GDPR: Is it just another strict regulation or a great opportunity for operational excellence?


GDPR: Is it just another strict regulation or a great opportunity for operational excellence?
Xenofon Liapakis, General manager CIO & Services of Interamerican group, Chairman of Hellenic CIO forum. November 2017

Interamerican at a glance
- The most famous brand in the Greek insurance market
- The highest brand awareness: Interamerican 99%, Anytime 98%
- Market share: P&C 11,9%, Life 5,4%
- Financial results 2016: Profit 21M, GWP 329M
- The only insurer with its own Health and Assistance infrastructure
- Successful implementation of a multi-distribution model
- The 1st direct insurer in Greece, through Anytime
- Innovative products in Investments, Health, Assistance
- Group employees: 1.154
- Unique customers: 950.000 for Interamerican, 290.000 for Anytime
- Customer satisfaction: Interamerican 84%, Anytime 91%

GDPR: History & Timeline
- January 2012: European Commission proposes GDPR
- December 2015: GDPR agreed
- April 2016: European Parliament adopts GDPR
- December 2017: Achmea & Opcos adopt GDPR
- May 2018: GDPR takes effect

GDPR: General content (the roles the regulation defines)
- Data Subject
- Data Controller
- Data Processor: entity or person that processes personal data on behalf of the controller
- Recipient: entity or person to which the data are transferred

GDPR: Key points
- Focus on data subject rights
- Accountability for both the data processor and the data controller
- Data breach announcement to the supervisory data protection authority not later than 72 hours
- Implementation of security measures and structures within the organization
- Assignment of the Data Protection Officer role and responsibilities
- Sanctions range from 10.000.000 up to 20.000.000, or from 2% up to 4% of the total worldwide annual turnover, in case of breach

GDPR: Private data
- Digital identifiers: IP address (v4, v6), MAC address, X/Y geographic coordinate, social media (Facebook, Twitter, Instagram)
- Demographic data: name, gender, date of birth, age, nationality, country, city, postal number, phone number, email address
- Government identifiers: national ID, passport number, social security number, driver's license, vehicle registration number
- Organization: CV, employee number, bank account & credit card number
- Special category of personal data: genetic data, biometric data, gender, race, ethnicity, sexual orientation, political opinions, children's data, religious beliefs, philosophical beliefs, trade union membership, criminal record, medical data

GDPR: New principles
- Right to be forgotten
- Data portability
- Regulation of profiling
- Data monitoring
- Registry of reports & processing
- Classification: structured / unstructured (PII/SII)
- Wider definition of personal data
- Strengthening data privacy
- Accurate data
- Explicit consent
- Liability both for a controller and a processor
- Mandatory data breach notifications
- Accountability for data controllers & processors
- Sanctions for non-compliance / data breaches

DG & Security perspective
- Encryption & masking
- Rules for profiling
- Data user authorization
- Incident management process
- Providing access to personal data

GDPR: Our roadmap
1. Create governance & assign stakeholders
2. Analyze regulation
3. Present regulation framework to high management
4. Define GDPR & PIA approach
5. Establish methodology
6. Engage company functions
7. Execute PIA
8. Record outcomes and identify gaps & breaches
9. Implement privacy solutions
10. Integrate privacy into operations
11. Evaluate KPIs & execute scenarios in order to verify GDPR compliance
Throughout: continuous awareness program

GDPR: Our maturity status (Personal Data Safeguarding, based on the CMMI maturity model)
- Personal data subject's rights: Level 2
- Data processing basic principles: Level 2
- Breach notification: Level 3
- Audit and continuous improvement: Level 3
- Organizational structure: Level 3
- Policies and procedures: Level 2
- Security: Level 3
Legend: 1 Initial, 2 Managed, 3 Defined, 4 Measured, 5 Optimized

GDPR: Our findings
- Consent: requests for consent for different purposes are not distinguished; consent is opt-out.
- Retention: retention periods for personal data are not clearly defined.
- Portability: no policy for satisfying requests for personal data portability.
- Security: USB ports are enabled on all corporate PCs and laptops; emails containing personal data are not encrypted.
- Forgetness (right to be forgotten): there are no mechanisms for personal data erasure.
- Collection purpose: not all data collected, stored, transferred etc. are necessary for the purposes of personal data processing.
- Contracts: the template contract between IAG and an insurer partner is not updated based on GDPR provisions.
- Audit: the scope and criteria of the internal audit process do not include personal data protection requirements.
- Data breach: the security incident records do not include all the required information regarding personal data breaches.

GDPR: Our implementation approach
- Assign the role of Data Protection Officer (DPO) and define responsibilities
- Confirm existence of a Data Owner per data category
- Document a personal data protection policy
- Strengthen employee awareness & Clean Desk policy
- Review and adjust processes to satisfy requests from data subjects
- Review the policy chapter on removable media
- Encrypt or mask personal information depending on purpose
- Create a personal data processing register
- Review and update contracts with processors
- Consolidate the security incident cycle to accommodate personal data breaches
- Define KPIs for the measurement of GDPR performance
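The findings above (data collected that is not necessary for the purpose, unencrypted personal data) and the approach item "encrypt or mask personal information depending on purpose" can be made concrete in code. The following is an added example, not code from the presentation or from Interamerican: it classifies record fields using the slide's own categories (digital identifiers, demographic data, government identifiers, organization data, special categories) and, for a declared processing purpose, keeps, masks, pseudonymizes or drops each field. The field names, the three purposes and the policy table are illustrative assumptions; fields that were never inventoried are dropped, because data that is not in the processing register cannot be shown to be necessary.

```python
"""Purpose-based minimisation of personal data records (added example).

Field -> category mapping, purposes and the policy table are assumptions for
illustration, not the presenter's own configuration.
"""
import hashlib
import hmac
from typing import Dict

# Assumed field -> category mapping, following the slide's grouping.
FIELD_CATEGORY: Dict[str, str] = {
    "ip_address": "digital", "mac_address": "digital",
    "name": "demographic", "email": "demographic", "phone": "demographic",
    "date_of_birth": "demographic",
    "national_id": "government", "passport_number": "government",
    "bank_account": "organization", "employee_number": "organization",
    "medical_data": "special", "religious_beliefs": "special",
}

# Assumed per-purpose policy. Special-category data is kept only where the
# purpose genuinely needs it; everything else is masked or pseudonymized.
PURPOSE_POLICY: Dict[str, Dict[str, str]] = {
    "claims_handling": {c: "keep" for c in
                        ("digital", "demographic", "government", "organization", "special")},
    "analytics": {"digital": "mask", "demographic": "pseudonymize",
                  "government": "pseudonymize", "organization": "mask",
                  "special": "drop"},
    "marketing": {"digital": "drop", "demographic": "keep",
                  "government": "drop", "organization": "drop",
                  "special": "drop"},
}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed, deterministic token: the same value maps to the same token, so
    records stay linkable, but the token cannot be reversed without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask(field: str, value: str) -> str:
    """Partial masking that keeps just enough structure for operational use."""
    if field == "email" and "@" in value:
        local, _, domain = value.partition("@")
        return local[:1] + "***@" + domain
    if field == "ip_address":
        if ":" in value:                       # IPv6: keep the first three groups
            return ":".join(value.split(":")[:3]) + "::"
        octets = value.split(".")
        if len(octets) == 4:                   # IPv4: zero the host octet
            return ".".join(octets[:3] + ["0"])
    # Default: keep only the last four characters (account numbers, IDs).
    return "*" * max(len(value) - 4, 0) + value[-4:]


def minimize_record(record: Dict[str, str], purpose: str, key: bytes) -> Dict[str, str]:
    """Return a copy of `record` reduced to what `purpose` is allowed to see.
    Unclassified fields are dropped (fail closed); an unknown purpose raises."""
    policy = PURPOSE_POLICY[purpose]
    out: Dict[str, str] = {}
    for field, value in record.items():
        category = FIELD_CATEGORY.get(field)
        if category is None:
            continue                           # never inventoried -> not necessary
        action = policy[category]
        if action == "keep":
            out[field] = value
        elif action == "mask":
            out[field] = mask(field, value)
        elif action == "pseudonymize":
            out[field] = pseudonymize(value, key)
        # "drop": the field is omitted
    return out


# Constructed sample record with fictitious values.
SAMPLE_RECORD: Dict[str, str] = {
    "name": "Maria Example",
    "email": "maria@example.com",
    "ip_address": "203.0.113.42",
    "national_id": "AB123456",
    "bank_account": "GR1601101250000000012300695",
    "medical_data": "chronic condition X",
    "favourite_colour": "blue",                # not in the register -> dropped
}

if __name__ == "__main__":
    demo_key = b"placeholder-key-keep-in-a-kms"  # placeholder, not a real secret
    for purpose in PURPOSE_POLICY:
        print(purpose, minimize_record(SAMPLE_RECORD, purpose, demo_key))
```

The pseudonymization key is what turns a hash into a reversible-only-by-the-controller token, so it belongs in a key management system with rotation, not in the analytics environment that receives the tokens; the masking rules are deliberately lossy so that the masked copy does not need the same protection as the source.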

GDPR: Data breach cycle
Breach -> Awareness of breach -> Investigation -> Reporting to IA & Achmea -> Evaluation & decision -> Notify supervisory authority -> Notify data subject
A breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

GDPR: Our effort per area
- Awareness: 10%
- Policies & procedures: 10%
- Security: 10%
- Data governance: 70%

Last but not least
- Set up a Clean Desk policy
- Ensure paper documents are safely stored and disposed of
- Classify unstructured data
- Employee involvement through continuous awareness
- Verify processors' compliance
- Control requests for data

GDPR: Post-implementation benefits
- Strengthened customer trust and customer relationships, resulting in loyalty
- Enhanced market reputation & business cooperation
- Competitive market advantage
- Strengthened security & fewer security incidents
- Digital benchmark through PIA
- Smart big data leads to better, safer, faster processing
- Elimination of redundant or duplicate data leads to reduced costs & faster processes

GDPR is not just another framework or regulation but a great opportunity to enhance operational excellence!