03:47

and hopefully leaving plenty of time for

03:49

questions so just three key points that

03:52

we wanted to cover just spend a few

03:53

minutes on the current GDP our landscape

03:55

through the lens of our clients and

03:58

through other relationships we have

04:00

across the industry across industries we

04:03

want to highlight some of the common

04:05

pitfalls we see when designing a gdpr

04:09

implementation plan and working towards

04:11

implementing enhancements throughout

04:14

your organization's to further align

04:16

with the requirements of the gdpr

04:18

and then talk a little bit about some

04:22

some methods that could be leveraged for

04:25

building and communication of those

04:27

implementation plans throughout your

04:29

organization as we know a common theme

04:31

here today will be the cross function

04:33

cross-functional nature

04:35

of the gdpr and in the implications it

04:38

has across many departments so as we

04:42

jump into the activities here we just

04:45

wanted to give a snapshot of kind of

04:47

where we're at today with just under ten

04:50

months to go we see a few common themes

04:53

and transforming through our experiences

04:58

we've been fortunate enough to be

05:00

involved with with quite large and even

05:02

small GDP our projects for over a year

05:05

now very much starting almost

05:08

immediately after the passage of the

05:10

regulation and have had great insight

05:14

into to some of the challenges some of

05:17

the strategies organizations are using

05:19

for implementing various enhancements

05:22

across the organization want to share

05:23

some of those with you today for the

05:25

first one would be around strategy so

05:28

anytime we talk about regulations and

05:31

end or compliance and we think about a

05:33

risk-based approach we somewhat get a

05:38

little nervous as we know as a

05:40

regulation we need to comply with all

05:42

that we need to ensure we're aligned

05:44

with all those details but as we

05:47

continue to hear from from a lot of

05:49

organizations out there achievement or

05:52

alignment of a hundred percent is

05:54

probably not at the practical approach

05:56

we should strive for that hundred

05:59

percent but but some of the those

06:02

details and elements might come past

06:05

that may 25th deadline so I'm trying to

06:11

design a strategy that's taking a

06:13

risk-based approach that's going to

06:16

limit our exposure to the best that we

06:17

can is a practical approach that we see

06:21

being implemented quite often with a

06:24

strategy being developed to to address

06:28

those those higher risk processes higher

06:30

risk systems making sure we know who are

06:33

a processor and some processors are and

06:35

so forth them but but that strategy is

06:37

is really you know evolved to that

06:40

risk-based approach what we'll talk a

06:41

little bit more about some of those

06:42

elements later on and the focus if we if

06:46

we if we play the

06:48

we went back in time a little bit and we

06:50

looked at the focus of GDP our readiness

06:54

six 12 months ago it was very much in

06:57

the heavy heavier readiness phase I'm

07:00

really trying to understand how we align

07:03

with each requirement each article and

07:06

and so forth and spending quite a good

07:10

amount of time understanding that the

07:12

processing activities that we do with

07:14

personal data both on the employee

07:16

customer consumer or client side

07:19

whatever might be involved there but now

07:21

we definitely see a shift for okay

07:24

what's draw that line din assent with

07:27

our readiness and let's really focus in

07:29

on the implementation aspect and really

07:32

work on defining those baseline

07:34

standards let's make sure we have

07:35

workflows processes and technology to

07:37

support those privacy operations that we

07:40

need to have in place by May 25th so so

07:43

definitely something we've seen a

07:44

continuous shift and especially over

07:47

over this last quarter here we see that

07:50

pendulum is shifting much more into the

07:52

implementation side rather than the

07:54

readiness but but there's still some

07:56

readiness activities going on there so

07:58

so if you haven't done anything yet you

08:00

know we would say a little bit behind

08:02

the curve but but not too late to catch

08:04

up as of yet so so two challenges we

08:07

want to highlight and these will be

08:09

somewhat of themes through throughout

08:11

our presentation here and discussion

08:13

will be around the challenges that we

08:15

continue to see one being around the

08:18

kind of the interpretations the

