How to Build a GDPR Implementation Plan
Summary
TL;DR: In this webinar, experts from Focal Point discuss GDPR compliance strategies and challenges. The presentation covers the importance of data privacy, common pitfalls in GDPR implementation, and best practices for aligning with GDPR requirements. Key topics include the definition of personal data, the need for cross-functional collaboration, and prioritizing high-risk areas. The session also emphasizes the significance of continuous communication, project management, and preparing for the May 25th deadline. A Q&A segment addresses audience queries on GDPR projects, third-party data handling, and regulatory focus areas.
Takeaways
- The presentation is structured to cover the current GDPR landscape, common pitfalls in GDPR implementation plans, and methods for building and communicating these plans within an organization.
- Eric Dietrich, a leader in data privacy, emphasizes the importance of a risk-based approach to GDPR compliance, focusing on high-risk processes and systems first.
- Francesca Sanabria discusses the cross-functional nature of GDPR, highlighting the need for collaboration between IT, legal, and other departments in the implementation process.
- The definition of personal data under GDPR is broader than traditional PII (Personally Identifiable Information), creating challenges for organizations in identifying and managing personal data.
- Organizations should group GDPR articles by related topics to streamline the implementation process and reduce complexity.
- GDPR implementation involves a sequence of events starting from readiness benchmarking to defining baseline standards and workflows.
- A common pitfall is underestimating the level of cross-functional effort needed for GDPR projects, which can lead to inefficiencies and delays.
- The scope of GDPR projects should consider different types of personal data and geographic locations, with a focus on high-risk areas.
- GDPR is not solely an IT or legal issue; it requires a company-wide effort with clear ownership and collaboration across departments.
- Tools and technology are important for GDPR compliance, but they must be implemented with proper workflow design and operational considerations.
- Time is a critical factor, and organizations should prioritize high-risk projects and processes to meet the May 25th deadline, using a risk-based approach.
Q & A
What is the purpose of the webinar?
- The purpose of the webinar is to discuss GDPR readiness, implementation plans, and answer related questions from participants.
Who are the panelists for this webinar?
- The panelists are Eric Dietrich, Francesca Sanabria (Fran), and Katherine Kill.
What topics will be covered in the presentation?
- The presentation will cover the current GDPR landscape, common pitfalls in designing GDPR implementation plans, and methods for building and communicating these plans.
What are some common pitfalls when designing a GDPR implementation plan?
- Common pitfalls include inconsistent interpretations of GDPR articles and lack of prioritization and ownership of activities due to the cross-functional nature of GDPR requirements.
Why is a risk-based approach recommended for GDPR compliance?
- A risk-based approach helps prioritize high-risk processes and systems, making it more practical to address the most critical areas first and gradually work towards full compliance.
What are the key components of an effective GDPR implementation plan?
- Key components include defining project owners, collaborating departments, clear prioritization, estimated resources and costs, and dependencies with other projects.
What challenges do organizations face when implementing GDPR requirements?
- Challenges include broad definitions of personal data, complex scoping activities, cross-functional coordination, and managing timelines to meet GDPR deadlines.
How should organizations prioritize GDPR-related projects?
- Organizations should focus on high-risk systems and processes, considering factors such as the sensitivity of personal data, volume of records, and whether systems are managed internally or externally.
What are some examples of concurrent GDPR projects that can be performed?
- Examples include security activities like encryption implementation and governance functions like creating policies and procedures.
What steps should be taken to ensure third-party compliance with GDPR?
- Organizations should review and update contracts with third parties to include GDPR compliance clauses and may rely on certifications like ISO or SOC 2 for assurance of security practices.
Outlines
Webinar Agenda and Introduction
The script opens with an introduction to the webinar's agenda, which includes a 30-minute presentation followed by a 15-minute Q&A session. The panelists are introduced: Eric Dietrich, a leader in data privacy, Francesca Sanabria, an expert in GDPR projects, and Katherine Kill, a GDPR specialist. The host also briefly introduces Focal Point, the company hosting the webinar, and invites attendees to submit questions through the webinar dashboard for the Q&A session.
GDPR Implementation Strategy and Pitfalls
Eric Dietrich discusses the current GDPR landscape, emphasizing the shift from readiness to implementation. He highlights the importance of a risk-based approach to strategy, focusing on high-risk processes and systems. Common pitfalls are identified, such as inconsistent interpretations of GDPR articles and the challenge of prioritization and ownership across departments. The presentation aims to provide insights into building and communicating implementation plans within organizations.
Defining Personal Data and GDPR Complexity
The script delves into the challenges of defining personal data under GDPR, which has become broader and more complex than previous definitions. The implications for technical and operational teams are discussed, along with the importance of understanding the context of data processing activities. The complexity of GDPR's 99 articles is also addressed, suggesting a grouping by related topics to streamline implementation and reduce complexity.
Sequence of GDPR Implementation Activities
The script outlines a sequence of events for GDPR implementation, starting with readiness benchmarking to identify gaps and create new processes. It discusses the shift of focus from readiness to implementation, emphasizing the need to define baseline standards and ensure workflows, processes, and technology support for privacy operations by May 25th.
