General Data Protection

Regulations (GDPR)
Advisory

When is privacy not something to

keep quiet about?
Agenda
 Setting the context

 Typical approach

 Knowledge assessment

 Key takeaways

Page 2 GDPR Advisory

 01
Setting the context
GDPR brief

GDPR becomes Part of personal data

What is GDPR?
enforceable on stored should be obtained
The GDPR is the culmination of years of work by the
by consent
EU to reform Data Protection regulation into a Union-
wide framework instead of a patchwork of country- freely given, informed, unambiguous
specific legislations
Data breaches must be reported to
Tough penalties the supervising authority within 72
Who is impacted by GDPR? Hours
Fines up to

Any company doing business with European
citizens – regardless of where the company is
based
The definition of personal data is more explicit and
includes identifiers such as:
4% ofrevenues
annual global
or
20 Million Euros
whichever is greater
Data subjects have the right
to be forgotten and erased
from records
Users may request a copy of
personal data in a portable
format
Appointment of Data Protection
Officers will be mandatory for
companies processing high volumes of
personal data and good practice for
others
Data flow mapping and Privacy
Impact Assessments become mandatory
for organizations
Products, systems and processes must
consider privacy-by-design concepts
during development

Page 4 GDPR Advisory

 Security vs Privacy

Why These Terms Are Mixed Together

Security for Privacy
We assume that:
• a company with highly secure servers can guarantee our
privacy
• If a software developer says that they’re using ultra-uber-safe
encryption, we consider that the information we share will be Security Privacy
kept private because hackers can’t access it
To emphasize the difference between privacy and
security, let’s build a few scenarios:

High security but a lack of privacy Low security but very high privacy

A software developer provides you with a highly-encrypted database
that allows you to store your information. When you do so, however,
the company will share this information with third parties (advertisers,
affiliates, etc.) who may not have as strong a security infrastructure in
place as the people who you entrusted your data with. You decide to
do this nonetheless because you didn’t read the small print in their
terms of service and therefore are oblivious to what is done with your
data.
You’re sharing very personal data with a company that uses weak
end-to-end encryption (or none) in its database. The thing is that the
data is used only for a very short amount of time (seconds or minutes)
and doesn’t provide enough time for hackers to even be aware that it
exists. Once you’re finished, the data is deleted immediately.
This guarantees that no one will be able to view it, thereby making the
data private even though it may not have been very secure.

Page 5 GDPR Advisory

GDPR applicability decision tree

GDPR applies globally and companies outside EU will have to comply with the Regulation if they process EU persons personal data

Does the
company have Yes GDPR APPLIES
presence in EU?

No
Yes Yes

Does the
Does the
Is the company’s processing relate
processing relate
customer an EU Yes to offering goods or No to monitoring the
resident? behavior of persons
services in Union?
in EU in Union?

No No

GDPR does not apply

Non-EU based organizations: For offering of goods and services (but not monitoring), it must be apparent that the organisation “envisages” that
activities will be directed to EU data subjects.
Examples: The use of an EU language/currency, the ability to place orders in that other language and references to EU users or customers will be
relevant

Page 6 GDPR Advisory

 GDPR- some case studies

1 A tourist from the India logs onto the website of their local India
grocery store from their hotel in the EU. They provide personal
data such as their India delivery address and India credit card
details, to order a delivery to their home in the India
GDPR may not applicable - it is not an EU transaction and it does
not matter where the data is processed
2 A tourist from the EU logs onto the website of their local EU
grocery store from their hotel in the India. They provide personal
data such as their EU delivery address and EU credit card details
to order a delivery to their home
GDPR is applicable - this is a service being delivered in the EU.

3 4
A tourist from the India logs onto the website of a nearby EU
pizza restaurant from their EU hotel. They provide personal data
such as credit card details and name, to order a pizza delivery to
their EU hotel
A tourist from the EU logs onto the website of a nearby India
pizza restaurant from their India hotel. They provide personal
data such as credit card details and name, to order a pizza
delivery to their friend in a US hotel

GDPR is applicable - this is a product and service being provided GDPR may not be applicable - this is not a product or service
in the EU being provided in the EU.