08:21

inconsistent interpretations or just a

08:23

room for interpretation around the

08:25

various articles how they should be

08:27

apply for organizations and all the

08:31

different scenarios that could play out

08:32

around the different use cases on how

08:35

you're collecting processing storing and

08:37

potentially transmitting those personal

08:40

data but but we do see that that tide

08:44

shifting a little bit and we do see a

08:46

little bit more of alignment on a lot of

08:49

those areas around right to erasure data

08:52

portability some areas that they had a

08:54

lot a lot of gray and then determination

08:57

we seem to be narrowing in on a little

09:01

bit

09:02

and clear direction to take part there

09:04

any other major challenge what we see

09:06

and what we'll talk like I said we'll

09:08

talk about this one more is the lack of

09:10

prioritization and ownership of those

09:13

activities and and it's really due to

09:16

the cross-functional nature which always

09:19

makes it challenging especially for a

09:21

large international global organizations

09:25

creating these these cross-functional

09:27

teams to manage and drive home and

09:30

deliver certain deliverables tasks

09:33

workflow design and so forth is a

09:36

challenging challenging area so we often

09:38

see a lot of activities going into the

09:41

readiness we see some some plans being

09:44

designed but then we also we see a lot

09:47

of time being taken on who's going to

09:49

own this who's going to do it who has

09:51

time when we're going to leverage

09:53

external work we do internal so this

09:55

prioritization often is starting to

09:57

absorb a good amount of time so you know

10:00

there's certain things that hopefully

10:02

will highlight today as we have

10:04

continued our discussion that will help

10:07

alleviate and maybe manage some of those

10:09

risk as well so just jumping into the

10:14

what we're going to call pitfall number

10:16

one and this would be around the

10:18

definition of personal data as mo CEO or

10:22

probably familiar now that the

10:24

definition has changed under the gdpr

10:26

and it has become much broader a little

10:30

bit murkier that can be interpreted in

10:32

many different ways that makes this this

10:37

very complex when especially when when

10:40

you're dealing with more the the

10:42

technical teams dealing with more of the

10:44

operational teams that just want to know

10:46

where do those data elements that

10:48

constitute personal data and while I

10:51

think there will be this shift away from

10:54

from the term PII

10:55

that we were all so accustomed to under

10:57

current and the current privacy

11:02

landscape globally right now and moving

11:05

more to a broader term like personal

11:07

data it's going to create challenges for

11:09

organizations organizations always like

11:11

to say hey here the 1520 data elements

11:14

that rip

11:15

present was PII so let's just make sure

11:18

we're applying our controls our

11:20

safeguards and we're managing our data

11:25

subject rights accordingly for those

11:27

those those data elements it's a much

11:29

easier test and then where we're at

11:31

today with a much broader view of

11:33

personal data so so we just wanted to

11:35

highlight that understanding how broad

11:38

personal data can be in certain

11:40

organizations depending on the industry

11:42

depending on the product or service

11:44

you're offering to your customer base

11:46

it's something we you know you need to

11:48

consider and don't want to fall down the

11:50

trap on trying to identify certain data

11:52

elements but rather the the context of

11:55

how information is being collected how

11:57

it's being used now it's being

11:59

transferred in those processing type of

12:01

activities is much more important than

12:04

specific data elements now sure we want

12:07

to apply certain security controls and

12:09

certain mitigating safeguards to

12:14

mitigate the certain risks with certain

12:15

data elements but looking at it more at

12:17

the processor activity often helps with

12:21

a lot of the activities as you prepare

12:23

for gdpr the next area we want to talk

12:26

about is we all know how complex if you

12:29

look at all the articles sub articles

12:31

and the recitals that help provide

12:34

guidance into the various or sub

12:37

articles so we all know this is the 99

12:41

articles that make it up but but also

12:43

traditionally for a controller processor

12:45

roughly about 36 articles plus or minus

12:49

a few in either direction depending on

12:51

your specific industry are traditionally

12:55

