GDPR - Context, Principles, Implementation, Operation, Impact on Outsourcing, Data Governance and Data Ethics

GDPR - Context, Principles,
Implementation, Operation,
Impact on Outsourcing, Data
Governance and Data Ethics
Alan McSweeney
http://ie.linkedin.com/in/alanmcsweeney

Topics
• Context of GDPR – this contains information on other directives and
regulations relating to GDPR to provide details on its wider content
• Personal Information – this reiterates what is meant by personal
information and so what is covered by GDPR
• Principles of GDPR – this identifies some of the key principles that
underpin GDPR and will affect its operation and the particular provisions of
the GDPR intended to give effect to those principles
• Implementing and Operating GDPR – this discusses approaches to
operationalising GDPR within organisations and the IT system changes
required
• GDPR and Outsourcing – this contains details on the particular topic of
outsourcing that will be impacted by GDPR
• Data Governance – this puts GDPR into wider Data Governance context
• Data Ethics– this briefly discusses the wider issue of data ethics in the
context of GDPR
March 28, 2018 2

GDPR Impact
• GDPR and its related regulations
have different impacts depending
on the profile of an organisation
and the way in which it collects
and process information about
individuals
• GDPR impacts on the areas of:
− Data Governance
− Privacy Management
− Security Management
− Risk Management
• Existing business processes and IT
systems will need to be modified
and new processes and systems
acquired to support the successful
operation of GDPR
• The operation of outsourcing
arrangements will be impacted by
GDPR
March 28, 2018 3
Data Governance
Privacy
Management
Security
Management
Risk
Management

GDPR Impact
• Organisations have personal data in many locations used by many different
applications using different storage technologies
• GDPR now requires a new and more strict data regime to implement,
operate and enforce
• Organisations should consider a consistent approach across all personal
data platforms
March 28, 2018 4
Personal Data Landscape

No One Solution
• There is no one solution to achieving GDPR compliance
that applies to all organisations and to all aspects of GDPR
• Organisations need to define their GDPR compliance
strategy and their approach to data governance before
looking at long-term solutions
March 28, 2018 5

Reuse Existing Standards And Methodologies
• There are existing, detailed, well-proven,
well-documented methodologies in the
areas such as approaches to data
governance, data privacy, information
security management, digital filing,
supplier governance and managing
outsourcing relationships that can be
successfully re-used to achieve the
necessary GDPR compliance without the
need to look for new approaches
• The wheel is not getting any rounder - it
does not need to be reinvented
• So use existing well-proven frameworks
and methodologies to systematically
improve skills, experience and practise in
key competency areas
• The world does not need new frameworks
and methodologies – it needs existing
ones well-implemented
March 28, 2018 6
r
d
πd
πr2
1800
900
2700
3600

Reuse Existing Standards And Methodologies
March 28, 2018 7
GDPR
Data
Governance
Data
Management
Information
Security
Outsourcing
Management
Records
Management
COBIT
TOGAF
DMBOK
ISO 15489 Records
Management
ISO 16175 Standard
for Digital Filing
ISO 27001
Information
Security
Management
Standards for Attestation
Engagements (SSAE) 18,
Reporting on Controls at
a Service Organisation
Trust Services Principles
and Criteria for Security,
Availability, Processing
Integrity, Confidentiality,
and Privacy

ISO 15489 Records Management
• ISO 15489 defines the concepts and principles from which
approaches to the creation, capture and management of
records are developed:
− Records, metadata for records and records systems
− Policies, assigned responsibilities, monitoring and training supporting
the effective management of records
− Recurrent analysis of business context and the identification of records
requirements
− Records controls
− Processes for creating, capturing and managing records
• ISO 15489 applies to the creation, capture and management of
records regardless of structure or form, in all types of business
and technological environments, over time
March 28, 2018 8

No Silver Bullet
• There is not silver
bullet to achieve
GDPR compliance
• Just a bunch of
regular bullets to
fire at the problem
March 28, 2018 9

Tactical And Strategic Approaches
• Take a multi-
track
approach to
achieving
appropriate,
risk-based
GDPR
compliance
March 28, 2018 10
Tactical
Analysis,
Scope and
Design
Strategy,
Strategic
Sourcing and
Implementation
• Request Logging and Tracking Facility
• Consent Tracking
• Notices
• Policies
• DPO
• Supplier Review
• Personal data collection and processing profiling
• Personal data business process definition and ownership
assignment
• Definition of wider set of GDPR processes
• Personnel certification
• Define and agree strategic approach
and operating framework
• Source and implement strategic
solutions and associated operational
processes

GDPR Context
March 28, 2018 11

Wider Context Of GDPR
• There are many related regulations and directives
• The data protection landscape is becoming increasingly
crowded and the burden on organisations more onerous
March 28, 2018 12
Treaty on the Functioning of
the European Union (TFEU)
European Convention for
the Protection of Human
Rights and Fundamental
Freedoms (ECHR)
GDPR
ePrivacy Regulation
EU Digital Single Market
(DSM)
NIS DirectiveeIDAS
Directive on Privacy and
Electronic Communications
Police and Criminal Justice
Directive

Wider Context Of GDPR
• The GDPR (http://eur-lex.europa.eu/legal-
content/en/TXT/?uri=CELEX%3A32016R0679) exists within the
context of the wider EU Digital Single Market (DSM) strategy
and a related set of regulations and directives
• The DSM is a strategy of the European Commission to ensure
access to online activities for individuals and businesses under
conditions of fair competition, consumer and data protection,
removing geo-blocking and copyright issues
• The stated objective of the GDPR is to increase trust in and the
security of digital services in order to advance digital
opportunities for citizens and businesses in Europe
• The stated aim is to strengthen the position of the EU as a
digital economy world leader
March 28, 2018 13

Police and Criminal Justice Directive
• Police and Criminal Justice Directive - Directive (EU) 2016/680 on the
protection of personal data by competent authorities for the purposes of
the prevention, investigation, detection or prosecution of criminal offences
or the execution of criminal penalties and on the free movement of such
data and repeals Council Framework Decision 2008/977/JHA – will apply
from 6 May 2018
• Creates a coherent framework for data processing activities performed for
the prevention, investigation, detection or prosecution of criminal offences
or the execution of criminal penalties, including the safeguarding against
and the prevention of threats to public security
• The Police and Criminal Justice Directive harmonises the laws in the
Member States in respect of the exchange of information between police
and judicial authorities
• Applies to both cross-border and domestic processing of personal data and
it aims to improve cooperation of the Member States in the fight against
terrorism and other serious crime across the EU, in that, it guarantees that
personal data transferred outside the EU by criminal law enforcement
authorities will be adequately protected
March 28, 2018 14