5 A person logs onto the website of a car parts store in the India,
from their home in the EU, to order a car part. They provide
personal data such as credit card details and their EU home
address for delivery of the car part
GDPR is applicable - this is related to a product or service to be
provided in the EU.

Page 7 GDPR Advisory

 Some examples
Market research company
A bank contracts a market research company to carry out some
research. The bank’s brief specifies its budget and that it requires a
satisfaction survey of its main retail services based on the views of a
sample of its customers across the UK.
The bank leaves it to the research company to determine sample
sizes, interview methods, method of conducting the survey and
presentation of results.
What is the role of the research company?
The market research company is a data controller in its own right in
respect of the processing of personal data done to carry out the
survey, even though the bank retains overall control of the data in
terms of commissioning the research and determining the purpose the
data will be used for.
Page 8
Mail delivery services
A courier service is contracted by a local hospital to deliver
envelopes containing patients’ medical records to other health
service institutions.
The courier service is in physical possession of the mail; it may not
open it to access any personal data or other content.
What is the role of the mail delivery service company?
The mail delivery service is neither a data controller nor a data
processor for the clients that use its services because:
 it is a mere conduit between the sender of the mail and its recipient
 it does not exercise any control over the purpose for which the
personal data in the items of mail entrusted to it is used; and
 it has no control over the content of the personal data entrusted to
it.
GDPR Advisory
GDPR- The big picture

GDPR is not a one-off compliance demonstration and requires a fundamental organizational transformation with regard to data and
privacy. GDPR impacts and overlaps with many areas, affecting people, process and technology

Employees The impact of GDPR is enormous and spans across a multitude of

organizational areas:

vendors Human
Privacy
Resources
Governance
PII touch points

IT infrastructure Areas
Cross Border
impacted
Third parties and
Data by GDPR vendors
Transfers

Applications

IT Systems and Marketing and

applications
profiling

Page 9 GDPR Advisory

Typical challenges faced by organizations

Our focus is to target any organization that acts as data controller or data processor and that offers goods or services to
individuals in the EU, regardless of whether it is physically located in the EU

Typical challenges faced by clients

Big data analytics
• Challenges around privacy arise due to the
lack of consent amongst data subjects in
the big data analytics processing of PII
Privacy governance
• Privacy has evolved into a multi-disciplinary
issue
• Organisations are struggling to establish a
comprehensive model to lead privacy
transformation
Risk based approach
• A risk-based approach for prioritisation of
actions and the identification of those which
can be pursued centrally to facilitate
integration with the entire organisational
data governance

Data flow mapping Rightful usage Right be forgotten

• Many organisations are unaware of their • The concept of rightful usage is essential • Organisations struggle with supporting the
data flows and have launched ambitious and organisations often adopt an isolated right to be forgotten due to the complexity
data flow mapping initiatives approach focused on a singular data flow and wide distribution of data

Page 10 GDPR Advisory

Roadmap to GDPR compliance

Simplify your privacy journey Uncover the risks Take quick action

Obtain understanding of Assess GDPR requirement Perform gap

As is state business landscape and and develop GDPR assessment Viz a
operations on employee applicability matrix for Viz GDPR
and customer PII data data controller and requirements at all
processor role 3 layers
v

Rollout of processes
and procedures- Review/ Update/ Identify the
Develop PII Conduct GDPR framework
breach management, Privacy Privacy
data inventory data subject rights, design polices, Organization
and data flow Awareness procedures and
notice, consent etc. Workshops Structure
diagram templates

Develop Enterprise
framework for and Perform
reassessment to Implement Continuous
conduct Data Compliance Program
Protection Impact ascertain closure of To be state
Assessment (DPIA) gaps

Page 11 GDPR Advisory

Key safeguards to be adopted by
organizations

Ability to restore the

Identification of PII records Data protection Impact
availability and access to
of processing activities Assessments (DPIA) where
personal data in the event of
required
an incident

Mechanism to provide Ability to ensure ongoing

controller with a notice of confidentiality, integrity,
data breach within 72 hours availability and resilience of
of becoming aware processing services