relevant for organizations acting in

12:57

capacity as a controller and or a

12:59

processor so something that that we

13:02

often find organizations get a little

13:06

bit caught up in is more of a checklist

13:08

mentality where they go through and they

13:11

try to look at each article or sub

13:14

article individually try to understand

13:16

what they've done as an organization or

13:18

what they need to do as an organization

13:19

to achieve alignment to the respective

13:22

article but but that's not always the

13:25

best way to think about it right a lot

13:27

of these concepts around

13:29

and here are two examples on collection

13:31

and consent a lot of these are very

13:35

common privacy concepts that have been

13:38

around for a long time there's things

13:41

that are very relevant and easy to

13:43

understand from a business perspective

13:44

from a technology perspective so one

13:47

thing that that we we suggest them as an

13:51

option to help further clarify how to go

13:57

about and how to bring these back to a

14:00

meaningful use as you start talking to

14:03

the business and IT and operations and

14:06

so forth on what they need to do and

14:08

also from an efficiency standpoint in

14:11

the execution of your readiness and the

14:13

building of your implementation plan is

14:14

group these by related topics so if you

14:19

group these your often left with you

14:21

know just over a dozen maybe 15 17

14:24

depending on how broad of a group you

14:28

create but then it comes back to those

14:30

very relevant topics and related areas

14:33

that that will help with the overall

14:35

implementation help streamline the

14:38

efficiency of it and then also reduce

14:41

some of the complexity now you don't

14:42

want to lose sight of the sub articles

14:44

or the specific articles that you might

14:46

have grouped together but but having

14:48

them in those like topics or like

14:50

buckets provides for those efficiency

14:53

gains throughout your exercises and even

14:55

beyond as you start to work on the

14:58

implementation phase which leads us into

15:01

what we're seeing from from a sequence

15:04

of events to where some organizations or

15:07

where we see based on our direct insight

15:11

and also through kind of our indirect

15:13

context that we have at various

15:14

organizations across industries as it

15:17

relates to privacy so as many this might

15:22

be very familiar for many starting off

15:24

with that readiness benchmarking

15:26

activity understanding where we might

15:28

have some gaps and we need to create a

15:30

new process enhance existing processes

15:33

enhance our technology to support those

15:36

processes and really designing that that

15:39

roadmap or that implementation plan of

15:41

those specific

15:42

acet need to be accomplished in order

15:44

for our organization to further align

15:46

with those articles within the GPR and

15:49

I'm moving into that implementation

15:51

enhancement activities for a higher risk

15:53

process so we'll talk a little bit more

15:55

about how you could kind of separate up

15:58

or break your various tasks into these

16:02

groups of high or moderate or lower risk

16:04

activities so so you can see there's

16:07

kind of three shaded in green here those

16:10

are to represent where we see most

16:13

organizations today either working in

16:15

one or all three of those buckets and

16:17

then the gray circles representing areas

16:21

that I think unless you're very mature

16:23

down the scale but I think it's rare at

16:25

this point to see organizations already

16:28

focused in and have completed their

16:30

high-risk processes I've worked through

16:33

those have built a lot of the privacy

16:36

program functions that will need to be

16:37

created enhance those systems so forth

16:41

and now I've transitioned into to the

16:44

lower risk activities and then

16:46

operationalizing those so just to give a

16:49

little bit of a picture we wanted to

16:51

demonstrate this as we say most

16:53

organizations are in one of those three

16:56

buckets with the the migration over the

16:58

last couple months I think having a good

17:00

amount of organizations working in that

17:03

in that middle bucket there as we

17:08

proceed into pitfall number three would

17:11

be around scoping activities so as we

17:13

say here kind of that that pitfall of

17:16

not accurately scoping out what needs to

17:19

be evaluated what do we need to think

17:21

about from an overall GDP our landscape

17:24

and how it applies to our organization

17:27

so the first thing would be deciding the

17:31

the buckets of personal data that might