Scoping GDPR Activities and Geographic Considerations
The paragraph discusses the importance of accurately scoping GDPR activities, including deciding which buckets of personal data are relevant and considering geographic locations and departmental systems. It highlights the challenge of determining where personal data is captured and processed across various global locations and the need to scope in or out based on operational practices.
Common Misconceptions about GDPR Implementation
The script addresses common misconceptions, such as viewing GDPR solely as an IT or legal issue, and emphasizes the importance of cross-functional collaboration. It also discusses the role of privacy management solutions in maintaining and operationalizing GDPR compliance efficiently on an ongoing basis.
Cross-Functional Efforts in GDPR Initiatives
Francesca Sanabria highlights the importance of cross-functional efforts in GDPR initiatives, discussing the pitfalls of underestimating the level of collaboration needed across departments. She provides examples of how different departments need to update their procedures and training to align with GDPR requirements, emphasizing the need for clear ownership and collaboration in project design and implementation.
Prioritizing GDPR Projects and Risk Management
The script discusses the challenge of prioritizing GDPR projects, given the broad scope of personal data and systems involved. It suggests focusing on high-risk projects and processes first, using a risk index based on factors such as data sensitivity, volume, and system management. The importance of understanding that not all tasks can be completed before the May 2018 deadline is also emphasized.
Technical and Privacy Initiatives for GDPR
Francesca continues by discussing various technical and privacy initiatives for GDPR compliance, such as data protection officer functions, privacy impact assessments, and encryption measures. She highlights the importance of regularly testing and assessing the effectiveness of controls and the challenges companies face in creating new positions or modifying existing ones to meet GDPR's monitoring requirements.
Contracts, Workflows, and Data Subject Rights
The script touches on the need to review contracts and agreements with third parties to ensure GDPR compliance and discusses the importance of updating workflows for data subject rights, such as the right to erasure and data portability. It also mentions the collaboration required between privacy, legal, and other departments to ensure that new processes and policies align with GDPR requirements.
Communication and Project Management for GDPR Implementation
Eric Dietrich concludes the presentation by emphasizing the importance of communication in the implementation of GDPR projects. He suggests holding internal workshops and seminars to bring together collaborative teams and work through specific tasks. The need for a dedicated project manager to monitor and track progress is also highlighted, along with the advice to prioritize and take a risk-based approach to meet the GDPR deadline.
Closing Q&A and Final Remarks
The script ends with a Q&A session where panelists address questions about GDPR projects, prioritization, and third-party data handling. The host thanks attendees for participating and provides information on how to access a recording of the webinar and additional GDPR resources. The email address for further inquiries is also provided.
Keywords
GDPR
Data Privacy
Fortune 500 Companies
Cross-functional Teams
Data Subject Rights
Privacy by Design
Data Protection Officer (DPO)
Third-Party Processors
Risk-Based Approach
Implementation Plan
Privacy Impact Assessment (PIA)
Highlights
Eric Dietrich built Focal Point's data privacy practice from the ground up and runs it nationally, providing thought leadership on GDPR transition for Fortune 500 companies.
Francesca Sanabria leads many of Focal Point's largest GDPR projects and is a respected speaker and innovator in international data privacy regulations.
Katherine Kill is a GDPR specialist at Focal Point, with a unique perspective from her previous role as an attorney investigator at the US Department of Health and Human Services.
Focal Point, founded in 2005, is the largest pure-play data risk firm in the United States, focusing on cybersecurity, data privacy, identity governance, and data analytics.
The webinar's primary focus is on GDPR implementation strategies, highlighting common pitfalls and methods for effective communication and implementation.
A key approach recommended is taking a risk-based strategy to limit exposure and prioritize higher-risk processes and systems.
Organizations are shifting focus from GDPR readiness to implementation, emphasizing the need for workflows, processes, and technology to support privacy operations.
Common challenges include inconsistent interpretations of GDPR articles and the lack of prioritization and ownership of cross-functional activities.
Understanding the broad definition of personal data under GDPR and focusing on the context of data collection, usage, and transfer is crucial.
Grouping GDPR requirements by related topics can streamline implementation and reduce complexity.
Accurate scoping of GDPR impact involves considering different types of personal data, geographic locations, and departments.
Effective GDPR implementation requires clear ownership and collaboration across various departments, such as legal, IT, marketing, and customer care.
Organizations should prioritize high-risk processes and systems, using criteria such as data sensitivity, volume, and internal versus external management.
Data protection officer roles under GDPR should ensure independence to avoid conflicts of interest with monitoring obligations.
Effective communication of the GDPR implementation plan through workshops and seminars is essential for ensuring cross-functional collaboration and executive support.
Transcripts
[dashboard] on the right of your screen; you can use that to ask questions throughout the webinar. Just drop them into the question section of the dashboard. Our presentation today should run roughly about thirty minutes, and we'll follow that up with a 15-minute Q&A. If you have specific questions about your GDPR plans, we'll also be happy to take those conversations offline as well.

