Praticamente GDPR Spike Reply PART 1



Agenda (Praticamente GDPR, Spike Reply, PART 1)

Do not call it a project!
Top-5 priorities for getting ready
Different points of view?
7 don'ts you should know
Get the Board involved

Do not call it a project!

By May you should have put in place a Privacy Management System that is compliant with GDPR, and you should be able to show it.

Processes: Data Breach Notification, Privacy Impact Assessment, Information request handling, Privacy Audit, Privacy Training, Privacy by Design. These will be rolling activities whose effectiveness should be measurable, so that the effectiveness of the whole Management System can be assessed.

Policies and Controls: the Governance Framework, from guidelines to procedures, records, audit trails, and organizational and technological measures.

People: beyond the DPO, where required, further roles are necessary in a company to distribute responsibilities. There is no one-model-fits-all; each company should evaluate the most appropriate privacy organizational model.

The complexity of the many requirements, the wide scope of application (data and applications), and the limited timeframe and resources available imply that sound Program Management is a key success factor.

Do not call it a project! (cont'd)

A challenge is posed by the cultural change most companies will face during the setup of the Privacy Management System, due to a common perception of privacy and data protection as a bureaucracy cost, which will hinder the implementation of the GDPR Program.

«The will to succeed is important, but what's more important is the will to prepare.» Bobby Knight, American basketball coach

Top-5 priorities for getting ready (communicate with stakeholders throughout)

Define your priorities by answering the following questions:

1. Your role: do I know my role as Controller or Processor for all the processing activities?
2. DPO & model: does my current privacy organizational model fit the GDPR?
3. Accountability: can I show accountability in all processing activities?
4. Customer data rights and data breach: am I ready to face data subjects' requests exercising their rights, and to respond to a data breach?
5. Cross-border data flow: are all my cross-border data flows compliant with GDPR?

Different points of view? Or converging needs for the Program?

Data Protection Authority: Is the Governance Framework complete? Are practices aligned to it? Are roles assigned? Can you show evidence of effectiveness? Is a remediation plan defined for breaches?

Customers: Can you delete my data? Why are you contacting me without consent? Why did you disclose my data, which I erased some time ago? Who are the third parties processing my data, and where?

GDPR Program Manager: Are task ownerships assigned? Are task dependencies clear? Are goals achievable? Is the Program endorsed adequately? Is the working team skilled? Are criticalities addressed?

Privacy Officers, Legal, Compliance: Are privacy risks assessed? Are employees aware of their duties and responsibilities? Are company practices on data compliant with policies and notices? How long is data retained?

CTO, CDO, CSO, CISO: Do applications store audit trails to support breach prevention and management? Are user access rights and profiles validated? Is data protected adequately from collection to erasure?

7 don'ts you should know

Delay the awareness to the Board
Run separate initiatives
Don't review your organizational model
Use a sledgehammer to crack a walnut
Focus on privacy, postponing security
Assess and test the customer-facing processing activities
Underestimate the importance of a skilled team

Get the Board involved, with privacy and data protection business cases

Privacy for Mktg and CC: Is consent documented for all processing activities? What do we risk if we keep processing data of old customers without consent? Are our profiling activities with big data analytics legitimate? Should I erase or de-identify data of old clients?

Privacy for Supply Chain: Do contracts include adequate privacy and data protection clauses? Do we assess the privacy risks for third parties? Do we outsource offshore? Do we assess cloud-based services and external system administrators?

Privacy for Workplace: Do we respect employees' rights during hiring, performance management, whistleblowing, surveillance? Are employees aware of their duties and trained on the governance framework (data retention, data breach, privacy and security by design, customer requests, data classification and protection, ...)?

Privacy for ICT: Are user access rights and profiles validated? Are logging and monitoring set up for all relevant systems and applications? Are backup and restore procedures tested regularly? Are ICT vulnerabilities assessed and addressed?

Each business case pinpoints possible gaps and the exposure of the Board. Use this leverage to budget remediation activities.

Business cases can be built for most company areas and data categories. Start from GDPR requirements and highlight known gaps and the consequences of violations for the Board. Assess the cost of remediation activities and propose a prioritized remediation plan orchestrating all needs. Benefit from these cases also for self-assessment tools and for training, throughout the Program lifetime.

Agenda (Praticamente GDPR, Spike Reply, Part 2)

Sample roadmap
Sample macro-plan
Sample team
Privacy Program after May

Sample roadmap (illustrative)

The roadmap is illustrative; the actual roadmap depends widely on the initial scenario, strategy and resources available to implement the Program.

