GDPR project board deck (example)
- 1. INFORMATION SECURITY & DATA PROTETION DATA PROTECTION @TommyVandepitte
- 2. BUSINESS Price Profit Cost External Cost Internal Cost (perceived) value for customer Value proposition Value creation Value delivery Value capture experience convenience meeting the customers’ needs product design meeting the qualifiers image additional functionalities future proofquality people meeting the users’ needs culture
- 3. VALUE CAPTURE IS HARD Value captured = Value of the business
- 4. THE SAUCE IS ALWAYS AT RISK • Financial risk • Solvability • Liquidity • Cash flow • Operational risk • Counterparty risk • Customers • Credit risk • Suppliers • Market risk • Reputational risk • Legal risk • ...
- 5. THE WORLD IS “VUCA”
- 6. 4 KEY CHALLENGES “Change comes from outside. And that is what you should use to challenge how your team has got to the end product.” - Prof. Stijn Viaene - Use 4 key challenges: • Experience IS value, not just functionality. The reference experience is NOT the sector, it is Google, Facebook, Uber, … • Customers are moving targets. • You can’t (and shouldn’t) have it all in-house: data, skills, … What is core and should be owned? What can we outsource? • You need well architected information systems.
- 7. APPLY Whatwecomprehend What there is to know What we don’t know we know What we know we know What we don’t know we don’t know What we know we don’t know Unknown Unknown Known Known
- 8. MODELS & FRAMEWORKS • Business threats a.o. disruption / creative destruction
- 10. RISK APPROACH Impact Likelihood Share Accept Avoid Mitigate High High Low Low Impact Likelihood Mitigate Cont. monitoring Share Accept Per. monitoring Mitigate Cont. review Avoid Mitigate Per. Review High High Low Low
- 11. THE IDEAL
- 12. FOR REAL ?!
- 13. ISDPP IS (JUST) ANOTHER RISK • Customers • Who are your customers? • What do your customers value? • Why do your customers choose you? • Suppliers • Who are your customers? • What relationship do you have with your suppliers? (“value partition”) • Why do you have this relationship with your suppliers? • Competitive edge • Culture • Ideas • Operational excellence • Cost control • Trade secrets • Protectable intellectual property • … Part of the secret sauce
- 14. INFORMATION MANAGEMENT ARCHITECTURE LIFECYCLE • Databases • Links • Silos v transversal Information asset ownership
- 15. ISDPP “INTELLIGENCE” WHAT IS OUT THERE? • (Information) Threat Intelligence • network • peers • vendor information • threat reports • threat intelligence services • futurists • sci-fi • …
- 16. Environment Physical Human Device Application Repository Carrier LAYERS & DIMENSIONS Risk Assessment Risk Decision Controls Incident Management Changes • In the regulatory environment • In processes • In people (JLT) • In technology Network Data 3rd Parties • 1st line • 2nd line • 3rd line • Impact • Probability • Avoid • Mitigate • Share • Accept
- 17. LEGAL OVERVIEW Control Data Subject Processing personal data Data Controller Data processor Finality Legitimacy Transparency Organisation proportional End-to-end
- 18. GDPR - NEW • Processor now also an addressee • Organisation • ”Accountability” (reversal of the burden of proof), concrete • Processing register (and risk register) • Privacy impact assessment (“PIA”) • Privacy by Design and Privacy by Default • Data Protection Officer • Acknowledgement of “frame”-mechanisms: certifications, codes of conduct, binding corporate rules,… • Incident management and data breach notification • Rights of individual are increased and further elaborated • Enforcement • Administrative fines universal and uniform • Collective actions of individuals universal and uniform
- 19. GDPR – CHANGE - VISUAL Control Data Subject Processing personal data Data Controller Data processor Finality Legitimacy Transparency Organisation proportional End-to-end
- 20. CHANGE PROGRAM PROJECT • Change management • HR review • Roles and function review, a.o. o DPO needed? o Information asset owners ? • HR processes review • Communication & Training • Processes review • Processing register • In iterations for legacy processes • Consent of data subjects • Incident management review • Project management review • PIA, PbD, • Documentation => register • Complaints management (rights update) • Outsourcing partner review • Access management • IT review • Archicture view • Security measures: comfortable? • Need to have • Nice to have BUSINESS AS USUAL • Tone at the top ! • “Money where your mouth is” • Decisions on data protection • Sponsor • HR • Communication & Training • Awareness (= top of mind) • Processes • Periodic review and update • IT • Security is moving target – upgrade, patch, decommission • New development - PbD • Monitoring & Reporting • Test • Firs tline controls (KPI, SL, etc.) • Board reporting to ISO and DPO • Consolidating dashboard to top management In parts / iterations
- 21. CHANGE RISK
- 22. CONTROL THE CHANGE Change management • Decisions • Action plan • Tone at the top • Budget and skilled people • Multinational coordination ?
Editor's Notes
- #8: “As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don’t know we don’t know.” – Donald Rumsfeld https://www.theatlantic.com/politics/archive/2014/03/rumsfelds-knowns-and-unknowns-the-intellectual-history-of-a-quip/359719/
- #10: Dorfman 1997 Tolerate (retain), Treat (mitigate), Terminate (eliminate) and Transfer (by contract or insurance) Check GRC Tuesdays: a new approach to risk oversight: A lens to look through and levers to pull” SAP