Okay, so before we get started I would like to introduce our panelists for this afternoon. Our first panelist today is Eric Dietrich. Eric has built Focal Point's data privacy practice from the ground up and today runs the practice nationally. He is one of the earliest voices providing thought leadership on the GDPR transition, helping many Fortune 500 companies build GDPR transition plans shortly after its passage. He is a frequent speaker at industry conferences and events across the country on the biggest topics in privacy today, of course including GDPR. Also on the panel today is Francesca Sanabria. Francesca, or Fran, leads many of Focal Point's largest GDPR projects and is a respected speaker and innovator in international data privacy regulations. As a principal in the privacy practice, she has developed and implemented privacy programs for many of Focal Point's clients. She is also the IAPP KnowledgeNet chairperson in South Florida and regularly presents at privacy and security conferences around the country. And our third panelist is Katherine Kill. Katherine is a GDPR specialist at Focal Point and has been closely tracking GDPR since its passage. She brings a unique perspective to our privacy team, having previously served as attorney investigator at the US Department of Health and Human Services Office for Civil Rights. She holds a JD and is a Fellow in Information Privacy, holding both CIPP and CIPM designations. So I'd like to thank all three for speaking with us today.

So I know we had some folks on their first Focal Point webinar today, so I'd like to very briefly introduce who we are and where we came from. Focal Point was founded in 2005 as a technology-focused risk management firm. We have a little over 400 full-time employees working in 17 offices across the United States and Canada, and today we're the largest pure-play data risk firm in the United States. We're agnostic to any industry and work with companies from tech startups to some of the world's largest global organizations. We're focusing primarily on cybersecurity, data privacy, identity governance and data analytics, but as you can see on the right of your screen there, that's our full range of service offerings. We feel privileged to have the opportunity to speak with you today and hope you get some insights here that help you put together a GDPR plan that works for your organization. So just again, for those who joined us late, a quick reminder to drop your questions into the questions section of your GoToWebinar dashboard, and our panelists will answer as many questions as we can, in the order we receive them, during the Q&A portion of the webinar at the end. So I think with that I'll turn it over to Eric, who can walk us through today's agenda.
Eric: Thank you, Lee. Appreciate everyone joining today. So just a quick introduction to the topics we'll be talking about through our presentation, and then, as we mentioned, we'll also be opening up for a Q&A session at the end and hopefully leaving plenty of time for questions. So just three key points that we wanted to cover: spend a few minutes on the current GDPR landscape through the lens of our clients and through other relationships we have across industries; highlight some of the common pitfalls we see when designing a GDPR implementation plan and working towards implementing enhancements throughout your organizations to further align with the requirements of the GDPR; and then talk a little bit about some methods that could be leveraged for building and communication of those implementation plans throughout your organization. As we know, a common theme here today will be the cross-functional nature of the GDPR and the implications it has across many departments.

So as we jump into the activities here, we just wanted to give a snapshot of kind of where we're at today. With just under ten months to go, we see a few common themes transforming through our experiences. We've been fortunate enough to be involved with quite large and even small GDPR projects for over a year now, very much starting almost immediately after the passage of the regulation, and have had great insight into some of the challenges and some of the strategies organizations are using for implementing various enhancements across the organization. We want to share some of those with you today.

The first one would be around strategy. Anytime we talk about regulations and/or compliance and we think about a risk-based approach, we somewhat get a little nervous, as we know, as a regulation, we need to comply with all of it; we need to ensure we're aligned with all those details. But as we continue to hear from a lot of organizations out there, achievement or alignment of a hundred percent is probably not the practical approach. We should strive for that hundred percent, but some of those details and elements might come past that May 25th deadline. So trying to design a strategy that's taking a risk-based approach, that's going to limit our exposure to the best that we can, is a practical approach that we see being implemented quite often, with a strategy being developed to address those higher-risk processes, higher-risk systems, making sure we know who our processors and sub-processors are, and so forth. But that strategy has really evolved to that risk-based approach, and we'll talk a little bit more about some of those elements later on.

And the focus: if we went back in time a little bit and we looked at the focus of GDPR readiness six to twelve months ago, it was very much in the heavier readiness phase, really trying to understand how we align with each requirement, each article and so forth, and spending quite a good amount of time understanding the processing activities that we do with personal data, both on the employee side and the customer, consumer or client side, whatever might be involved there. But now we definitely see a shift to, okay, let's draw that line in the sand with our readiness and let's really focus in on the implementation aspect and really work on defining those baseline standards; let's make sure we have workflows, processes and technology to support those privacy operations that we need to have in place by May 25th. So definitely something we've seen, a continuous shift, and especially over this last quarter here we see that pendulum is shifting much more into the implementation side rather than the readiness. But there's still some readiness activities going on there, so if you haven't done anything yet, you know, we would say you're a little bit behind the curve, but not too late to catch up as of yet.