2016: Preliminary Analysis and Assessment; early awareness to stakeholders. Remark: if you didn't do it, hurry up!
< 3 months: Board consensus, plan defined, working team operative.
Dec (… months): Most ICT assessment and ad-hoc PIA in progress.
TODAY: 14 months left to have it done.
9 months: Global Privacy Governance Framework approved.
15 months: Framework applied in all countries and legal entities of the group.
< 16 months: Employees trained, most ICT assessments achieved and remediation plan implementation launched. A few remediation plan implementations will likely still be in progress.
< 18 months: GDPR-readiness: Privacy Management System auditable.

Sample roadmap (cont'd): six real-world starting points

Global manufacturer, market leader: Compliance in the US; the review of the privacy governance framework is temporarily on hold, late, as the current framework is incomplete. ICT is leading an IT assessment and is updating the company IT asset inventory with privacy metadata; privacy by design is already in place, but no data breach management is in use yet.

Global large manufacturer: More than 30 countries, still lacking endorsement from the Board. The Privacy function led an early self-assessment in 4 continents to assess privacy gaps in minor countries.

Mid-size online bank: Early awareness to the Board, strong culture of IT risk & audit; global framework under review, organizational model under review, scouting of GRC tools in progress.

Italian pharmaceutical: Early program management exercise to identify priorities; early awareness to the Board; governance framework under review; IT assessment postponed; Internal Audit in the working team; no DPO appointed yet.

Service provider: Late start; IT is leading an initial assessment with the support of Compliance. Limited initial budget, and a sharp focus on critical data processing areas. Organizational model to review; no DPO appointed yet.

Global ICT consulting and service provider: Group with more than 90 operating companies in 3 continents, half of which are IT service providers in different industries (telco, media, healthcare, public administration). Strong endorsement from the Board, structured communication plan. Data mapping in progress; global framework and organizational model under review (local DPO); legal tracking activities in progress; IT assessment of central services under planning.

Sample macro-plan (illustrative)

Illustrative macro-plan; a detailed plan is largely dependent on the company context, strategy and team. Hypothetical launch in January 2017, count-down to May 2018 (timeline: Jan-17, Mar-17, Jun-17, Sep-17, Dec-17, Jan-18, Mar-18, May-18; legend: baseline, planned milestone, major milestone).

Program tasks, in 3 phases:
Kick-off of the GDPR Program; Program Master Plan
Set vision, strategy, team and plan
Consensus of the Board; communication plan
Develop the global Governance Framework and the Organizational Model
Local legal tracking; ICT assessment
Ad-hoc PIA; remediation plan
Implement the global Framework locally
Train management and employees
Test customer-facing activities
Audit Framework; implement changes

Milestones:
Plan approved, team operative
Board aware, communication plan
Global model, guidelines, standards, procedures
Major remediation plans
Controls implemented
Framework in all countries
Employees trained
GDPR Program implemented
End: Privacy Management System auditable

Sample team (illustrative)

Illustrative team for a large company; in smaller companies roles and responsibilities could be aggregated.

Steering Committee and Sponsors
People: Board, Heads of Departments and other Stakeholders (e.g. Mktg, HR, Compliance, Legal, ICT, Ops.)
Role: vision, strategy and goals setting; endorsement and Program visibility

Program Coordination and Quality Assurance
People: GDPR Program Manager
Role: coordination, communications, escalation management; interface towards Stakeholders and the Working Team; support the DPO for Program quality assurance

Program Auditing and Approval
People: Data Protection Office(r); Internal Audit; specialized 3rd parties and consultants
Role: DPO: check and approval of intermediate/final deliverables; IA, 3Ps: if present, support the DPO in ensuring the auditability of the Privacy Management System

Program Implementation
People: Chief Privacy Officer; Privacy and Security Practitioners; Company Areas' Privacy Champions; specialized 3rd parties and consultants
Role: CPO: lead, coordinate and supervise the working team, interface with the DPO and the Program Manager; Practitioners (i.e. the working team): develop the framework documentation, perform the information gathering (interviews, workshops), deliver assessments and remediation plans; Areas' Champions: support the working team, sharing and preliminary validation of partial outcomes; 3Ps, consultants: support the working team

Program after May '18

Privacy and Data Protection Management System (PLAN, DO, CHECK, ACT):
1. Strategic Management: vision, mission, strategy, team
2. Develop and Implement: framework, policies, standards, guidelines
3. Performance Measurement: metric lifecycle
4. Assess: assessment models, assess key areas (data, systems, process); conduct analysis and assessment
5. Protect: data lifecycle management, information security practices, privacy by design
6. Sustain: monitor, audit, communicate
7. Respond: information requests, legal compliance, incident planning, incident handling

By May 2018 you will likely have implemented most of the framework and started checking it. No matter why and how, what you should focus on is keeping it going as a rolling overall process, one that improves over time and produces all the accountability trails required by the GDPR. It is not a 14-month exercise; it is a new regime of data protection looming over the EU and beyond.

Thank you. Our GDPR Journey