Directive on Security of Network and Information
Systems (NIS Directive)
• Directive (EU) 2016/1148 of the European Parliament and of the Council of
6 July 2016 concerning measures for a high common level of security of
network and information systems across the Union (NIS Directive) comes
into force on 10 May, 2018
− http://eur-lex.europa.eu/legal-
content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:
TOC
• NIS Directive applies to:
− Operators of Essential Services (OES) that are established in the EU. Certain
businesses operating in critical national infrastructure (CNIs)
− Seven sectors affected by the NIS Directive are energy, transport, banking, financial
market infrastructure, health, water and digital infrastructure
− Digital Service Providers (DSP) with search engines, cloud computing services, and
online marketplaces identified as the types of DSP that are subject to regulation
− The onus is on organisations to determine for themselves whether they are DSPs
and subject to the Directive’s security and notification requirements
− The NIS Directive does not apply to DSPs that are considered small and micro
businesses (companies employing fewer than 50 people whose annual turnover
and/or balance sheet total is less than €10 million)
March 28, 2018 15

Directive on Security of Network and Information
Systems (NIS Directive)
• Aim of the NIS Directive is to ensure there is a common and
high-level of EU-wide information systems and network
security and cyber security by:
− Improving national information and network security capacity and
effectiveness including having Computer Security Incident Response
Teams (CSIRTs) or Computer Emergency Response Teams (CERTs)
− Increasing co-operation on information and network security across all
Member States
− Introducing binding security obligations and incident reporting
obligations for operators of essential services (OESs) in critical national
infrastructure (CNI)
− Member States will be responsible for dealing with the security of
services provided by multinational companies across the European
Union that have their European headquarters located in that country
March 28, 2018 16

NIS Security Principles
March 28, 2018 17
SecurityPrinciples
Identify
Asset Management
Systems and/or services that are required to maintain or support essential services must be determined, understood and
documented
Business Environment Overall organisation mission, objectives, stakeholders, and activities are understood, prioritised and documented
Governance
Policies, procedures, and processes to manage and monitor the regulatory, legal, risk, environmental, and operational
requirements are identified, understood and documented
Risk Assessment and Risk
Management
Identify and understand the network security risk to operations, assets and individuals
Protect
Service Protection Policies
and Processes
Define, communicate and document policies to direct the overall approach to securing systems and data that support
delivery of essential services
Identity and Access Control
Access to assets and associated facilities is limited to authorised users, processes or devices and to authorised activities and
transactions/functions
Data Security
Information and records are managed and documented consistent with the risk strategy to protect the confidentiality,
integrity, and availability of information
System Security Network and information systems and technology critical for the delivery of essential services are protected from attack
Resilient Networks and
System
Incorporate resilience against cyber-attack and system failure into the design, implementation, operation and management
of systems that support the delivery of essential services
Staff Awareness and
Training
Employees and partners are provided network security awareness education and training to perform their information
security-related duties and responsibilities
Detect
Anomalies and Events
Detection
Anomalous and unusual activity is detected in a timely manner and the potential impact of events is understood
Security Continuous
Monitoring
Information systems and assets are monitored in order to identify network security events and validate the effectiveness of
protective measures
Respond
Response Planning
Response processes are executed, maintained and documented to ensure timely response to detected network security
events
Analysis Analysis is conducted to ensure adequate response and to support recovery actions
Mitigation Take actions to prevent expansion of an event, mitigate its effects and resolve the incident
Improvements Response activities are improved and documented by incorporating lessons learned
Communications Response activities are co-ordinated with internal and external stakeholders including law enforcement
Recover
Recovery Planning
Execute recovery processes and procedures are executed to ensure timely restoration of systems affected by network
security events
Improvements Improve recovery planning by incorporating lessons learned
Communications
Coordinate restoration activities with internal and external parties, such as coordinating functions, Internet Service
Providers, owners of attacking systems, victims, other CSIRTs and vendors

NIS Security Principles
• Use these security principles to create an operational
security framework to reduce the chances of a data breach
March 28, 2018 18

ePrivacy Regulation
• In January 2017, the European Commission published its Proposal for a Regulation
of the European Parliament and of the Council concerning the respect for private
life and the protection of personal data in electronic communications and
repealing Directive 2002/58/EC (Regulation on Privacy and Electronic
Communications) COM (2017)
− http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52017PC0010
• The ePrivacy Regulation aims to make more effective and to increase the level of
protection of privacy and personal data processed in relation with electronic
communications in accordance with the Article 7 (respect for private and family
life) and Article 8 (protection of personal data) of the Charter of Fundamental
Rights of the European Union and ensure greater legal certainty
− Complements and particularises the GDPR
• While the ePrivacy Directive applied to telecommunication providers, the ePrivacy
Regulation will apply to all providers of electronic communications services –
described as Over-the-Top (OTT) communications services such as Facebook
Messenger, LinkedIn, Skype, WhatsApp and others
• ePrivacy Directive - Directive 2002/58/EC – will be replaced by the ePrivacy
Regulation in due course
March 28, 2018 19

eIDAS (electronic IDentification, Authentication and
trust Services)
• The eIDAS Regulation - Regulation (EU) No 910/2014 of the
European Parliament and of the Council of 23 July 2014 on electronic
identification and trust services for electronic transactions in the
internal market and repealing Directive 1999/93/EC (Electronic
Signatures Directive) – came into effect on 1 July, 2016
− http://eur-lex.europa.eu/legal-
content/EN/TXT/?uri=uriserv%3AOJ.L_.2014.257.01.0073.01.ENG
• Aims to enhance trust in electronic transactions between
businesses, citizens and public authorities by providing a common
legal framework for the cross-border recognition of electronic ID and
consistent rules on trust services across the EU
• Focuses on two areas:
− Interoperability – Member States are required to create a common framework
that will recognise electronic Identifications (eIDs) from other Member States
and ensuring their authenticity and security
− Transparency – eIDAS provides a list of trusted services that may be used
within a centralised signing framework
March 28, 2018 20

European Union Agency for Network and
Information Security (ENISA)
• European Union Agency for Network and Information Security
(ENISA) is a centre of expertise for cyber security in Europe
• Privacy and Data Protection by Design -
https://www.enisa.europa.eu/publications/privacy-and-data-
protection-by-design/at_download/fullReport
− View of what needs to be done to achieve privacy and data protection by
default. For example, it specifies that encryption and decryption operations
must be carried out locally and not remotely because both encryption/
decryption keys and data must remain in the power of the data controller and
processor if any privacy is to be maintained
− Covers topics such as the use of cloud data storage where the data controller,
not the cloud service provider, holds the encryption/ decryption keys
• Handbook on Security of Personal Data Processing -
https://www.enisa.europa.eu/publications/recommendations-on-
european-data-protection-certification/at_download/fullReport
− Guidelines for small to medium businesses on data security
March 28, 2018 21