So two challenges we want to highlight, and these will be somewhat of themes throughout our presentation here and discussion, will be around the challenges that we continue to see. One being around kind of the inconsistent interpretations, or just the room for interpretation, around the various articles: how they should be applied for organizations and all the different scenarios that could play out around the different use cases on how you're collecting, processing, storing and potentially transmitting that personal data. But we do see that tide shifting a little bit, and we do see a little bit more alignment on a lot of those areas around right to erasure, data portability, some areas that had a lot of gray, and the determination we seem to be narrowing in on a little bit and clearer direction to take there. The other major challenge that we see, and like I said we'll talk about this one more, is the lack of prioritization and ownership of those activities, and it's really due to the cross-functional nature, which always makes it challenging, especially for large international, global organizations. Creating these cross-functional teams to manage and drive home and deliver certain deliverables, tasks, workflow design and so forth is a challenging area. So we often see a lot of activities going into the readiness, we see some plans being designed, but then we also see a lot of time being taken on who's going to own this, who's going to do it, who has time, when are we going to leverage external, what work do we do internal. So this prioritization often is starting to absorb a good amount of time. So, you know, there's certain things that hopefully we'll highlight today as we continue our discussion that will help alleviate and maybe manage some of those risks as well. So just jumping into the
what we're going to call pitfall number one, and this would be around the definition of personal data. As most of you are probably familiar now, the definition has changed under the GDPR, and it has become much broader, a little bit murkier, and can be interpreted in many different ways. That makes this very complex, especially when you're dealing with more the technical teams, dealing with more of the operational teams that just want to know what those data elements are that constitute personal data. And while I think there will be this shift away from the term PII that we were all so accustomed to under the current privacy landscape globally right now, moving more to a broader term like personal data is going to create challenges for organizations. Organizations always like to say, hey, here are the 15 or 20 data elements that represent what's PII, so let's just make sure we're applying our controls, our safeguards, and we're managing our data subject rights accordingly for those data elements. It's a much easier test than where we're at today with a much broader view of personal data. So we just wanted to highlight that: understanding how broad personal data can be in certain organizations, depending on the industry, depending on the product or service you're offering to your customer base, is something you need to consider. And you don't want to fall down the trap of trying to identify certain data elements, but rather the context of how information is being collected, how it's being used, how it's being transferred in those processing types of activities is much more important than specific data elements. Now, sure, we want to apply certain security controls and certain mitigating safeguards to mitigate the certain risks with certain data elements, but looking at it more at the processing activity often helps with a lot of the activities as you prepare for GDPR. The next area we want to talk
about is, we all know how complex it is if you look at all the articles, sub-articles and the recitals that help provide guidance into the various articles or sub-articles. So we all know this is the 99 articles that make it up, but also traditionally, for a controller or processor, roughly about 36 articles, plus or minus a few in either direction depending on your specific industry, are traditionally relevant for organizations acting in capacity as a controller and/or a processor. So something that we often find organizations get a little bit caught up in is more of a checklist mentality, where they go through and they try to look at each article or sub-article individually, try to understand what they've done as an organization or what they need to do as an organization to achieve alignment to the respective article. But that's not always the best way to think about it, right? A lot of these concepts, and here are two examples on collection and consent, a lot of these are very common privacy concepts that have been around for a long time. These are things that are very relevant and easy to understand from a business perspective, from a technology perspective. So one thing that we suggest as an option to help further clarify how to go about it, and how to bring these back to a meaningful use as you start talking to the business and IT and operations and so forth on what they need to do, and also from an efficiency standpoint in the execution of your readiness and the building of your implementation plan, is to group these by related topics. So if you group these, you're often left with, you know, just over a dozen, maybe 15 to 17 depending on how broad of a group you create, but then it comes back to those very relevant topics and related areas that will help with the overall implementation, help streamline the efficiency of it, and then also reduce some of the complexity. Now, you don't want to lose sight of the sub-articles or the specific articles that you might have grouped together, but having them in those like topics or like buckets provides for those efficiency gains throughout your exercises and even beyond, as you start to work on the implementation phase.

Which leads us into what we're seeing from a sequence of events, to where some organizations are, or where we see based on our direct insight and also through kind of our indirect contacts that we have at various organizations across industries as it relates to privacy. So this might be very familiar for many: starting off with that readiness benchmarking activity, understanding where we might have some gaps and we need to create a new process, enhance existing processes, enhance our technology to support those processes, and really designing that roadmap or that implementation plan of those specific [unclear] that need to be accomplished in order for our organization to further align with those articles within the GDPR; and then moving into that implementation, enhancement activities for higher-risk processes. So we'll talk a little bit more about how you could kind of separate or break your various tasks into these groups of high or moderate or lower-risk activities. So you can see there's kind of three shaded in green here; those are to represent where we see most organizations today, either working in one or all three of those buckets. And then the gray circles represent areas that, I think, unless you're very mature down the scale, I think it's rare at this point to see organizations already focused in and have completed their high-risk processes, have worked through those, have built a lot of the privacy program functions that will need to be created, enhanced those systems and so forth, and have now transitioned into the lower-risk activities and then operationalizing those. So just to give a little bit of a picture, we wanted to demonstrate this as we say: most organizations are in one of those three buckets, with the migration over the last couple months, I think, having a good amount of organizations working in that middle bucket there.

As we proceed into pitfall number three, this would
be around scoping activities. So as we say here, kind of that pitfall of not accurately scoping out what needs to be evaluated: what do we need to think about from an overall GDPR landscape and how it applies to our organization? So the first thing would be deciding the buckets of personal data that might be relevant. So, most organizations, if you have operations in the EU, you're going to need to be considering employee personal data, and often those processes vary quite differently from how you process, collect and transfer your customer data. So treating those as almost distinct but parallel, for which you're going to do your readiness activities, is something to consider. And then another area that we often see organizations get tripped up on is in the scoping as it relates to geographic locations, the departments, the systems that support it. As we know, as organizations tend to grow through acquisition, grow very fast organically, or have been around for a really long time and there's a lot of legacy processes, all those elements could lead to challenges when trying to determine where are we capturing this personal data, how are we processing this personal data, what functional teams are involved in those services or products, where are those teams located. It's all very common to have dozens and dozens, if not hundreds, of global locations, but maybe there is a reason we could scope some out, maybe there's a reason we need to scope them all in.