17:33

be relevant so are we most organizations

17:37

if you have operations in you you're

17:40

going to need to be considering employee

17:42

personal data and often those processes

17:45

vary quite differently from how you

17:47

process collect and transfer your

17:50

customer data so treating those as

17:52

almost distinct but parallel

17:56

for which you're going to do your

17:57

readiness activities is something to

18:00

consider and then another area that we

18:03

often see organizations get tripped up

18:06

is in the scoping as it relates to

18:09

geographic locations the department's

18:11

the systems that support it as we know

18:13

as organizations tend to grow through

18:14

acquisition grow very fast organically

18:17

or have been around for a really long

18:19

time and there's a lot of legacy

18:20

processes all those elements could lead

18:23

to challenges when trying to determine

18:25

where are we recapturing this personal

18:28

data how we processing this personal

18:30

data what what functional teams are

18:33

involved in those services or product

18:36

where those teams located it's all very

18:40

common to have dozens and dozens if not

18:42

hundreds of global locations but maybe

18:45

there is a reason we could scope some

18:48

out maybe there's a reason we need to

18:49

scope them all in which leads to two

18:52

common approaches that we traditionally

18:54

see and these would be around taking

18:56

that targeted based approach so let's

18:58

say we're very keen on our operational

19:01

practices we have a very good at least

19:04

conceptual understanding of our

19:06

processing activities so we could do a

19:08

much more targeted discovery whether

19:10

through questions or in-person

19:12

interviews or over the phone where we're

19:14

going to really refine our understanding

19:17

as an organization around some of those

19:19

critical processes that are involved in

19:22

the collection of our processing of that

19:24

personal data either on the employer

19:26

customer side so taking a very targeted

19:28

based approach compared to where we see

19:31

organizations where maybe they don't

19:34

have that that great of a picture

19:35

because they haven't gone through an

19:36

information mapping exercise they

19:38

haven't done an evaluation around on

19:41

where their personal information resides

19:43

so maybe that those types of

19:45

organizations need to take a broad

19:47

stroke so maybe sending out some type of

19:49

questionnaire survey to hundreds if not

19:52

thousands of employees that help refine

19:54

their understanding of those processing

19:56

activities so then you could further

19:58

narrow down where you're going to focus

19:59

your efforts from a gdpr readiness and

20:01

GPR implementation and that could also

20:04

help with the identification of those

20:06

higher risk processes so there might be

20:08

you know

20:09

or set of we'll just make up a number of

20:12

a hundred processing activities that are

20:13

occurring maybe there there is only 20

20:17

that are heavily involved in person they

20:18

assure there might be ancillary personal

20:21

data located in those other areas but

20:23

you know what

20:24

let's go focusing on those 20 and we'll

20:26

we'll try to finish everything by May

20:28

25th but if we got a really focusing on

20:30

20 so that's where you can start

20:32

implementing that that risk based

20:33

approach and then the other area where

20:37

I'm sure all the listeners on the phone

20:39

today could relate to is is some element

20:44

of this is it an IT issue were brought

20:48

in to many organizations where GPR for

20:51

some reason is thought to be an IT issue

20:53

or even just solely a legal issue and

20:57

those are the organizations that tend to

20:59

miss some of the other elements that

21:01

really are applicable from a GPR

21:03

standpoint so we wanted to reinforce

21:05

eyes as we all know not just an IT

21:08

effort IT is is greatly involved in a

21:11

very vital department to helping

21:13

implement and and align with the various

21:16

gdpr articles but but but but it's

21:20

definitely not solely an IT issue same

21:22

with legal the legal opinion needed to

21:25

ensure appropriate implementation of GDP

21:27

our program is vital to the success and

21:30

extremely important for risk mitigation

21:32

standpoint if you are going to take a

21:36

certain stance in those gray areas we

21:38

talked about earlier your legal team

21:40

both in-house and external need to be

21:42

comfortable with those decisions so that

21:43

they are in a position to communicate to

21:48