Article 29 Working Party
• Article 29 Working Party - Working Party on the Protection of Individuals with
Regard to the Processing of Personal Data – was established under Article 29 the
Data Protection Directive (Directive 95/46/EC) http://eur-lex.europa.eu/legal-
content/en/TXT/?uri=CELEX%3A31995L0046
• Produced much useful material on the implementation and operation of GDPR
March 28, 2018 22
Document Link
Guidelines on Automated Individual Decision-Making and Profiling for
the Purposes of Regulation
http://ec.europa.eu/newsroom/article29/document.cfm?doc_id=49826
Guidelines on Data Protection Impact Assessment (DPIA) http://ec.europa.eu/newsroom/document.cfm?doc_id=47711
Guidelines on Data Protection Officers http://ec.europa.eu/newsroom/document.cfm?doc_id=44100
Guidelines on Personal Data Breach Notification Under Regulation
2016/679
http://ec.europa.eu/newsroom/article29/document.cfm?doc_id=49827
Guidelines on the Application and Setting of Administrative Fines http://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889
Guidelines on the Lead Supervisory Authority http://ec.europa.eu/newsroom/document.cfm?doc_id=44102
Guidelines on the Right to "Data Portability" http://ec.europa.eu/newsroom/document.cfm?doc_id=44099
Elements and Principles to be Found in Binding Corporate Rules (BCR) http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48798

European Data Protection Board (EDPB)
• Article 68 of the GDPR provides for the establishment of
the European Data Protection Board (EDPB), which will
replace the Article 29 Working Party
• Members of the EDPB are the heads of the supervisory
authorities in each Member State (or their
representatives) and the European Data Protection
Supervisor (or their representative
March 28, 2018 23

European Data Protection Supervisor (EDPS)
• The post of European Data Protection Supervisor (EDPS)
was established in 2004 under Regulation (EC) 45/2001,
which regulation sets out the data protection standards
that apply to the Union institutions
• The post of EDPS is recognised in GDPR
− The EDPS is a member of the EDPB, although the EDPS will only
have voting rights where the issues involve principles and rules
that are applicable to the institutions of the Union
March 28, 2018 24

Personal Information
March 28, 2018 25

• Personal information is at the core of GDPR
• Personal data is defined in Article 4(1) of the GDPR:
− ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data
subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number, location data, an online identifier or
to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person
• Information is personal if it is:
− Owned by a person
− About a person
− Directed towards a person
− Sent or posted or communicated by a person
− Experienced by a person
− Relevant to a person
• The definition of personal data is very important
− It does not just include information a person explicitly supplies
− It includes implicit information such as browsing history
• GDPR identifies special categories of personal data for which processing is subject to
additional constraints
− Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical
beliefs, or trade union membership and the processing of genetic data, biometric data for the purpose of
uniquely identifying a natural person, data concerning health or data concerning a natural person's sex
life or sexual orientation shall be prohibited
March 28, 2018 26

March 28, 2018 27
Personal Data Type Personal Data Items
Personal Information Name, such as full name, maiden name, mother‘s maiden name, or alias
Date of birth
Place of birth
Full home address
Country, state, postcode or city of residence
Marital status
Telephone numbers, including mobile, business and personal numbers
Information identifying personally owned property, such as vehicle registration number
Passport number
Social insurance or national insurance number
Residence and geographic records
Sexual orientation
Biographical Data Specific age
Height
Weight
Eye colour
Hair colour
Photographic image
Gender
Racial or ethnic origin
Any defining physical characteristics
Digital Footprint Digital identities, such as avatars and usernames/handles
Logon details such as name, screen name, nickname, or handle
Email address (if private from an association/club membership, etc.)
IP addresses (in the EU)
Geo-tracking information and location-based data
Web usage behaviour or user preferences using persistent cookies
Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address
(MAC) address or other host-specific persistent static identifier that consistently
Any information that links a particular person to a small, well-defined group
Medical or Heath Data Patient identifier
Number of sick days taken from employer and other information relating to any sick leave
Visits to doctors
Medical data
Biological traits including DNA
Fitness data
Medical images such as X-rays, CT scans and ultra sound
Biometric data such as fingerprints, retinal scans, voice signature or facial geometry
Medication

Principles of GDPR
March 28, 2018 28

Principles of GDPR
• Core of the GDPR are stated principles governing data processing, which
are supported by detailed provisions
− Lawfulness, Fairness and Transparency: Article 5(1)(a) sets out the principle that
personal data shall be processed lawfully, fairly and in a transparent manner in
relation to the data subject
− Specified, Explicit and Legitimate Purpose: Personal data must only be collected
for specified, explicit and legitimate purposes and not further processed in a
manner that is incompatible with those purposes; Article 5(1)(b)
− Adequate, Relevant and Limited: Personal data shall be adequate, relevant and
limited to what is necessary in relation to the purposes for which the data is
processed; Article 5(1)(c)
− Accurate and Up-To-Date: Personal data shall be accurate, and, where necessary,
kept up to date; every reasonable step must be taken to ensure that personal data
that is inaccurate, having regard to the purposes for which it is processed, is erased
or rectified without undue delay; Article 5(1)(d)
− Pseudonymisation/Storage Limits: Personal data shall be kept in a form which
permits identification of data subjects for no longer than is necessary for the
purposes for which the personal data is processed; Article 5(1)(e)
− Security: Personal data shall be processed in a manner that ensures appropriate
security of personal data, including protection against unauthorised or
unauthorised processing and against accidental loss, destruction or damage, using
appropriate technical or organisational measures; Article 5(1)(f)
March 28, 2018 29

Implementation And Operational Principles
Data Protection By Design and
By Default
Limitation and Minimisation
One Common Set of Rules and
One-Stop Shop
Certification
Notices, Responsibility and
Accountability
Data Protection Impact
Assessment (DPIA)
Lawful Basis For Processing
Consent
Right of Access
Right to Rectification
Right to Erasure
Right to Object / Prohibition
Automated Decision-Making
Data Portability
Data Protection Officer
Pseudonymisation
Handling of Data Breaches
Penalties and Sanctions
March 28, 2018 30

GDPR Implementation And Operational Principles
March 28, 2018 31
Data Protection By
Design and By
Default
Limitation and
Minimisation
One Common Set
of Rules and One-
Stop Shop
Certification
Notices,
Responsibility and
Accountability
Data Protection
Impact Assessment
(DPIA)
Lawful Basis For
Processing
Consent
Right of Access
Right to
Rectification
Right to Erasure
Right to Object /
Prohibition
Automated
Decision-Making
Data Portability
Data Protection
Officer
Pseudonymisation
Handling of Data
Breaches
Penalties and
Sanctions

Data Protection By Design and By Default
• Article 25 of the GDPR requires that data protection is designed into
the development of business processes for products and services
− Appropriate measures to implement the data protection principles and to
safeguard data must be put in place in an effective manner at the time the
means of processing is determined and at the time of the processing itself
− This is a mandatory requirement, breach of which can lead to a fine
• Article 25(2) addresses the concept of data minimisation and
provides that the controller should implement appropriate technical
and organisational measures for ensuring that, by default, only
personal data which are necessary for each specific purpose of the
processing are processed
− Obligation applies to the amount of personal data collected, the extent of
processing and the period of storage and accessibility
− Data Protection by design and by default requires a combination of systems
and processes
− Changes to existing IT systems and possible new IT systems will be required to
achieve this
March 28, 2018 32

Limitation and Minimisation
• The collection of personal data should limited for specific and
justifiable purposes
• The amount of personal data collected should be minimised
• The storage interval should be limited
• The type of processing should be limited and necessary
• There should be a legal basis for processing
• Access should be controlled and excluded by default rather
than being inclusive
• Processing of special categories of personal data should be
avoided unless absolutely required
• Data security should occur as a matter of course.
• Essentially, if there are any doubts and the data is not
necessary, do not collect it
March 28, 2018 33