Page 12 GDPR Advisory

 02
Typical approach
GDPR implementation approach

An assessment of potential non-compliance Identify personal data processing Ongoing operations and update of the
based on walkthroughs and interviews activities processes, policies, and responsibilities
Roadmap development highlighting key Document data flows developed during the compliance
initiatives Map the 5 W’s journey.
Define and monitor metrics

DISCOVER Know MONITOR &

ASSESS SUSTAIN
your data

DESIGN Deliver
Align privacy framework to
GDPR

• Privacy framework Operationalize the privacy framework

• Privacy notices • Conduct Privacy Impact Assessments
• Contracts governance Update your existing privacy policies, procedures • Design consent mechanisms
• Vendor management and notices to GDPR requirements • Ongoing vendor due diligence
• Data subject rights • Operationalize privacy by design & default
• Breach management • Manage data breaches and subject access rights

Page 14 GDPR Advisory

GDPR implementation approach
Phase I- Assess

GDPR gap assessment

• Finalize the scope for gap
assessment
PROGRAM
GOVERNANCE
• Conduct interview with respective
stakeholders

Alignment
to 3 • Conduct gap assessment against
program GDPR requirements
pillars

• Report the findings and recommend

Data Controller Data Processor mitigation steps
(EMPLOYEES) (CUSTOMER)

Page 15 GDPR Advisory

GDPR implementation approach
Phase I- Assess

14 point capability model

Focus areas for gap assessment

Page 16 GDPR Advisory

GDPR implementation approach
Phase II- Align privacy framework to GDPR

Governances Supporting Governance Roles

Privacy strategy/charter Regulatory reporting IT and information security

Governance
Roles and responsibilities must be Executive reporting Legal and compliance
Privacy policy
clearly defined, and stakeholders from
across the enterprise should be
continuously engaged. Training and awareness Managing public perception Communications and crisis management

Operations Privacy life cycle Managed Lines of Defence

Privacy by design
5.Review of
Risk management
Operations privacy
expectations
1.Appropriate
collection of CPO/Privacy Office
Data privacy programmes rely heavily
Incident management data
upon the implementation of strong
policies and processes
Vendor due diligence

4.Appropriate
Consumer request/complaints retention Risk and compliance
and
2.Relevant
disposal
Data classification use of data

Monitoring Personal data Inventory Management

3.Managed
Teams and tools supporting privacy disclosure Audit
programmes should be integrated to Cross border data management
allow for correction and effective on-
going analysis of the existing state of Sustenance
Data owners
the organisation.
Regulatory expectations Privacy audit
Data processors

Internal expectations Data flow management Data collectors

Page 17 GDPR Advisory

GDPR implementation approach
Phase III-Discover

Data inventorization
Conduct interviews with functional/process stakeholders to identify and update the manual PII inventory template prepared as a part of the previous phase
to understand the flow of personal data. In the inventories:

7
? 2
Determine the purpose for which data is collected, processed, accessed, stored,
transferred and retained and the data categories (PII, SPI etc.) required for those
purposes
IG
Principles
Determine flow of data across boundaries, to vendors, other functions etc. and the 6
associated approval mechanism 3

Develop heat map for the process based on risk score and risk exposure
5
4

Page 18 GDPR Advisory

GDPR implementation approach
Phase III-Discover

PII inventorization and classification process

Evaluate The gathered information is structured and assessed off-

information line. Outstanding questions are complied and sent to 4
relevant personnel.
Identify processes which handle
personal data

Perform workshop Verify the understanding of the processes. What, where 3 Per step identify underlying
and why are discussed in detail.
systems

Analyze and Create an understanding of the data flows and processes Per system identify underlying
prepare and develop a ”data centric” process map, covering the 2 PII categories
full data flow lifecycle

Identify data transfers (cross

borders)
Gathering Gather existing documentation on data flows and
information processes in scope and conduct interviews with key 1
personnel.