regulators if that event ever needs to

21:51

occur and are able to defend that that

21:53

position that the organization takes so

21:55

so while they're there vital but but

21:57

definitely not solely a legal issue but

22:00

we all know there are tools out there

22:02

and we even in the professional services

22:04

get you know we get a lot of increase

22:07

and details about different tools out

22:10

there to help with the implementation

22:12

and while there's definitely different

22:14

tool sets to help with various articles

22:17

I think there is often a misconception

22:21

that if you if you get a tool

22:23

or you're good from a GDP our standpoint

22:26

as it relates to certain articles which

22:28

isn't always the case as we all know

22:29

there's the work flow that needs to be

22:31

designed around it is the operational

22:33

aspect there's the implication that

22:35

might have on marketing that might have

22:37

on your HR teams and so forth so so all

22:39

important elements of building your GDP

22:41

car program but we shouldn't think it

22:43

solely as a technology issue and then we

22:46

all know that there's other tools out

22:49

there especially some some of the newer

22:51

privacy management solutions that will

22:53

help more from the operational side so

22:56

as you start to implement some of the

22:57

GPR readiness activities within your

22:59

organization there there's privacy

23:01

management solutions out there to help

23:03

with the ongoing maintenance and

23:05

operation making it efficient on a

23:07

regular ongoing basis so there's

23:10

definitely different opportunities out

23:13

there and now I'll pass it over to to

23:15

Francesca who will talk a little bit

23:17

more about some of the other pitfalls

23:20

that we mentioned earlier on Thank You

23:25

Erik um so I should think of being more

23:27

about now that we we may have an IBM or

23:30

from a graininess perspective and we're

23:32

moving towards more the implementation

23:34

and we have identify certain projects a

23:36

common pitfall that we have seen it's

23:38

it's under estimating the level of

23:40

cross-functional efforts in across some

23:44

of the initiatives that are coming out

23:46

of remediation projects so then this is

23:51

definitely beyond IT and privacy right

23:53

in their initiatives such as the writer

23:56

ratio right to that report ability right

23:59

to that subject right there to me

24:01

require involvement and from other

24:04

departments and in the in in not having

24:08

a clear ownership of who's going outward

24:10

and who plays a key role in some of

24:12

these projects you know often can commit

24:14

to inefficiencies can lead to companies

24:18

and spin their wheels and in spending a

24:21

lot more time and effort that they

24:23

should have so you know wanted to share

24:26

with you guys the risk instead of the

24:28

project department owners in

24:30

collaborating apartments right so having

24:34

a clear definition of not only who's not

24:36

on the project but

24:37

so defining collaborate apartments that

24:39

would also play a role in allocating

24:42

resources and effort since they can help

24:46

with certain pieces of the activities

24:48

within the project becomes very crucial

24:51

when you're designing implementation

24:52

plan so for example we see early in this

24:56

table if we're thinking about a project

25:00

around having to enhance the consent

25:02

forms for your customer data so we could

25:05

think well privacy will own it you know

25:07

and then they could be that the

25:09

facilitator and in the way that you

25:12

definitely want ownership because if not

25:14

nothing at Sun

25:15

however privacy department may need

25:18

super for mighty right because you can

25:20

imagine that these consent forms some of

25:22

them might be changes that need to be

25:25

done on certain websites for example you

25:28

also need feedback from legal since as

25:31

you're approving that in that form in a

25:34

universally input from legal making sure

25:36

that that's within the GDP requirements

25:40

and then if we're thinking like that one

25:42

of those forms is relates to a medical

25:45

department because you might have a

25:46

department that is collecting medical

25:48

information this department will need to

25:50

update their procedures in internal

25:54

training and so forth so the the people

25:57

on the field are going to use the new

25:59

form that we are enhancing and then we

26:01

have marketing of course right when that

26:03

comes in form right now we might be

26:05

collecting more information that we were

26:08

before or less and now when you think