Which leads to two common approaches that we traditionally see, and these would be around taking that targeted-based approach. So let's say we're very keen on our operational practices; we have a very good, at least conceptual, understanding of our processing activities, so we could do a much more targeted discovery, whether through questions or in-person interviews or over the phone, where we're going to really refine our understanding as an organization around some of those critical processes that are involved in the collection or processing of that personal data, either on the employee or customer side. So taking a very targeted-based approach, compared to where we see organizations where maybe they don't have that great of a picture because they haven't gone through an information mapping exercise, they haven't done an evaluation around where their personal information resides. So maybe those types of organizations need to take a broad stroke, so maybe sending out some type of questionnaire or survey to hundreds if not thousands of employees that helps refine their understanding of those processing activities, so then you could further narrow down where you're going to focus your efforts from a GDPR readiness and GDPR implementation standpoint. And that could also help with the identification of those higher-risk processes. So there might be, you know, a set of, we'll just make up a number, a hundred processing activities that are occurring; maybe there is only 20 that are heavily involved in personal data. Sure, there might be ancillary personal data located in those other areas, but you know what, let's go focusing on those 20, and we'll try to finish everything by May 25th, but we've got to really focus on the 20. So that's where you can start implementing that risk-based approach.

And then the other area where
I'm sure all the listeners on the phone today could relate to, is some element of "this is an IT issue." We're brought in to many organizations where GDPR for some reason is thought to be an IT issue, or even just solely a legal issue, and those are the organizations that tend to miss some of the other elements that really are applicable from a GDPR standpoint. So we wanted to reinforce: as we all know, it's not just an IT effort. IT is greatly involved and a very vital department to helping implement and align with the various GDPR articles, but it's definitely not solely an IT issue. Same with legal: the legal opinion needed to ensure appropriate implementation of a GDPR program is vital to the success and extremely important from a risk mitigation standpoint. If you are going to take a certain stance in those gray areas we talked about earlier, your legal team, both in-house and external, need to be comfortable with those decisions so that they are in a position to communicate to regulators, if that event ever needs to occur, and are able to defend that position that the organization takes. So while they're vital, it's definitely not solely a legal issue.

But we all know there are tools out there, and even in the professional services we get a lot of inquiries and details about different tools out there to help with the implementation. And while there's definitely different tool sets to help with various articles, I think there is often a misconception that if you get a tool, you're good from a GDPR standpoint as it relates to certain articles, which isn't always the case. As we all know, there's the workflow that needs to be designed around it, there's the operational aspect, there's the implication that might have on marketing, that might have on your HR teams and so forth. So all important elements of building your GDPR program, but we shouldn't think of it solely as a technology issue. And then we all know that there's other tools out there, especially some of the newer privacy management solutions, that will help more from the operational side. So as you start to implement some of the GDPR readiness activities within your organization, there's privacy management solutions out there to help with the ongoing maintenance and operation, making it efficient on a regular, ongoing basis. So there's definitely different opportunities out there. And now I'll pass it over to Francesca, who will talk a little bit more about some of the other pitfalls that we mentioned earlier on.

Francesca: Thank you, Eric. So, [unclear] now that we may have [unclear] from a readiness perspective and we're moving towards more the implementation, and we have identified certain projects, a common pitfall that we have seen is underestimating the level of cross-functional efforts across some of the initiatives that are coming out of remediation projects. So this is definitely beyond IT and privacy, right, in initiatives such as the right
ratio right to that report ability right
to that subject right there to me
require involvement and from other
departments and in the in in not having
a clear ownership of who's going outward
and who plays a key role in some of
these projects you know often can commit
to inefficiencies can lead to companies
and spin their wheels and in spending a
lot more time and effort that they
should have so you know wanted to share
with you guys the risk instead of the
project department owners in
collaborating apartments right so having
a clear definition of not only who's not
on the project but
so defining collaborate apartments that
would also play a role in allocating
resources and effort since they can help
with certain pieces of the activities
within the project becomes very crucial
when you're designing implementation
plan so for example we see early in this
table if we're thinking about a project
around having to enhance the consent
forms for your customer data so we could
think well privacy will own it you know
and then they could be that the
facilitator and in the way that you
definitely want ownership because if not
nothing at Sun
however privacy department may need
super for mighty right because you can
imagine that these consent forms some of
them might be changes that need to be
done on certain websites for example you
also need feedback from legal since as
you're approving that in that form in a
universally input from legal making sure
that that's within the GDP requirements
and then if we're thinking like that one
of those forms is relates to a medical
department because you might have a
department that is collecting medical
information this department will need to
update their procedures in internal
training and so forth so the the people
on the field are going to use the new
form that we are enhancing and then we
have marketing of course right when that
comes in form right now we might be
collecting more information that we were
before or less and now when you think
about okay how we're planning from a
marketing perspective on marketing or do
it with information for marketing right
and then another example could be your
your customer care department right and
they will need to update also the
procedures on how they're collecting
that consent over the phone so you may
need to update the scripts so all of
these projects become become having sub
tasks and you have different
collaborative departments that are
helping the privacy team as a project
owner to make sure that all of this gets
done
So hopefully this gives you some visibility into that, and I think another thing that has worked very well, to make sure that we also are able to define in a better way what is the type of the project, and it helps provide visibility around the level of effort, and when you're presenting your planning and getting executive approval it's easier to explain, is grouping these projects into these three categories here that we have at the left. So we're thinking about what changes do we need to make; so we can think about recommendations as relates to the governance domain, so these are recommendations that are around policies, procedures and standards updates that may need to be either created from scratch, because we did not have it, or that we need to be enhancing to ensure alignment with the GDPR. Then we also have certain changes, recommendations, that can be categorized around the operations in the business, and so these recommendations will indicate an area in which those business departments will need to make certain changes to the way they're applying those policies and those procedures; so the example that I provided before, around those scripts that the customer care department will need to use under the consent process, can be classified as such. And then around the systems, so, as we all know, data will reside across hundreds of systems, and so we may need to make certain organizational and technical practices or certain configuration changes, we may need to add certain features in our systems, or we may just need to change the functionality of some of them or the security controls on top of it, and so some of these recommendations can be categorized within this category.