One Common Set of Rules and One-Stop Shop
• There will be one set of data protection rules across all EU Member States.
• Each Member State must create an independent supervisory authority to hear complaints,
investigate them and to take administrative actions and enforce sanctions - Articles 51-54
• Article 51 requires each Member State to provide for one or more independent public
authority to be responsible for monitoring the application of the GDPR.
• Under Article 51(2), supervisory authorities have a duty to contribute to the consistent
application of the GDPR, as well as specific obligations to cooperate with one another and
the Commission through the consistency process.
• Article 57 of the GDPR lists tasks of supervisory authorities, while Article 58 lists their
powers
• The general tasks of a supervisory authority is to monitor and enforce the application of the
GDPR
• Additionally, Chapter VII on Cooperation and Consistency sets out detailed provisions on
mutual assistance (Article 61) and on the conduct of joint operations (Article 62)
• Article 58(4) provides that the exercise of the powers of a supervisory authority must be
subject to appropriate safeguards, including effective judicial remedies and due process
• Where an entity such as a multi-national has multiple locations in multiple EU states, it will
have a single supervisory authority as its lead supervisory authority, based on the location
of its main office
• In this instance, the lead supervisory authority will act as a one-stop shop (OSS) to
supervise all the processing activities of that business throughout the EU
March 28, 2018 34

Certification
• GDPR provides for a voluntary data protection
certification regime to be established
• There is no certification approach or regime defined yet
• ENISA has documented a possible certification approach
March 28, 2018 35

Notices, Responsibility and Accountability
• The need for and the content of privacy statements on web sites and other entry points to
digital information and services that was specified in the Data Protection Directive has been
expanded
• Article 5(1) of the GDPR requires data controllers to process personal data fairly and
lawfully and in a transparent manner: the objective is to ensure that data subjects are
aware of the processing of their personal data, the purposes for which the processing is
taking place and data subjects’ rights in relation to personal data
• Article 13 of the GDPR specifies the information that must be provided to a data subject.
The legal obligation is on the controller, although the controller may use a third party agent
(such as the processor) to provide the information on the controller’s behalf as long as the
notice meets the required standards
• Information may be provided by a privacy notice (also known as a fair processing notice,
privacy policy or data protection notice)
• The information must be clearly accessible and available “at the time when the data are
obtained”, which, in general terms, means the time when the data is collected
• Under Article 13(1) of the GDPR, the privacy notice must state:
− The identity of the controller (and where applicable, the controller’s representative)
− The contact details of the Data Protection Officer, if applicable
− The purposes of the processing for which the personal data is intended as well as the legal basis for the
processing
− The recipients or categories of recipient of the personal data
− If the controller transfers personal data, the fact that the controller intends to do so to a third country or
international organisation (and related information in relation to such transfers)
• The purposes of the processing must be described in accessible terms and clearly distinguished from one another
March 28, 2018 36

• Article 13(2) of the GDPR requires that additional information
should be provided where necessary to ensure fair and
transparent processing
− The retention period for personal data (or, where that is not possible,
the criteria used to determine that period);
− The data subject’s rights in relation to the personal data (being the right
to request access to and rectification of personal data, the right to
erasure of personal data, to restrict the processing of personal data, to
object of the processing of personal data and right to data portability)
− The right to lodge a complaint with a supervisory authority;
− Whether the provision of personal data is a statutory or contractual
requirement or a requirement necessary to enter into a contract and
whether the data subject is obliged to provide the personal data and
the possible consequences of failure to provide the data; and
− The existence of any automated decision-making, including profiling,
and if it is to be used, meaningful information about the logic involved,
as well as the significance and the envisaged consequences of such
processing for the data subject
March 28, 2018 37

• There can be one general notices or several notices throughout the
web site on those pages where personal information is being
collected
• It is best practice to include notices on all pages where personal
information is required to be entered
• Where the data subject already has the relevant information, the
controller will not need to provide the information to the data
subject - Article 13(4)
• The information must be concise, transparent, intelligible and easily
accessible form, using clear and plain language, in particular for any
information addressed specifically to a child; Article 12(1)
• The information shall be provided in writing, or by other means,
including, where appropriate, by electronic means
• When requested by the data subject, the information may be
provided orally, provided that the identity of the data subject is
proven by other means
March 28, 2018 38

March 28, 2018 39
Mandatory Privacy Notice Contents Specific Personal Information Collection Privacy Notice Contents
Identity and the contact details of the data
controller
The length of time for which the personal data will be stored, or if that is not possible, the criteria
used to determine it
Contact details of the data protection officer, if
one exists – see below
The right to:
 Request from the data controller access to
 Request rectification or erasure of personal data
 Restrict processing
 Object to processing
 Data portability
The purposes of the processing of personal data
and the legal basis for this processing (Article 6
Lawfulness of Processing)
The right to withdraw consent at any time, without affecting the lawfulness of processing based on
consent before its withdrawal
Who receives the personal data The right to complain to Supervisory Authority
Whether data is being transferred to a third
country or international organisation and, if so,
the safeguards that are being used and the
means by which to obtain a copy of them or
where they have been made available
If the provision of personal data is a statutory or contractual requirement or necessary to enter into a
contract, as well as whether the person is obliged to provide the personal data and of the possible
consequences of failure to provide the data
The use of automated decision-making, including profiling and where this applies meaningful
information about the logic involved, as well as the significance and the envisaged consequences of
such processing for the person

• The principle of Privacy By Design and By Default requires
that data protection measures are designed and
incorporated into the development of business processes
and systems
• The data controller is responsible for implementing
effective measures and being able to demonstrate the
compliance of processing activities even if the processing is
carried out by a separate data processor on behalf of the
data controller
• Personal data should be pseudonymised as soon as
possible after collection and expiry of its original use
March 28, 2018 40

Data Protection Impact Assessment (DPIA)
• The use of Privacy Impact Assessments (PIAs) was developed outside the EU, with
the UK being the first supervisory authority in the EU to adopt the use of PIAs
• In the UK, PIAs have been mandatory for Government departments for several
years, as well as being widely used in the privacy sector
• GDPR, in Article 35, introduces mandatory Data Protection Impact Assessments
(DPIAs) in respect of high-risk processing, that is to say, processing that poses a
high risk to the rights and freedoms of natural persons
• Article 35(3) designates three specific types of processing as high-risk so that a
DPIA is required for:
− Processing, including profiling, and on which decisions are based that produce legal effects
concerning the natural person or similarly significantly affect the natural person
− Processing on a large scale of special categories of data referred to in Article 9(1), or of
personal data relating to criminal convictions and offences referred to in Article 10
− Systematic monitoring of a publicly accessible area on a large scale
• In addition to these three cases in which a DPIA is mandatory, there is a general
obligation to conduct a DPIA where there processing is likely to result in a high risk
to the rights and freedoms of natural persons – see Article 35(1).
• Under Article 35(4), the supervisory authority is required to make public a list of
the kind of processing operations that are subject to the requirement for a DPIA
under Article 35(1) and shall communicate the list to the EDPB
March 28, 2018 41

