EU General Data Protection Regulation (GDPR): Tieto's approach and implementation
GDPR roles and positions

Data subjects (towards the Data Controller):
- Information on processing
- Consent or other basis for processing
- Right requests
- High risk breach notification
- Data subject damages

Data Controller (towards the Data Protection Authority):
- Accountability, burden of proof
- Notification of breach
- Prior consultation
- Monitoring
- Fines

Data Controller:
- GDPR processing principles
- Accountability
- Privacy by design
- Data security
- Data subject right executions
- Vendor management
- Transfers of personal data outside EU/EEA

Data Processor:
- Sufficient guarantees
- Data protection agreement
- Instructions on processing
- Assistance with right requests
- Data security
- Transfers of personal data outside EU/EEA
- Data Processor services
- Data processor subcontractors
Data processor position

Controller's accountability (Art. 5.2, 24): The controller shall be responsible for, and be able to demonstrate compliance with, the principles relating to processing of personal data.

Privacy by design and default (Art. 25): At the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures to meet the Regulation.

Processor obligations (Art. 28, 26.2):
(a) Scope, instructions, transfers
(b) Confidentiality
(c) Security of processing (Art. 32)
(d) Subprocessors
(e), (f) Assistance, rights of data subjects (Chapter III) and Art. 32-36
(g) End of processing
(h) Information, notification and audit obligations
GDPR impact summary (Confidential)

Customer awareness: Customers are aware of the GDPR and ask for solutions and advice.
Contractual changes: Mandatory contractual clauses must be entered into new and existing agreements.
Organizational changes: Organizing the data protection network, appointing privacy responsible personnel, group level trainings required.
Process changes: GDPR requirements implemented into the current processes, activities and tasks; privacy assessment requirements; data breach notification instructions; extended documentation requirements.
Technological changes: Privacy by design and security requirements need to be implemented in products, services and processes.
Implementation overview

Tieto has been following the EU's data protection legislation reform since 2012, and the related internal Data Privacy program was officially initiated in January 2016. Tieto has an implementation roadmap for the transition period. Several areas will be reviewed against the new legislation, carrying out adjustments where needed.
Program structure (scope: Internal / Customers)

Preparation phase: 2016-2017. Rollout phase: 2016-2018.

Work group 1: General privacy governance
- Privacy policy, rules and general information renewed.
- Top management commitment and organisation ensured.
- Governance, support, follow up and reporting models updated.
- Privacy in core support processes updated.
- Communication and training.

Work group 2: Privacy in offering development, project and service delivery
- Review and update privacy engineering framework, processes, rules, guidelines.
- Business impact estimation.
- Offering reviews and renewal.
- Communication and training.

Work group 3: Privacy in sales and customer management
- Sales process, guidelines and templates reviewed and updated.
- Customer contract reviewing and renewal planned and prepared.
- Communication and training.

Work group 4: Privacy in Tieto internal services (HR, ICT, Procurement, Marketing, CRM, etc.)
- Privacy engineering in service implementation process updated.
- Internal services reviewed and compliance ensured.
- Partner, vendor and sub-contractor management updated.
- Communication and training.
Completeness follow up
Rollout phase

Timeline: 2016, 2017, 2018, 20xx. Go live: May 25, 2018, GDPR enters into force.

Execution in business units:
- Reviewing and, if necessary, renewing current contracts: all applicable contracts shall be compliant with the regulation.
- Reviewing and, if necessary, renewing current services and products: new service and product releases shall be compliant with the regulation.
- Privacy Engineering in production: new services and products shall be compliant with the GDPR.
- Targeted employee trainings.
- General employee communication and trainings.
- Privacy network and governance model in place.
Privacy governance model at Tieto

Strategic decision making, commitment: Tieto Leadership Team.
Tactical decision making and operative steering, coordination, reporting and communication: Privacy Council (Tieto Legal, Corporate Risk and Security Management, CFO, Data Protection Officer, Corporate Support Functions).
Execution, resources, financials, accountability of solutions and services: business units FS, PHCW, ICS, NDDB, TSM and PDS, each with its own privacy network.
Privacy Engineering framework: GDPR requirements
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to be forgotten (Art. 17)
- Restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Profiling (Art. 22)
- Privacy by design and default (Art. 25)
- Security of processing (Art. 32)
- Purpose limitation (Art. 5)
- Data minimisation (Art. 5)
- Accuracy (Art. 5)
- Storage limitation (Art. 5)
- Integrity and confidentiality (Art. 5)

Privacy engineering framework: elements
Privacy Engineering, GDPR, practical use cases, practical privacy and security controls, processes, technology, solution, documentation.

Privacy Engineering framework: steps
1. Define purpose of processing
2. Define the risk level of processing
3. Choose and define privacy and security controls
4. Implement and document
Personal data operations covered: Save, Control, Identify, Delete, Copy, Edit.
Data Processing Agreement (DPA)

GDPR sets mandatory requirements for agreements involving processing of EU personal data. Scope (Art. 28.3):
(a) Instructions, transfers
(b) Confidentiality
(c) Security of processing
(d) Subprocessors
(e), (f) Assistance duties
(g) End of processing
(h) Information and audit obligations

The DPA is to be used in all services where the service provider is processing personal data as data processor on behalf of the customer. Tieto's DPA update is executed in two parts: the DPA is published to be used with all Tieto services where personal data is processed, and existing customer agreements are updated by agreeing the DPA.
Agreement structure

The DPA functions as a frame agreement for all processing operations between the Tieto group and the customer group:
- Customer company (parent company): Data Processing Agreement (DPA) with the Tieto group.
- Customer group company A and Tieto company (Tieto Finland): Service Agreement A for Service A, with Processing specification A.
- Customer group company B and Tieto group company (Tieto Sweden): Service Agreement B for Service B, with Processing specification B.
Processing Specification Form
- Categories of processing: choose the applicable categories.
- Add new details if the pre-set choices do not cover the processing in question.