Another key component, right: we talked about the project owner, we talked about the collaborating departments, but having certain other attributes, as you see, defining the implementation projects becomes useful from a prioritization perspective, for managing expectations and level of effort. So having your key deliverables clearly defined for each project, that way you're able to measure them, whether they're done or not; having a priority within it; and then having some estimate of resources and duration, and that also becomes key, as you know all of these become a cost to the organization, and you may have in your organization different budget processes at the corporate level versus a specific division or business unit level. So being able to provide for each project the estimated resources that are going to be needed, either external or internal, estimated cost and duration, becomes very key. And a particular component, a critical part, will be the dependencies with other projects. So for example, in this figure on the right we have an example around the DPIA program, and how we have key deliverables around the DPIA policies, the process and the questionnaire, but we may have a different project around privacy protection by design which interrelates with DPIA, and there are certain components within DPIA that they will need to consider in the plan for the successful completion of the privacy protection by design policy, right. So having that clear understanding, where we may have different departments owning those two projects, becomes very useful as you guys are working towards your plan and working on program management going forward.
And then the biggest challenge that we see, I think, is that companies are realistically being forced to understand the fact that we cannot finish everything before May 2018, and companies, depending on their size, are understanding that and applying that risk-based approach that Eric was talking about in the beginning of this presentation, right, where we were talking about prioritizing the high-risk projects, processes or systems. So depending on the size of the organization, the numbers of processes and systems may vary, but beyond that, because of the scope of that personal data, because of the broader definition of personal data, the in-scope systems and processes is a much larger number than the companies can realistically address and tackle in this short time frame. So something useful to consider might be, for instance, to focus on high-risk systems, for example; start with the higher-risk systems. And what does that mean? Because we have different answers, and I know companies are used to thinking of financially significant systems for public companies in the SOX world, or systems that may have just PII, but now because of this definition we're going to have a lot more systems, so high-risk systems, for example. And then we can provide you some insight into some risk index criteria, or factors, that can help you think about that.

So for example, the sensitivity of the personal data elements: what is the degree of sensitivity for those personal data elements? For example, even though anything can be considered personal data, the possibility of losing a social security number versus a passport number versus just a name, even though it's still within the scope of GDPR, all of those elements together can give you an indication of how risky the system is, and companies can choose to focus on the systems that have more sensitive data elements first. Volume also becomes important: the number of records of the personal data elements that you may have, so it also can be another criterion that can be used to calculate the risk index for that system. And then this concept of systems managed internally versus externally: what we mean here is basically the assumption that, from a GDPR readiness perspective, systems that are managed by a third party will be considered to have a lower impact for the GDPR readiness, because of the responsibility of the third party and reliance on them for configuring that system, the system architecture, their hosting of the data, and we're going to have all the requirements that the companies are pushing on the vendors and third-party systems; but if it's not configured by you guys, there's less effort from a GDPR readiness perspective, so that's also a factor that can be used as you decide to prioritize your systems. And then of course data types, which I know Eric spoke about in the beginning, but I think what companies are doing, even though that does not mean that we don't care about employee data, however, the customer or end-user data we are holding in our systems, especially a larger amount of data, also from a GDPR perspective provides a higher risk for that data, from the possibility of having data subject requests, and reputational risk and so forth; so companies are giving a higher weight to customer data and, on the contrary, putting their employees' data on a second priority.
All right, so hopefully that gave you some idea of some common pitfalls that we have been seeing. I think we also wanted to give you guys today some visibility into some of the technical project activities that we have seen come out of the GDPR readiness activities. As a result, we have different types of projects and programs around technical measures, around encryption, data masking, right to erasure, right to data portability, and then we have all the ones that have been more on the privacy side, around DPIAs and privacy by design and data protection officer and so forth. I think a couple of ones that I want to highlight today for you guys: the system-specific assessment program. You know, the GDPR clearly states that the data controller or processor should implement a process for regularly testing, assessing and evaluating the effectiveness of those controls that the company will have around the security of the processing, so it's not only how many controls but how the company is really testing and assessing the effectiveness of those controls. And so that becomes kind of significant from a scope perspective, because now we have more systems, and you can have a public company where you may already have good monitoring controls and security measures around your SOX systems, but you may not have that applied yet to systems beyond your SOX systems, right; so now that you have all these high-risk systems that are in scope for GDPR, what we have seen companies doing is picking and choosing certain controls, for example evaluating the effectiveness of the access controls, and they're doing user access reviews, and they're prioritizing and rolling out that program that you already have, where you already have a program in place, rolling that out to those systems. So that's one way how companies have been addressing that one.