26:09

about okay how we're planning from a

26:12

marketing perspective on marketing or do

26:16

it with information for marketing right

26:18

and then another example could be your

26:21

your customer care department right and

26:22

they will need to update also the

26:24

procedures on how they're collecting

26:26

that consent over the phone so you may

26:28

need to update the scripts so all of

26:30

these projects become become having sub

26:32

tasks and you have different

26:34

collaborative departments that are

26:37

helping the privacy team as a project

26:40

owner to make sure that all of this gets

26:42

done

26:46

so hopefully this gives you some

26:48

visibility into you know known under

26:50

civilian value and I think another thing

26:51

that has worked very well to make sure

26:54

that we also are able to in define in a

27:01

better way and how what what is it type

27:05

of the project and it helps provide

27:07

visibility around the level of effort

27:09

and where you're presenting your

27:11

planning and getting executive approval

27:12

you know it's easier to explain you know

27:15

by grouping these projects into these

27:17

three categories here that we have at

27:19

the left right so we're thinking about

27:20

right whatever changes do we need to

27:22

make so we can think about

27:24

recommendations as relays in the

27:26

governance domain right so these are

27:28

recommendations that are around policies

27:31

procedures and standards updates then

27:34

may need to be either greater from

27:36

scratch because we did not have it or

27:38

that we need to be enhancing to ensure a

27:41

line with a gbbr

27:43

then we also have certain changes that

27:46

we in recommendations that can be

27:49

categorized around the operations in the

27:51

business and so these recommendations

27:53

will indicate an area in which like the

27:55

those business departments will need to

27:58

make certain changes to the way they're

28:00

applying those policies and in those

28:03

procedures and so the example that I

28:05

provided before around that those

28:08

scripts that the customer care

28:10

department will need to use are under

28:12

consent process it would be can be

28:15

classified as such and then around the

28:18

system so I will definitely as we all

28:21

know that I would resign across hundreds

28:24

of systems and so we may need to make

28:27

certain organizations and technical

28:29

practices or certain configuration

28:32

changes we may need to add certain

28:34

features in our systems or we may just

28:36

need to change the mission allottee or

28:37

some of them or security controls on top

28:41

of it and so some of this recommendation

28:43

see you know m we can be categorized

28:46

within this category in another key

28:49

component right we talked about it

28:51

pretty the current owner we talked about

28:52

a correct collaborate apartments but

28:54

having certain other as you see defining

28:57

the implementation projects it becomes

28:59

useful from

29:00

prioritization perspective for my

29:02

expectations and level of effort so

29:04

having your key levels clearly fine for

29:08

each project that way you sure to

29:10

measure name so are there or not

29:15

having a priority within it and then

29:18

having some estimate from our resources

29:20

in duration and that also becomes key as

29:23

you know all of these it becomes a cost

29:26

organization and you may have in your

29:28

gustation different in budget process at

29:32

the corporate level versus are they be

29:35

specific division of business unit level

29:36

so i've been able to provide for each

29:38

project estimated resources are going to

29:41

be needed either external or internal

29:43

estimated costing the duration and

29:45

becomes very key in in a particular

29:48

component that part of a critical part

29:50

will be the dependencies with other

29:52

projects so for example in this figure

29:55

on the right in we have an example

29:58

around the BPI a program and how we have

30:01

key variables around the be pay policies

30:04

you proceed on the questionnaire but we

30:06

may have a different project around

30:07

privacy protection by design which

30:11

interrelate with epi a and there's

30:13

certain components with EPA a they will

30:15

need to consider in the pan of the

30:17

successful completion of the Privacy

30:19

Protection by design policy right so in

30:21

having that that clear understanding

30:23

where we may have different departments

30:24

in owning those two projects and becomes

30:29

very useful as you guys are working

30:31

towards our plan and our working on

