EU General Data Protection Regulation (GDPR): Tieto's approach and implementation


GDPR roles and positions

Data subjects:
- Information on processing
- Consent or other basis for processing
- Right requests
- High risk breach notification
- Data subject damages

Data Controller (towards the Data Protection Authority):
- Accountability (burden of proof)
- Notification of breach
- Prior consultation
- Monitoring
- Fines

GDPR processing principles (controller):
- Accountability
- Privacy by design
- Data security
- Data subject right executions
- Vendor management
- Transfers of personal data outside EU/EEA

Data Processor:
- Sufficient guarantees
- Data protection agreement
- Instructions on processing
- Assistance with right requests
- Data security
- Transfers of personal data outside EU/EEA
- Data Processor services
- Data processor subcontractors

Data processor position

Controller's accountability (Art. 5.2, 24): The controller shall be responsible for, and be able to demonstrate compliance with, the principles relating to processing of personal data.

Privacy by design and default (Art. 25): At the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures to meet the Regulation.

Processor obligations (Art. 28; 26.2):
(a) Scope, instructions, transfers
(b) Confidentiality
(c) Security of processing (Art. 32)
(d) Subprocessors
(e), (f) Assistance, rights of data subjects (Chapter III) and Art. 32-36
(g) End of processing
(h) Information, notification and audit obligations

GDPR impact summary

Customer awareness: Customers are aware of the GDPR and ask for solutions and advice.

Contractual changes: Mandatory contractual clauses must be entered into new and existing agreements.

Organizational changes: Organizing the data protection network, privacy responsible personnel appointed, group level trainings required.

Process changes: GDPR requirements implemented into the current processes, activities and tasks; privacy assessment requirements; data breach notification instructions; extended documentation requirements.

Technological changes: Privacy by design and security requirements need to be implemented in products, services and processes.

Implementation overview

Tieto has been following the EU's data protection legislation reform since 2012, and the related internal Data Privacy program was officially initiated in January 2016. Tieto has an implementation roadmap for the transition period. Several areas will be reviewed against the new legislation, carrying out adjustments where needed.

Program structure

Preparation phase: 2016-2017. Rollout phase: 2016-2018. Work groups 1-3 face customers; work group 4 covers internal services.

Work group 1: General privacy governance
- Privacy policy, rules and general information renewed.
- Top management commitment and organisation ensured.
- Governance, support, follow up and reporting models updated.
- Privacy in core support processes updated.
- Communication and training.

Work group 2: Privacy in offering development, project and service delivery
- Review and update privacy engineering framework, processes, rules, guidelines.
- Business impact estimation.
- Offering reviews and renewal.
- Communication and training.

Work group 3: Privacy in sales and customer management
- Sales process, guidelines and templates reviewed and updated.
- Customer contract reviewing and renewal planned and prepared.
- Communication and training.

Work group 4: Privacy in Tieto internal services (HR, ICT, Procurement, Marketing, CRM, etc.)
- Privacy engineering in service implementation process updated.
- Internal services reviewed and compliance ensured.
- Partner, vendor and sub-contractor management updated.
- Communication and training.

Completeness follow up (slide content not transcribed)

Rollout phase (2016, 2017, 2018, 20xx)

Execution in business units:
- Reviewing and, if necessary, renewing current contracts. All applicable contracts shall be compliant with the regulation.
- Reviewing and, if necessary, renewing current services and products. New service and product releases shall be compliant with the regulation.
- Privacy Engineering in production: new services and products shall be compliant with the GDPR.
- Targeted employee trainings.
- General employee communication and trainings.
- Privacy network and governance model in place.

Go live: May 25, 2018, GDPR enters into force.

Privacy governance model at Tieto

Strategic decision making, commitment: Tieto Leadership Team.

Tactical decision making and operative steering, coordination, reporting and communication: Tieto Legal, Corporate Risk and Security Management, CFO, Data Protection Officer, Corporate Support Functions, Privacy Council.

Execution, resources, financials, accountability of solutions and services: the business units FS, PHCW, ICS, NDDB, TSM and PDS, each with its own privacy network.

Privacy Engineering framework: GDPR requirements
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to be forgotten (Art. 17)
- Restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Profiling (Art. 22)
- Privacy by design and default (Art. 25)
- Security of processing (Art. 32)
- Purpose limitation (Art. 5)
- Data minimisation (Art. 5)
- Accuracy (Art. 5)
- Storage limitation (Art. 5)
- Integrity and confidentiality (Art. 5)

Privacy engineering framework (diagram): GDPR, Privacy Engineering, Practical use cases, Practical privacy and security controls; applied across Processes, Technology, Solution and Documentation.

Privacy Engineering framework (process)
1. Define purpose of processing
2. Define the risk level of processing
3. Choose and define privacy and security controls
4. Implement and document

Personal data lifecycle operations covered: Save, Control, Identify, Delete, Copy, Edit.

Data Processing Agreement (DPA)

GDPR sets mandatory requirements for agreements involving processing of EU personal data. Scope (Art. 28.3):
(a) Instructions, transfers
(b) Confidentiality
(c) Security of processing
(d) Subprocessors
(e), (f) Assistance duties
(g) End of processing
(h) Information and audit obligations

The DPA is to be used in all services where the service provider is processing personal data as data processor on behalf of the customer. Tieto's DPA update is executed in two parts:
- The DPA is published to be used with all Tieto services where personal data is processed.
- Existing customer agreements are updated by agreeing the DPA.

Agreement structure

The DPA functions as a frame agreement for all processing operations between the Tieto group and the customer group.

Frame level: Customer company (parent company), Data Processing Agreement (DPA).

Service level:
- Customer group company A: Service A, Service Agreement A, Processing specification A; provided by Tieto company (Tieto Finland).
- Customer group company B: Service B, Service Agreement B, Processing specification B; provided by Tieto Group company (Tieto Sweden).

Processing Specification Form

Categories of processing: choose the applicable categories, and add new details if the pre-set choices do not cover the processing in question.