And then the other one that has definitely created a lot of questions, and we see companies approach it in different ways, but I think something that we want to highlight as it relates to the guidance that has come out around this, is the data protection officer function, and how companies are handling a specific challenge. The main challenge has been that if you already have a European operation, you may already have somebody working in the position of a DPO under the current EU directive, and outside of GDPR that person's roles and controls are not clearly aligned with what the GDPR would require in the future, because those persons in that capacity are performing a lot of duties which can make them conflict with the monitoring obligations of the DPO, because the DPO requirement for the GDPR really has this monitoring type of role where that person is supposed to be performing audits and oversight of the regular privacy functions. So I think what we have been seeing is companies considering, if they already have key privacy personnel that perform specific functions, coming up with either an external, or a new position, creating a whole different position that will oversee that team and provide that monitoring and oversight, however would not be embedded in providing the day-to-day functions, so it doesn't conflict with that monitoring requirement that the GDPR brings into light. And I think I'll stop here to show you the other activities, and I think we could touch next on some of those, and I know many of you are probably very interested in consent and in other requirements, but hopefully this gives some perspective into some other initiatives that we have been seeing and how companies are starting to tackle those.
All right, it appears we're behind, there's something coming through on the phone line, but I'll talk about a couple of these ones. So I think another one that we want to touch on today is around the processor and sub-processor determination procedures, right; there has been a big topic around what requirements we need, like what do we need to do with third parties and what do we need from our vendors and what requirements we have on them. So this is one where we're not only making sure that the companies are reviewing those contracts and agreements, and making sure that there are new requirements and clauses around GDPR compliance, but also, not only from a contract and agreement perspective, we will need to also consider them as part of the workflow for some of those activities, around right to erasure, right to data portability, where we may need to include the third party as part of the workflow. So that's one that I think companies are just focusing on the legal part and just pushing a contract down to them, but definitely the third parties also have to be part of certain key workflows for some of those new processes that we now want to put in place. The rest of the initiatives that we see here, where we have data subject rights, permissions for consent, privacy notices, these are definitely some that will have a lot of collaboration between the privacy requirements and marketing and so forth, and I was touching on one of those examples before. And then the field of privacy training will need to be expanded substantially; companies may already have one, but I think this is something that, as companies are choosing to deliver, later on they still update policies and procedures across all these other projects, and as new procedures are put in place privacy training will be key to reinforce and demonstrate that you are able to operationalize these new changes into the organization.

All right, so I think I'll pass it back to Eric now, so we can kind of conclude and elaborate on how we have seen organizations being able to communicate this implementation planning, so some lessons learned over there with some organizations.
Thanks, Francesca. Yeah, and just to close it out here, one of the last topics we wanted to touch on was the importance of the communication of that implementation plan. So something that we found to be effective in communicating the obligations of the various ownership of these projects, the collaboration that Francesca walked us through that needs to take place for a lot of these articles, is the communication aspect. So, you know, we think that the performance of various workshops and seminars, internally to your organization, that bring together those collaborative teams to work through the specific tasks that have been defined within those projects for the execution and implementation of those various activities to align with the GDPR articles, is key, and making sure that, at least early on, the right decision makers are there, whether that's your senior leadership or the executive team that needs to be part of those, to ensure that the right time, the right funds and the importance of these initiatives for your various organizations is communicated. So overall, I think communicating more frequently than maybe a traditional project, because of the collaborative nature, is something that we see for organizations that have had success in the beginning of the implementation of those key activities.

And then really just to leave it here before we open it up for questions for the last 15 minutes, just the three key points, if you could take away. So, as we mentioned, we're just under 10 months to go, and taking that risk-based prioritization, really looking at it at a tactical level, thinking of the specific execution on the line-by-line projects that need to be done to get movement and to start making progress to further enhance or implement operational, governance and technical elements that need to be implemented; but prioritization is key. Looking at everything collectively could be overwhelming, but if you're able to prioritize using some risk-based formula it really helps with the implementation and the execution. Another thing that we see often becoming kind of a highlight of these projects is, since there are a lot of moving parts, having a dedicated project manager, somebody either internally or externally assigned to helping monitor, track and even ask for clarification, as this is a huge area where often it's new to everyone, but there needs to be that collaborative, at least, individual or individuals who could bring together those decision-makers and keep the progress moving along; so having that dedicated project manager, especially for the larger scale implementations, is key. And then we all know that the clock is ticking, but not to just fear the deadline but to achieve it, taking that prioritization and risk-based approach. So I believe I'll pass it back over to Lee right now, who will then walk us through the Q&A session.
Thanks, Eric, appreciate that. So okay, so the questions have been coming in fast and furious here in the presentation, so thank you to everybody; we will attempt to get to as many as we can and answer them in the order we received the questions. For those that we don't get to, we can provide a response after the presentation for your convenience. So with that said, the first question for the panel is as follows: what are we finding are the largest projects that need to be tackled in terms of timing and effort?

All right, okay, I can take that one, this is Francesca. So I think in terms of cost I would say definitely any project that requires a purchase of any tools and then making changes to systems, such as encryption and data masking types of initiatives; I would say those, I think, we've seen are taking the largest amount of effort in terms of cost. And in terms of timing and in level of resources, then we see some of those ones that I spoke about, around those where we have to make changes to a whole workflow, where we have different departments involved from beginning to end, like the right to erasure, data portability; we definitely need to make changes throughout the whole workflow, different parties, and then that takes a lot more time, and then you have to retrain different departments and such, so it's different components of that. So I think those are the ones that take longer in terms of time and effort.