30:33

braiding management that going forward

30:38

and then you know the biggest challenge

30:43

that the image that we see in I think

30:44

our you know companies are realistically

30:46

being forced to unneeded and if the fact

30:49

that and we cannot finish everything

30:53

before May 2018 and companies are and

30:56

depending on their size understanding

30:59

that and in in applying that griffix

31:02

approach that Eric was talking about in

31:04

the beginning of this presentation right

31:07

we were talking about for prioritizing

31:09

the high-risk projects processes or

31:12

partisan systems right

31:14

so depending on the size of realization

31:16

numbers of product processes through

31:18

patent theses may vary but beyond of

31:20

that because of the scope of that

31:23

personal data in because of the broader

31:25

definition of a personal data you know

31:27

the the in scope systems and processes

31:31

is a much larger number that you know

31:34

the companies can realistically address

31:38

and tackle and in this short time frame

31:41

right so so I'm so today my useful to

31:46

consider might be for season focus

31:48

products for example start with the

31:50

higher higher resistance and what does I

31:52

mean right because we have different

31:53

answers and I know companies are used to

31:55

thinking of financially significant

31:57

systems for public companies in the Sox

31:59

were in or systems that may have just

32:03

just PII but now because of this

32:04

definition we're going to have a lot

32:06

more system so for hurry system for

32:08

example and then we can provide you some

32:11

insight into some risk index and

32:13

criteria or factors that can help you

32:15

think about that so for example the

32:17

sensitivity of the personal data

32:19

elements so what is the degree of

32:21

sensitivity for those personal data

32:23

elements and that for example in even

32:27

though anything will become free

32:28

personal data in the possibility of

32:32

losing or in a social security number

32:36

versus a passport number versus just a

32:38

name and even though it's still within

32:40

the scope of GDP are all of those

32:41

elements together it if you know can

32:44

give you an indication how risky the

32:47

system in companies can make choose to

32:50

focus on the systems that have more so

32:52

City data elements first volume also

32:55

becomes important you know the number of

32:57

Records the personal data elements that

33:00

you may have so it also can be another

33:04

criteria could can be can be used to

33:06

calculate the risk index for that system

33:08

and then this concept of systems managed

33:11

internal versus external II in what what

33:13

we mean here is like a it would

33:16

basically assumption that for my GDP

33:18

erroneous perspective like systems and

33:20

are managed by through PI will be

33:21

consider to have a lower impact for the

33:24

UPR anus because the responsibility of a

33:26

third party

33:28

and realize of them over configuring

33:31

that system the system architecture

33:34

there hosting the data and we're going

33:36

to have all the requirements are going

33:38

to the companies are pushing on the

33:40

vendors and inter-party systems but if

33:43

it's not configured where you guys

33:45

you know if there's less effort for my

33:47

GDP erroneous perspective so there's

33:49

also a factor that can be used to us you

33:52

decide to prioritize your systems and

33:55

then of course data types which annoy

33:57

your official read about in the

33:58

beginning but you know I think what

34:00

companies are doing even though we might

34:02

not but also me that we don't care I

34:04

wear umbrella data however from a and

34:08

the customer or end-user data we are

34:12

holding in our systems and especially

34:15

like larger number of data and also from

34:18

a GDP our provides us higher risks that

34:22

a data for it is from the possibility of

34:25

for having that a subject requests on or

34:28

or more on and reputational risk and so

34:33

forth so so companies are giving a

34:35

higher way to customer chain that and

34:38

contrary to our employees and putting

34:40

that on a second priority alright so I

34:46

so hopefully right now you know we'll

34:49

give you some idea of some common

34:51

pitfall so we have been seen I think we

34:52

also that we wanted to give you guys

34:54

today some visibility in some of the

34:56

technical project activities that we

34:58

have seen come out out of the in this

35:02

organization so in to GDP Irenaeus

35:05

activities and sort of result we have a

35:08

different type of projects and programs

