A successful GDPR Program
Praticamente GDPR – Spike Reply
© CLUSIT 2017 – Praticamente GDPR

Agenda, Part 1
• Do not call it a project!
• Top-5 priorities for getting ready
• Different points of view?
• 7 don’ts you should know
• Get the Board involved
Do not call it a project!
• By May 25 2018 you should have put in place a Privacy Management System to be compliant with GDPR, and be able to show it.
• The complexity of the many requirements, the wide scope of application (data and applications), and the limited timeframe and resources available imply that sound Program Management is a key success factor.

Processes: Data Breach Notification, Privacy Impact Assessment, Information request handling, Privacy Audit, Privacy Training, Privacy by Design. These will be rolling activities whose effectiveness should be measurable, in order to assess the effectiveness of the whole Management System.
Policies and Controls: the Governance Framework, from guidelines to procedures to records to audit trails to organizational and technological measures.
People: beyond the DPO, where required, further roles are necessary in a company to distribute responsibilities. There is no one-model-fits-all; each company should evaluate the most appropriate privacy organizational model.

Do not call it a project! cont’d
• A challenge is posed by the cultural change most companies will face during the set-up of the Privacy Management System: the common perception of privacy and data protection as a bureaucracy cost will hinder the implementation of the GDPR Program.

«The will to succeed is important, but what’s more important is the will to prepare.»
Bobby Knight, American basketball coach
Top-5 priorities for getting ready
Define your priorities by answering the following questions:
1. Your role: do I know my role, as Controller or Processor, for all the processing activities?
2. DPO & model: does my current privacy organizational model fit the GDPR?
3. Accountability: can I show accountability in all processing activities?
4. Customer data rights and data breach: am I ready to face data subjects’ requests exercising their rights, and to respond to a data breach?
5. Cross-border data flow: are all my cross-border data flows compliant with GDPR?
Communicate with stakeholders.
Different points of view?
Data Protection Authority: Is the Governance Framework complete? Are practices aligned to it? Are roles assigned? Can you show evidence of effectiveness? Is a remediation plan defined for breaches?
Customers: Can you delete my data? Why are you contacting me without consent? Why did you disclose my data that I erased some time ago? Who are the third parties processing my data, and where?
GDPR Program Manager: Are task ownerships assigned? Are task dependencies clear? Are goals achievable? Is the Program endorsed adequately? Is the working team skilled? Are criticalities addressed?
Privacy Officers, Legal, Compliance: Are privacy risks assessed? Are employees aware of their duties and responsibilities? Are company practices on data compliant with policies and notices? How long is data retained?
CTO, CDO, CSO, CISO: Do applications store audit trails to support breach prevention and management? Are user access rights and profiles validated? Is data protected adequately from collection to erasure?
Or converging needs for the Program?
7 don’ts you should know
• Delay the awareness of the Board
• Skip the review of your organizational model
• Use a sledgehammer to crack a walnut
• Focus on privacy, postponing security
• Assess and test the customer-facing processing activities
• Underestimate the importance of a skilled team
• Run separate initiatives
Get the Board involved
With privacy and data protection business cases

Privacy for Mktg and CC
• Is consent documented for all processing activities?
• What do we risk if we keep processing data of old customers without consent?
• Are our profiling activities with big data analytics legitimate?
• Should I erase or de-identify data of old clients?

Privacy for Workplace
• Do we respect employees’ rights during hiring, performance management, whistleblowing, surveillance?
• Are employees aware of their duties and trained on the governance framework (data retention, data breach, privacy and security by design, customer requests, data classification and protection, …)?

Privacy for Supply Chain
• Do contracts include adequate privacy and data protection clauses?
• Do we assess the privacy risks for third parties?
• Do we outsource offshore?
• Do we assess cloud-based services and external system administrators?

Privacy for ICT
• Are user access rights and profiles validated?
• Are logging and monitoring set up for all relevant systems and applications?
• Are backup and restore procedures tested regularly? Are ICT vulnerabilities assessed and addressed?

Each business case pinpoints possible gaps and the exposure of the Board. Use this leverage to budget remediation activities.
Business cases can be built for most company areas and data categories. Start from GDPR requirements and highlight the known gaps and the consequences of violations for the Board. Assess the cost of remediation activities and propose a prioritized remediation plan orchestrating all needs. Benefit from these cases also for self-assessment tools and for training, throughout the Program lifetime.
Agenda, Part 2
• Sample roadmap
• Sample macro-plan
• Sample team
• Privacy Program after May 2018
Sample roadmap (illustrative)
Starting point: preliminary analysis and assessment in 2016, early awareness to stakeholders (remark: if you didn’t do it, hurry up!). TODAY: 14 months left to have it done.
Milestones from launch:
• <3 months: Board consensus, Plan defined, Working Team operative
• 9 months: Global Privacy Governance Framework approved
• 10 months: most ICT assessments and ad-hoc PIAs in progress
• 15 months: Framework applied in all Countries and legal entities of the group
• <16 months: employees trained, most ICT assessments achieved and remediation plan implementation launched
• <18 months: GDPR-readiness, Privacy Management System auditable; a few remediation plan implementations will likely still be in progress
Timeline axis labels: Dec 2016, 15-3-17, 15-4-17, 15-9-17, 15-10-17, 25-5-18.
The roadmap is illustrative; the actual roadmap widely depends on the initial scenario, strategy and resources available to implement the Program.
Sample roadmap cont’d
Global manufacturer, market leader
• Compliance is in the US; the review of the privacy governance framework is temporarily on hold and late, as the current framework is incomplete
• ICT is leading an IT assessment and is updating the company IT asset inventory with privacy metadata; privacy by design is already in place, no data breach management in use yet
• More than 30 countries, still lack of endorsement from the Board