Data Protection Impact Assessment (DPIA)
• A DPIA must address:
− A systematic description of the envisaged processing operations – this should
include the flow of personal data through the systems and business processes as
business activities are performed
− The purpose of the processing (including, where applicable, the legitimate interest
pursued by the controller)
− An assessment of why the processing is being performed and how this is
proportional to the underlying need
− An assessment of the risks to the rights and freedoms of the persons affected
− The measures envisaged to address the risks, including safeguards, security
measures and mechanisms to ensure the protection of personal data and to
demonstrate compliance with GDPR, taking into account the rights and legitimate
interests of data subjects concerned
• Where the DPIA indicates that the processing remains high risk despite the
application of measures to mitigate that risk, the controller must consult
the supervisory authority before processing – see Article 36(1)
• Member States must similarly consult the supervisory authority where
they are preparing a proposal for a legislative measure to be adopted by
the national parliament or for a regulatory measure based on legislation –
see Article 36(4)
March 28, 2018 42

Lawful Basis For Processing
• Article 5(1)(a) sets out the principle that personal data shall be
processed lawfully, fairly and in a transparent manner in relation to
the data subject
− The person has consented to the processing of their personal data for one or
more specific and prior notified purposes
− It is needed for the performance of a contract to which the person is a party or
in order to take steps at the request of the person before to entering into a
contract
− It is required to protect the vital interests of the person in question or of
another person.
− It is required so the data controlled can comply with a specific legal obligation
− It is needed to perform a task carried out in the public interest or in the
exercise of an official function of data controller
− It is necessary for the purposes of legitimate interests pursued by the
controller or by a third party, except where such interests are overridden by
the interests or fundamental rights and freedoms of the data subject which
require protection of personal data, in particular where the person is a child
March 28, 2018 43

Consent
• Explicit consent of the person must be obtained for data collection and processing,
with Article 7 setting out the basic conditions required for a consent to be valid:
− The consent must be freely given
− A proper explanation of what the individual is consenting to must have been provided before
the consent is obtained
− Separate consents must be given for separate purposes
− Consent can be refused
− Consent can be withdrawn at any time
• Consent should be informed
− The identity of the controller and the processing purposes should be detailed
− Silence or implied consent and pre-checked boxes on web pages are no longer valid
− The organisation must ask for consent and obtain explicit consent
− Plain language should be used and consent is unlikely to be achieved if data protection
notices are unintelligible or over-complicated
− Consent must be specific
− Where the data processing has multiple purposes, consent should be given for all of them
− The burden of proof that consent was obtained in a correct and explicit manner resides with
the data controller
− Consent management needs to include both the recording of consent and the circumstances
under which it was provide and while there is no requirement that consent should be in
writing, the evidential burden suggests that, in practical terms, this will occur
March 28, 2018 44

Right of Access
• Persons have the right to access their personal data and to get details about how this
personal data is being processed
• The right of subject access is complemented by the right, under Article 20 of the GDPR, to
data portability
• A controller is under an express obligation to facilitate the exercise by a data subject of
their rights, including to subject access and data portability; Article 12(2).
• A controller’s obligation under Article 20 (right of data portability) is to “transmit … data to
another controller without hindrance”
• Article 15(1) provides that a data subject shall have the right to obtain from the controller
confirmation as to whether or not personal data concerning them is being processed, and,
where that is the case, access to the personal data and the information
• The data controller has to provide
− Access to the data itself
− The categories of personal data concerned
− With whom the data is shared (that is to say, the recipients or categories of recipients to whom the
personal data is or will be disclosed and in particular, recipients in third countries)
− The envisaged storage period for the data or, if it is not possible to so specify, the criteria used to
determine that period
− How it acquired the data in the sense that where the personal data was not collected from the data
subject, any available information as to the source of the personal data
− The existence of the right of rectification or erasure or restriction of processing of personal data
− The right to lodge a complaint with a supervisory authority
− The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4)
March 28, 2018 45

Right to Rectification/ Right to Completion
• Article 16 of the GDPR provides for a right to rectification
of inaccurate data, as well as a right to have incomplete
data completed
• Data must be rectified by the data controller without
undue delay if the data is inaccurate and the data subject
has so notified the data controller
• The right to completion of data applies where the purpose
of the processing makes it appropriate and the right may
be complied with by providing a supplementary statement
March 28, 2018 46

Right to Erasure - The “Right To Be Forgotten”
• Article 17 of the GDPR confers a right to request erasure of, and cessation of
processing, personal data including any copies related to them
− Where the personal data are no longer necessary in relation to the purposes for which they
are collected
− Where the person has withdrawn their consent
− Where the person objects to the processing under Article 21(1)and there are no overriding
legitimate grounds for the processing
− Where the processing of the personal data does not otherwise comply with the GDPR
− The personal data has to be erased for compliance with a legal obligation in Union or
Member State law to which the controller is subject
− The personal data has been collected in relation to the offer of information society services
referred to in Article 8(1)
• A request for erasure can be refused where the processing is necessary for one of
the exempt purposes specified in Article 17(3), that is to say, where the processing
is necessary for:
− The exercise of the rights of freedom of expression and information;
− Compliance with a legal obligation or the exercise of a discretionary power;
− Reasons of public interest in the area of public health in accordance with Article 9(2)(h) and
(i) and Article 9(3);
− Archiving and research purposes;
− Establishment, exercise or defence of legal claims
March 28, 2018 47

Right to Erasure - The “Right To Be Forgotten”
• Article 19 requires a data controller to communicate any
rectification or erasure of personal data or restriction of
processing to any person to whom the data has been
disclosed “unless this proves impossible or involves
disproportionate effort”
• If the data subject asks, the controller must provide details
of those persons to whom the data was disclosed
March 28, 2018 48

Right To Restriction Of Processing
• Under Article 18, a data subject has the right to restrict
processing of personal data in four specified circumstances:
− The accuracy of the personal data is contested by the data subject, in
which case the restriction will be for a period enabling the controller to
verify the accuracy of the personal data
− The processing is unlawful and the data subject opposes the erasure of
the personal data and requests the restriction of its use instead – it is
not entirely clear what is meant by this provision as, if the data subject
does not want the erasure of the personal data, the inference is that
the data subject consents to the processing of the data
− The controller no longer needs the personal data for the purposes of
the processing, but the data is required by the data subject for the
establishment, exercise or defence of legal claims
− The data subject has objected to processing pursuant to Article 21(1)
pending the verification whether the legitimate grounds of the
controller override those of the data subject
March 28, 2018 49

Right to Object / Prohibition Automated Decision-
Making
• Article 21(1) confers on a data subject the right to object, on grounds
relating to their particular situation, at any time to processing of personal
data concerning the data subject which is based on Article 6(1)(e) or (f),
including profiling based on those provisions
• Article 6(1)(e) permits data processing where processing is necessary for
the performance of a task carried out in the public interest or in the
exercise of official authority vested in the controller, while Article 6(1)(f)
renders lawful processing necessary for the purposes of the legitimate
interests pursued by the controller or by a third party
• The controller shall no longer process the personal data unless the
controller demonstrates compelling legitimate grounds for the processing
which override the interests, rights and freedoms of the data subject or for
the establishment, exercise or defence of legal claims
• Article 22(1) prohibits automated decision-making subject to a number of
exceptions
− Automated decisions subject to Article 22 are decisions based solely on automated
processing that produce legal effects concerning the data subject or significantly
affect the data subject
March 28, 2018 50