Page 19 GDPR Advisory

GDPR implementation approach
Phase IV- Deliver

Framework rollout and governance

Information Governance (IG) Program not only prepares you for GDPR compliance but also help with building out an ongoing, operational program which
will be critical for an organization to have complete control on their information assets
Rollout and implement
all privacy policies and
Conduct PIA at all in- procedures such as
scope locations for breach management,
identified high risk privacy by design and
and new processes default, etc.
and close PIA gaps
Perform implementation
reviews against the pre-
defined targets and
report the status to
identified stakeholders
Setup a privacy office
(PMO) and develop an
implementation review
Circulate notices and
plan
obtain consent at all
required touch points

Page 20 GDPR Advisory

GDPR implementation approach
Phase V-Monitor and sustain

Sustainance program

To run a successful Privacy Program, it is pivotal to have a sustenance framework in place which defines the metrics for periodic monitoring and continual
improvement. The model has to be self evolving and agile to accommodate the unforeseen changes and adapt accordingly to the organization’s needs.

Steps for agreed compliance measurement metrics and dashboards

03
02 Metrics rating, setting
Signoffs

01 Metrics identification and

target and tolerance

dashboard development

► Validate the high risk areas of data
privacy across and develop a short list
of metrics based on levels of risk.
► Identify the business units that will be
reporting through the dashboard and
develop dashboard options
► Develop metrics reporting process and
supporting RACI. Rate the metrics based
on key risk factors (such as financial,
legal/ regulatory and reputational)
► Set the tolerance levels for the reporting
metric and develop timeline to support
implementation
► Review and agree the final list of
metrics and BUs at the Privacy Team
► Review and agree the look and feel of
the dashboard and seek sponsor sign
off

Page 21 GDPR Advisory

 04
Knowledge assessment
Knowledge assessment

What is the maximum fine for a As per GDPR, within what

GDPR breach? timeframe must organizations
a. There is no maximum fine notify the supervisory authority of
b. 20,000,000 pounds or up to 4% the data breach?
of annual turn-over, whichever is a. Within 12 hours
greater b. Within 48 hours
c. 20,000,000 pounds or up to 2% c. Within 72 hours
of annual turn-over, whichever is
greater

The marketing team gets access to Techniques of data protection by

the data collected by the app used design include which of the
to analyze trends. Can they publish following:
the information if the data is made
anonymous? a. Pseudonymisation
b. Cleansing
a. True
c. Interpretation
b. False

Page 23 GDPR Advisory

 05
Key Takeaways
Key takeaways-Immediate steps to be
taken to become GDPR compliant
Identify your role under GDPR
Determine whether your organization is an EU "data
controller" or otherwise required
to comply with GDPR requirements.
Appoint a person for data protection
matters
GDPR requires some organisations to designate a DPO.
However, even if DPO is not required, organizations
should consider nominating a person who will deal with
all queries arising for data protection.
Conduct data mapping exercise
Organizations should document what personal data they
hold, where it came from and whom do they share it
with.
Organizations may need to organize an information
audit.
Information Governance
Review and refresh internal policies and procedures to
ensure fit for purpose.
Policy to include; your identity; how you intend to use
the information; the legal basis for processing the data;
data retention periods.
Page 25
Secure IT (and manual data too)
Physical and procedural security controls will be just as
important as technical ones.
ISO 27001 and other certifications will help
demonstrate “adequate technical and organizational
measures” to protect persons’ data & systems.
GDPR elements
requiring
primary
attention
Privacy notices and consent
Notices will almost certainly require amendment to
include additional information and a refresh to be in
plain language.
Ensure consent requires some form of clear affirmative
action.
GDPR Advisory
New Data Subject Rights
Implement processes to manage these rights and train
staff to identify these requests and pass to the correct
person for action.
If request for data removal is received, have processes
to remove data from all sources, including backups.
Data Breach
Establish a data breach management process to
identify, escalate and manage data breaches effectively.
Include a communications strategy for informing
Supervisory Authority, customers or wider public.
Review and update agreements
Review agreements and amend these to reflect the
requirements of new Regulation.
Failure to do so may mean organizations run the risk of
sharing/ processing data illegally, ultimately risking
financial penalty.
Privacy Impact Assessments – Privacy by
design
Develop a standard privacy impact assessment process
and embed into all new projects.
Knowledge assessment

Thank You

Page 26 GDPR Advisory