Global large manufacturer
• The Privacy function led an early self-assessment in 4 continents to assess privacy gaps in minor countries
• Early awareness to the Board, strong culture of IT risk & audit, global framework under review, organizational model under review, scouting of GRC tools in progress

Mid-size online bank
• Early program management exercise to identify priorities
• Early awareness to the Board
• Governance framework under review
• IT assessment postponed, Internal Audit in the working team, no DPO appointed yet

Italian pharmaceutical service provider
• Late start; IT is leading an initial assessment with the support of Compliance
• Limited initial budget, and sharp focus on critical data processing areas
• Organizational model to review, no DPO appointed yet

Global ICT consulting and service provider
• Group with more than 90 operative companies in 3 continents, half of which are IT service providers in different industries: telco, media, healthcare, public administration…
• Strong endorsement from the Board, structured communication plan
• Data mapping in progress, global framework and organizational model under review (local DPO)
• Legal tracking activities in progress, IT assessment of central services under planning
Sample macro-plan (illustrative)
Hypothetical launch in January 2017. Program timeline: Jan-17, Mar-17, Jun-17, Sep-17, Dec-17, Jan-18, Mar-18, May-18; count-down from 16 months at launch to 0 on 25 May 2018 (end).
Program Master Plan, tasks in 3 phases *:
• Kick-Off of the GDPR Program
• Set Vision, Strategy, Team and Plan
• Consensus of the Board, Communication Plan
• Develop the global Governance Framework and the Organizational Model
• Local Legal Tracking, ICT Assessment
• Ad-Hoc PIA, Remediation Plan
• Implement the global Framework locally
• Train management and employees
• Test customer-facing activities
• Audit Framework, Implement changes
• GDPR Program implemented
Milestones (legend: Planned, Baseline, Milestone, Major Milestone): Launch; Plan approved, Team operative; Board aware, Communication Plan; Global Model, Guidelines, Standards, Procedures; Major Remediation Plans; Controls Implemented; Employees trained; Framework in all Countries; Privacy Management System auditable.
* Illustrative macro-plan; a detailed plan is largely dependent on the company Context, Strategy and Team.
Sample team (illustrative) *
Steering Committee and Sponsors
‒ People: Board, Heads of Departments and other Stakeholders (e.g. Mktg, HR, Compliance, Legal, ICT, Ops.)
‒ Role: Vision, Strategy and Goals Setting; Endorsement and Program Visibility
Program Coordination and Quality Assurance
‒ People: GDPR Program Manager
‒ Role: Coordination, communications, escalation management; Interface towards Stakeholders and the Working Team; Support the DPO for Program quality assurance
Program Auditing and Approval
‒ People: Data Protection Office(r); Internal Audit; Specialized 3rd Parties and consultants
‒ Role: DPO: check and approval of intermediate/final deliverables; IA, 3Ps: if present, support the DPO for ensuring the auditability of the Privacy Management System
Program Implementation
‒ People: Chief Privacy Officer; Privacy and Security Practitioners; Company Areas Privacy Champions; Specialized 3rd Parties and consultants
‒ Role: CPO: lead, coordinate and supervise the working team, interface with the DPO and the Program Manager; Practitioners, i.e. the working team: develop the framework documentation, perform the information gathering (interviews, workshops), deliver assessments and remediation plans; Areas Champions: support the working team, sharing and preliminary validation of partial outcomes; 3Ps, Consultants: support the working team
* Illustrative team for a large company; in smaller companies roles and responsibilities could be aggregated.
Program after May ‘18
Privacy and Data Protection Management System, run as a PDCA cycle (PLAN, DO, CHECK, ACT):
1. Strategic Management: Vision, Mission, Strategy, Team
2. Develop and Implement: Framework, Policies, Standards, Guidelines
3. Performance Measurement: Metric Lifecycle
4. Assess: Assessment Models; Assess Key Areas (Data, Systems, Process); Conduct analysis and assessment
5. Protect: Data Lifecycle Management; Information Security Practices; Privacy by Design
6. Sustain: Monitor, Audit, Communicate
7. Respond: Information Request, Legal Compliance, Incident Planning, Incident Handling

By May 2018 you will likely have implemented most of the framework, and started checking it. No matter why and how, what you should focus on is keeping it going as a rolling overall process which improves over time and produces all the accountability trails required by the GDPR. It is not a 14-month exercise: it is a new regime of data protection looming over the EU and beyond.

Thank you
Our GDPR Journey