Data Portability
• A person must be able to transfer their personal data from one controller to
another without being prevented by the data controller - Article 20
− This covers both the information content – what was supplied – and the metadata
• The right to data portability is the “right to receive the personal data concerning
[the data subject], which [the data subject] has provided to a controller” – see
Article 20(1)
• The right applies where consent to data processing has been provided under
Article 6(1)(a) (express consent) or Article 9(2)(a) (special categories of personal
data) and where the processing is automated
• The right does not apply where the processing is necessary for the performance of
a task carried out in the public interest or in the exercise of official authority
vested in the controller – see Article 20(3)
• The right to data portability does not arise
− Where data is processed by a controller under a legal duty or in exercise of discretionary
powers
− Where processing is necessary in order to protect the vital interests of the data subject or of
another natural person
− Processing is necessary for the performance of a task carried out in the public interest or in
the exercise of official authority vested in the controller
March 28, 2018 51

Data Protection Officer
• Article 37 sets out the circumstances in which designation of a Data Protection
Officer (DPO) is mandatory for certain data controllers and data processors
• All public authorities (except for courts)
• Where the core activities of the controller or processor monitor individuals
systematically (such as tracking and profiling on the Internet) and on a large scale
• Where the core activities of the controller or processor consist of large scale
processing of the special categories of data under Article 9 and personal data
relating to criminal convictions and offences referred to in Article 10
• The DPO is independent (Article 38(3)) and must be given sufficient resources
(Article 38(2)) to carry out their tasks effectively.
• Article 37(5) provides that the DPO shall be designated on the basis of
professional qualities and, in particular, expert knowledge of data protection law
and practices and the ability to fulfil the tasks of a DPO set out in Article 39
− The DPO should be skilled and experienced in managing IT processes, data security (including
dealing with network attacks) and be knowledgeable in the issues around the holding and
processing of personal and sensitive data
− The skills required depend on the organisation and the processing it performs
− The DPO should also know the administrative rules and procedures of the organisation
− The organisation should include the DPO in all issues relating to the protection of personal
data in a timely manner
March 28, 2018 52

Pseudonymisation
• Pseudonymisation” is defined in Article 4(5) of the GDPR
• Means the processing of personal data in such a manner that the personal data can no
longer be attributed to a specific data subject without the use of additional information,
provided that such additional information is kept separately and is subject to technical and
organisational measures to ensure that the personal data are not attributed to an identified
or identifiable natural person
• Article 29 Working Party:
− “pseudonymisation is not a method of anonymisation. It merely reduces the linkability of a dataset with
the original identity of a data subject, and is accordingly a useful security measure.”
• Encryption is a form of pseudonymisation
− The original data cannot be read
− The process cannot be reversed without the correct decryption key
− GDPR requires that this additional information be kept separate from the pseudonymised data.
• Pseudonymisation reduces risks associated with data loss or unauthorised data access
− Pseudonymised data is still regarded as personal data and so remains covered by the GDPR
− It is viewed as part of the Data Protection By Design and By Default principle
• Pseudonymisation is not mandatory
− Implementing pseudonymisation with existing IT systems and processes would be complex and expensive
and, to that extent, pseudonymisation might be considered an example of unnecessary complexity within
the GDPR
March 28, 2018 53

Pseudonymisation
• GDPR Recital 26
− The principles of data protection should apply to any information concerning an identified or
identifiable natural person. Personal data which have undergone pseudonymisation, which
could be attributed to a natural person by the use of additional information should be
considered to be information on an identifiable natural person. To determine whether a
natural person is identifiable, account should be taken of all the means reasonably likely to
be used, such as singling out, either by the controller or by another person to identify the
natural person directly or indirectly. To ascertain whether means are reasonably likely to be
used to identify the natural person, account should be taken of all objective factors, such as
the costs of and the amount of time required for identification, taking into consideration the
available technology at the time of the processing and technological developments. The
principles of data protection should therefore not apply to anonymous information, namely
information which does not relate to an identified or identifiable natural person or to
personal data rendered anonymous in such a manner that the data subject is not or no
longer identifiable. This Regulation does not therefore concern the processing of such
anonymous information, including for statistical or research purposes.
• Pseudonymisation is not anonymisation
− Anonymisation means data cannot be attributed to a person
− Pseudonymisation means data can be attributed to a person using additional information
− Pseudonymisation just makes identifying persons from data more difficult, time-consuming
and expensive
March 28, 2018 54

Pseudonymisation
• Article 89 (1): as a means of enhancing protection in case
of further use of data for research and statistics
• Article 6 (4): as a means of possibly contributing to the
compatibility of further use of data
• Article 25: as a means to contribute to “privacy by design”
in data applications
• Recital 28: “The application of pseudonymisation to
personal data can reduce the risks to the data subjects
concerned and help controllers and processors to meet
their data-protection obligations. The explicit introduction
of ‘pseudonymisation’ in this Regulation is not intended to
preclude any other measures of data protection.”
March 28, 2018 55

Pseudonymisation
• Pseudonymisation means removing the link between data and its attribution to a
specific individual
• Add a layer of complexity, time and expense to person identification
• There are many (complex) approaches to pseudonymisation
• Pseudonymisation aims to provide an extra layer of security
− It does not stop personal data being lost
− It just reduces the likelihood that lost personal data can be used
March 28, 2018 56
IT System
Person Personal
Data Field 1
Personal
Data Field 2
Person 1 Data 1 P 1 Data 2 P 1
Person 3 Data 1 P 3
Personal Data
Lose Or Allow Access To
This And Personal Data
Can Be Read By Anyone
IT System
Person Personal Data
Field 1
Personal Data
Field 2
6AC1B12B A51B6F4B E78A52F3
A27E3B3A 6E4DA618 CB9FC8AE
4F5C7F63 925A58D2
Personal Data
Direct Data
Access
1
Lose Or Allow Access To
This And Personal Data
Cannot Be Read With
Ability to Decrypt
2
1. System Retrieves
Encryption Key
2. Encrypted Data Read and
Written And Decrypted
Using Key

• is impossible to have 100% security 100% of the time and still collect and process
information
− So organisations should assume a data breach however minor will happen at some time
− Security systems should be designed to facilitate the discovery of any breach as soon as possible;
• It is important to reduce the scope and effect of the breach, the time to identify that the
breach has occurred and to respond more quickly and effectively to limit the damage.
− Organisations are responsible for the implementation and operation of sufficient countermeasures to
prevent as much as possible, detect and handle breaches
− A data breach in itself will not necessary attract administrative sanctions
− The failure to have structures in place to prevent, detect and handle breaches will
• A “personal data breach” is defined in Article 4(12) of the GDPR as:
− “means a breach of security leading to the accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
• A controller is required to document all cases of personal data breach comprising the facts
relating to the personal data breach, its effects and the remedial action taken; Article 35(5)
• Unless the personal data breach is unlikely to result in a risk to the rights and freedoms of
natural persons, the controller is under a legal obligation to notify the supervisory authority
of a personal data breach within 72 hours (and if not an explanation of the delay) after
having become aware of the data breach; Article 35(1)
March 28, 2018 57