35:12

around in technical measures around

35:14

encryption that I'm asking

35:16

greater ratio writes to the report

35:18

ability and then we have all the ones

35:20

I've been more in the privacy side

35:22

around paas and privacy by design and

35:25

data protection officer and so for I

35:26

think a couple ones that I want to

35:28

highlight today for you guys is the

35:30

vasila specific assessment program you

35:34

know the UDP are clearly states that the

35:37

data controller a processor should

35:38

implement a process for regularly tests

35:41

in assessing

35:41

in evaluating the effectiveness of those

35:43

controls that the company will have on

35:46

the around the security of the

35:48

processing so it's not only how many

35:49

controls but how the company's really

35:51

testing assessing the effectiveness of

35:54

those controls so and so him that

35:58

becomes kind of significant from a scope

36:01

perspective because now we have more

36:03

systems and you can have a public

36:05

company where you may already have a

36:07

good at monitoring controls and security

36:10

measures around your successes that you

36:12

may not have that applied yet to CSIS

36:15

beyond your your 'suck systems right so

36:18

now that you have all these hairy

36:20

systems there is go for gdpr what we

36:22

have seen companies doing in you know

36:24

picking and choosing certain controls

36:26

where they are in for example and

36:29

valuating the effectiveness of the

36:31

access and they're doing use for access

36:33

reviews in their prioritizing and

36:36

rolling that program that you already

36:37

have where you really have a program in

36:39

place crawling that out to the those

36:42

systems so that that's one way how

36:43

companies have been addressing that one

36:44

and then in the other one that has

36:47

definitely created a lot of questions

36:51

and then we see companies approach in a

36:53

different way but I think something that

36:54

we want to highlight as relates to the

36:57

guidance has come out or around this is

37:00

the data protection officer function in

37:02

how companies are having on a specific

37:05

challenge the image challenge has been

37:08

that you if you already have a European

37:12

operation so you may already have a

37:13

summer working in a position of a dpo

37:17

with we decorum EU directive and outside

37:19

of GDP are you know that person the

37:22

person the personal strolls and quarter

37:24

rolls in and you know they are not

37:27

clearly aligned with what you di would

37:29

require the future so because those

37:31

person those persons in that capacity

37:33

are performing a lot of duties which can

37:36

make them flee with a monitoring

37:38

obligations for the appeal because the

37:41

rigidity requirement for a UDP are

37:44

really has at this monitoring

37:47

type of role where there that person is

37:49

supposed to be performing audits and

37:51

order or the regular privacy of these

37:54

functions

37:55

so um so I think what we have been

37:57

seeing is companies considering him you

37:59

know if they already have a key key

38:02

privacy personnel in their perform

38:04

specific functions coming up with a

38:06

either an acceptor an external or or a

38:09

new position create a whole different

38:12

position that will oversee that team and

38:14

provide use monitoring and oversight

38:16

however would not be they're embedded in

38:18

in providing the day-to-day functions so

38:22

he doesn't conflict with that monitoring

38:24

requirement that the gdpr brings it up

38:26

into into light you know and I think I

38:31

am something as a while to show you the

38:34

other activities and I think Catholics

38:36

can attach Nexen in some of those and I

38:39

know many of you are probably very

38:41

interesting in around consent and in

38:43

other requirements but hopefully it is

38:45

some perspective into some other

38:47

initiatives that we have been seen and

38:48

how companies are starting to tackle

38:49

those

38:59

you

39:25

all right your peers behind certain

39:27

engages with gathering something phone

39:30

line but I'll talk in a couple of these

39:32

ones so I think another ones that we

39:34

want to touch on today is around the in

39:38

processor and supersets termination

39:39

procedures right in that there has been

39:42

a big topic around in whatever

39:45

requirements do we need to like what do

39:48

we need to do water parties and what do

39:49

we need to our vendors and whatever

39:51

requirements we have on them right so

39:53

this is one where we're not only we're

39:56

making sure that the companies are