Okay, great, thank you. So the next question here: which risks should be prioritized in terms of what regulators are placing a heavy focus on?

This is Eric, I'll take this one for you. So while we don't have perfect vision into the crystal ball of what the regulators might be after, I think, based on just the history of other enforcement outside of the GDPR, it would be ones that have a pretty strong direct impact to the data subject. So what I mean by that would be things like if an organization failed to implement an avenue for a data subject to request their information or request the right to erasure; and, just say they're an e-commerce platform, they didn't have a link, they didn't have a number, they didn't have a communication channel for that individual to put such a request in; the perception is that that would be highly unfavorable by the regulators, and it would be viewed as very transparent to the regulators that you didn't do your part of implementing and aligning with the various GDPR articles. So things that tend to be very data-subject focused would definitely be the higher-risk areas, at least the perceived higher-risk areas, compared to things, as Francesca was mentioning earlier, like the system-specific assessments that should be performed; while those are things we absolutely should implement, the transparency from the outside would only come into play in the event that we didn't do something or we were requested to demonstrate our adherence to that, but it wouldn't necessarily be as transparent day one. So taking that prioritization based on the direct interaction with the data subject could be one avenue for addressing those higher-risk areas.

Okay, great, thanks Eric.
So here's another one: what are some GDPR projects that can be performed concurrently?

I'll pick this one also. So I think as we enter this phase of the readiness and implementation, as we're under the ten-month mark now, we definitely see a lot more concurrent project tasks happening, definitely see a lot more things happening in parallel than maybe we did six to twelve months ago. So I think some of the ones that we traditionally see are a lot of the security activities; so maybe an organization has decided to implement encryption at rest for some of their higher-risk systems, maybe they've decided to do other enhanced security safeguards as well, so a lot of those technology and security related activities that might be part of an implementation plan, we see a lot of that happening concurrently as well. And then some of the other activities would be a lot of the governance functions; so each of those implementation projects that Francesca walked us through, each one of those traditionally has a governance or policy or procedure element, so usually there could be multiple, dozen-plus work streams of policies and procedures being created to define the standards and baseline requirements for those specific governance activities, so a lot of those could be done concurrently as well.

Okay, great. So plenty of questions coming in, still fast and furious; I'm sure we'll have time for at least two more. This one's got a lot of long words in it, so I'll try: do privacy impact assessments need to be retroactively performed for all processing activities to ensure that evidence is maintained that it was performed?

All right, I'll take that one. So I think the way we think of this one is through a combination of two components. So I think some of the readiness activities, if they're done in a way that you are able to get that broad coverage, so we were speaking before about defining your high-risk data flows, processes, systems and third parties, and I think there's a good argument to justify what we are doing with the current state, anything that we were doing before in terms of processing that we have defined within that GDPR readiness, and any gaps or enhancements that need to be made for some of the current-state processes and activities; so I think then you wouldn't have to do that retroactively if you're doing that. And then going forward, though, not only do we define your DPIA program, making sure that any type of initiative that may have any scope from a GDPR perspective goes through a DPIA; you're also, in another key initiative that we have mentioned earlier, which is around privacy by design, making sure that your privacy by design policy, privacy by default, is coming into play as companies are defining new processes, new systems, and even in the change management and software development lifecycle activities. If you're doing that, then that helps with the go-forward and continued maintenance of the new framework you put in place.
Okay, great, thanks Fran. I think we have time for one more here; this is one that I'll read: for third parties holding data on our behalf, is there a report or certification we need to get from them to ensure they are following the GDPR requirements?

And I'll pick that one. So there are a few different obligations of our third parties that might be holding the data on our behalf. So, as some of you might be familiar, there is the certification element to the GDPR; however, it's still yet to be defined what that certification will entail, what standards it might be aligned to, and so forth. That's something we should definitely keep our eyes on as the working party provides more guidance on the actual GDPR certification per se, and then what organizations might be able to go through that and what that might entail; that'll definitely be a key piece there. Additionally, depending on if it's more of an IT provider, as this question alludes to a little bit, holding your data, reliance on at least a certain element, on like an ISO type of certification, or, more based here in the US, maybe some type of SOC 2 under the AICPA, will give you some comfort on the controls that they have, at least on the security for those processing activities that they're doing on your behalf. So there are a few different angles you could take, but you definitely also need to consider the contractual updates that will need to be made to those relationships, depending on what type of service they're providing. So a couple of different angles that can be taken, but then we all need to keep our eye on what that certification would be as it gets further defined here over the next few months.

Okay, great, thanks Eric. Well, it looks like time has got the best of us; we're roughly against the hour here, so that'll have to wrap up the Q&A part of the webinar. If you have a question that we didn't answer, or if you'd like to talk with our experts about your GDPR plans, feel free to reach out, and you can reach us through our website or Twitter, or drop us a line at the email in the bottom right corner of your screen, which is info@focal-point.com. So I'd like to thank everyone for attending the webinar today. As a reminder, we'll be sending everybody a link to a recorded version of the webinar tomorrow, and we will also post the presentation from today; a number of people have asked us about that. And as always, feel free to check out our additional GDPR resources on our website. Thanks again for everybody on the call, and bye for now.