• Under Article 35(3), the notification must include:
− A description of the nature of the personal data breach including, if possible, the categories
and approximate number of persons affected and the categories and approximate number of
personal data records affected
− The name and contact details of the Data Protection Officer or other contact point where
more information can be obtained
− A description of the likely consequences of the personal data breach
− A description of the measures taken or that are proposed to be taken by the data controller
to address the personal data breach, including any measures to mitigate its possible adverse
effects
• Persons affected by the data breach must be notified if the breach is likely to have
a high risk to their rights – see Article 34(1)
• Importantly, data controllers do not have to notify affected persons if protection
measures were implemented that rendered the personal data unintelligible – see
Article 34(3)
− A notice required to be given to data subjects must describe in clear and plain language the
nature of the personal data breach and contain at least the name and contact details of the
Data Protection Officer (or other contact point where more information can be obtained)
− A description of the likely consequences of the personal data breach; and a description of the
measures taken or that are proposed to be taken by the data controller to address the
personal data breach, including any measures to mitigate its possible adverse effects – see
Article 34(2) (by reference to Article 33(b) to (d)
March 28, 2018 58

Penalties and Sanctions
• Failure to comply with GDPR can result in administrative penalties and other sanctions
• Warnings – under Article 58(2), a supervisory authority has specific powers to issue warnings to a controller or processing that
intended processing operations are likely to infringe the GDPR and reprimands where processing operations have infringed
the GDPR
• Data protection compliance audits – Article 58(1) confers on supervisory authorities investigative powers, including, at Article
58(1)(b) the power to carry out investigations in the form of data protection audits;
• Fines - two levels of fines
− €10,000,000 or up to 2% of the annual worldwide turnover of the preceding financial year, whichever is the greater, for failures relating to:
• Conditions applicable to child's consent in relation to information society services
• Failures in data processing and security
• Notification of a personal data breach to the supervisory authority
• Communication of a personal data breach to the data subject
• Data protection impact assessment
• Designation of the data protection officer
• Certification
− €20,000,000 or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is the greater for failures relating to:
• Principles relating to processing of personal data
• Lawfulness of processing
• Conditions for consent
• Processing of special categories of personal data
• Information and access to personal data
• Information to be provided where personal data are collected from the data subject
• Right of access by the data subject
• Right to rectification
• Right to erasure
• Right to restriction of processing
• Right to data portability
• Automated individual decision-making, including profiling
• Transfers of personal data to third countries or international organisations
March 28, 2018 59

Implementing and Operating GDPR
March 28, 2018 60

Implementing and Operating GDPR
• GDPR compliance is achieved through a combination of processes
and technology
• Most of the impact that GDPR will have is on existing IT systems that
process personal data
• The effort to implement and operate GDPR will depend on the scope
of the problem which is dictated by the amount of personal data the
organisation collect and processes
• The problem with many compliance initiatives is that they tend to be
treated as single projects operating in an organisation silo rather
than as being part of a wider and more general and shared
compliance framework
• Despite have a broad scope across the organisation, GDPR
compliance will more likely in many cases be treated as yet another
stand-alone initiative
• It is simply not possible to quantify the volume and types of requests
that individuals will make under GDPR
March 28, 2018 61

GDPR Compliance Preparatory Steps
1. Determine the organisation’s role under the GDPR – data
controller or data processor
2. Assign someone to the Data Protection Officer role/team
3. Implement consent management
4. Review and update data retention and data backup
5. Identify and document business processes and associated
IT systems processing personal data
6. Identify and assess any cross-border data flows
7. Prepare for persons exercising their GDPR rights
8. Prepare for a data breach
March 28, 2018 62

Determine The Organisation’s GDPR Role
• Inform your employees about GDPR risks and appropriate
behaviours by defining clear policies on the collection and
use of personal data and any collaboration and sharing or
maintenance of local uncontrolled copies
• Implement security awareness and privacy training
March 28, 2018 63

Fill The Data Protection Officer Role And Team
• The primary role DPO is to ensure the organisation is compliant with
GDPR
• Initially, appoint someone to the DPO role irrespective of any legal
necessity
• The role does not have to be full-time
• Once compliance is achieved the level of work may reduce
• The DPO role is cross-functional. It spans the entire organisation,
crossing the boundaries of business functions
• These roles are often very difficult to implement as they encroach on
the territories of business function leaders and, in doing so,
encounter resistance
• To be successful the DPO role needs to be supported from the
highest levels in the organisation
• Train personnel
March 28, 2018 64

Implement Consent Management
• Consent management involves:
− Identifying all points where personal data is collected across all
communication channels
− Identifying the data processing processes where consent is
required
− Drafting GDPR consent management notices
− Updating communication channels such as the organisation web
site(s) with GDPR consent notices
− If data is collected from children, implement an approach to
collect consent from parents or guardians
− Updating IT systems to record consent details and allow consents
be subsequently updated
March 28, 2018 65

Review And Update Data Retention And Backup
• Reviewing existing approaches to data archival, retention
and deletion, if any
• Reviewing data backup processes to ensure data not being
retained is not held on backups
• Implement data retention and deletion policies and
procedures
• Update data backup policies and procedures
March 28, 2018 66

Identify And Document Business Processes And
Associated IT Systems Processing Personal Data
• Create an inventory of personal data collected, created, processed and derived
− Review the reasons why personal data is collected and stop collecting if it is not necessary or justifiable.
• Identify any high-risk data collected or generated
− Consider conducting DPIAs for these
• Identify if you process any of the special categories of personal data and handle this
instances in more detail
− Consider conducting retrospective DPIAs for these
• Where personal data is collected ensure explicit consent is obtained
• Develop and implement notices on all personal data collection points
− Identify points were consent is necessary.
• Create an inventory of business processes where personal data is involved
− Appoint business process owners
− Document these business processes with those involved in their operation
− Define business process review dates, at least annually
• Document the legal grounds for processing this personal data
• Create an inventory of IT systems that store and process personal data
• Map the flow of personal data across business processes and IT systems from initial
collection to its processing and ultimate deletion.
• Consider initiating a business process review and update exercise that minimises the
amount of personal data being collected and processed to reduce compliance overhead
and risk
March 28, 2018 67

Identify And Document Business Processes And
Associated IT Systems Processing Personal Data
• This data discovery and profiling work has the potential to be quite onerous,
depending on the number of IT systems and processes involved in processing
personal data.
• Review your network security, especially on systems that contain personal data
that can be accessed from outside the organisation
• Identify any third-parties involved in data collection and data processing for your
organisation such as IT outsourcing or business process outsourcing arrangements
• For each of these outside organisations you must ensure that they too are
compliant with GDPR:
− Review their network security
− Review their data retention policies to ensure personal data is deleted as soon as it is no
longer needed
− Review data backup processes and amend to ensure data not being retained is not held on
backups
− Ensure they appoint a DPO
− Review their process for handling data breaches
• Where suppliers fail to meet GDPR compliance requirements they must resolve
these issues or you must replace the
March 28, 2018 68

Organisation Conceptual Data Model
• Consider building an organisation conceptual data model
to assist with identifying personal data processing and data
flows
March 28, 2018 69

Generic Organisation Conceptual Data Model
March 28, 2018 70

Generic Data Conceptual Data Model – Components
- 1 of 2
28 March 2018 71
Component Description
External Interacting Parties These are the range of external parties that supply data to and access data from the enterprise
External Party Interaction
Zones, Applications, Channels
and Facilities
These are the set of applications and data interface and exchange points provided specifically to
External Interacting Parties to allow them supply data to and access data from the enterprise
These can be hosted internally or externally or a mix of both
External Third Party
Applications
These are third-party applications (such as social media platforms) that contain information
about the enterprise or that are used by the enterprise to present information to or interact with
External Interacting Parties or where the enterprise is referred to, affecting the perception or
brand of the enterprise
External Data Sensors Sources of remote data measurements
External Party Interaction Zones
Data Stores
These are applications and sets of data created by the enterprise to be externally facing where
external parties can access information and interact with the enterprise
External Devices These are devices connected with services offered by the enterprise (such as ATMs and Kiosks)
Date Intake/Gateway This is the set of facilities for handling data supplied to the enterprise including validation and
transformation including a possible integration or service bus
This can be hosted internally or externally or a mix of both
Line of Business Applications This represents the set of line of business applications deployed on enterprise owned and
managed infrastructure used by business functions to operate their business processes
Organisation Operational Data
Stores
These are the various operational data stores used by the Line of Business Applications

Generic Data Conceptual Data Model – Components
- 2 of 2
28 March 2018 72
Component Description
Line of Business Applications
Hosted Outside the Organisation
This represents the set of line of business applications deployed on external infrastructure used
by business functions to operate their business processes This includes cloud facilities such as
external data storage and XaaS facilities and an integration service to connect external data to
internal data
External Application Operational
Data Stores
These are the various operational data stores used by the Line of Business Applications used by
Line of Business Applications Hosted Outside the Organisation
Data Mastering These are facilities to create and manage master data and data extracted from operational data
to create a data warehouse and data extracts for reporting and analysis. This includes an extract,
transformation and load facility
Data Reporting and Analysis
Facilities
This represents the range of tools and facilities to report on, analyse, mine and model data
Document Sharing and
Collaboration
These are tools used within the enterprise to share and collaborate on the authoring of
documents
Document Management Systems These are systems used to manage transactional and ad hoc structured and unstructured
documents in a formal and controlled manner, including the metadata assigned to documents
Desktop Applications These are applications used by individual users to view and author documents
Document and Information
Portal
This provides structured access to documents and information including externally hosted
applications providing these facilities
Unstructured Data Stores These are storage locations for enterprise documentation

Zones Within Data Fabric Conceptual Data Model
• Sets of components of conceptual data fabric model can
be grouped into zones:
− Internal – within the enterprise’s boundary
− Cloud Extension – extensions to enterprise applications and data
held in external cloud platforms
− Interface – set of components responsible for getting data into
and out of the enterprise and presenting data and applications
externally
− Externally Located Extension – infrastructure and applications
that are connected to the wider enterprise network
− External Controlled – components outside the enterprise but
under the control of the enterprise
− External Uncontrolled – components outside the enterprise and
not under the direct control of the enterprise
28 March 2018 73

Why Create A Conceptual Data Fabric Model?
• Conceptual data fabric model represents a rich picture of the
enterprise’s data context
− Embodies an idealised and target data view
• Detailed visualisations represent information more effectively than
lengthy narrative text
− More easily understood and engaged with
• Show relationships, interactions
• Capture complexity easily
• Provides a more concise illustration of state
• Better tool to elicit information
• Gaps, errors and omissions more easily identified
• Assists informed discussions
• Evolve and refine rich picture representations of as-in and to-be
situations
March 28, 2018 74

Identify and Assess Any Cross-Border Data Flows
• The EDPS has produced guidance on international data transfers – see
https://edps.europa.eu/data-protection/data-protection/reference-library/international-
transfers_en
• Transfers to any of the 28 EU member states (the status of the UK after BREXIT is not
currently defined) are still allowed as well as to Norway, Liechtenstein and Iceland, that is
countries that are members of the European Economic Area (EEA)
• The European Commission has Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel,
Isle of Man, Jersey, New Zealand, Switzerland and Uruguay to have an adequate level of
protection so data transfers to these countries are also possible
• In February 2016, after the previous Safe Harbour scheme was rendered invalid, the
European Commission and the United States agreed on a framework for transatlantic data
transfers called the EU-U.S. Privacy Shield
• The European Commission officially deemed this to be adequate in July 2016 – see
http://europa.eu/rapid/press-release_IP-16-2461_en.htm
• In the absence of adequacy decisions for particular countries you should use proper and
suitable safeguards such as Binding Corporate Rules (BCRs) and contracts. BCRs are
described in Article 47 of GDPR and in the working document created by the Article 29
Working Party Elements and Principles to be Found in Binding Corporate Rules (BCR)
http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48798
March 28, 2018 75

Binding Corporate Rules (BCR)
• Any BCRs must be legally binding and must specify clearly the duties and responsibilities of each
participating member of the group of undertakings or group of enterprises engaged in a joint economic
activity including their employees. BCRs must apply to every member of the group
• The group of undertakings can include international organisations, business alliances, joint ventures,
outsourcing arrangement, or shared economic activities
• The BCR should cover:
− Structure and members of the group sharing the joint economic activity
− Contact details of overall group and of each member
− Contact details for DPO function of each member
− Details on data protection training for staff with access to personal data
− Obligations towards the relevant supervisory authorities
− The tasks of any DPO or other business function responsible with compliance monitoring.
− Numbers or and details on the data transfers including the data being transferred
− Purpose of the data transfers
− Processing perform by each member of the group
− Legally binding obligations of each member towards one another and towards the persons whose data is being
processed
− Statement of liability of data controller or data processor in EU with regards to breaches of the BCRs by any
member outside the EU
− Persons rights, the ways to exercise those right including the right to complain
− Provision of information on the BCRs towards persons to meet obligations, duties and rights of information of
the GDPR
− Complaint procedures and complaint handling
− Data protection audits including scope and frequency and the methods of correction to protect persons’ rights
− Application of general data processing principles and generally accepted privacy principles
March 28, 2018 76

Binding Corporate Rules (BCR)
• Outsourcing review activity should also include:
− Review all external data processing arrangements, including data
storage and use of external applications, that store personal data
− Determine the GDPR compliance of these processing
arrangements and consider rationalising suppliers
− Review the contracts and agreements associated with these
arrangements
− Update the agreements to include GDPR-specific details
− Review and update supplier selection and procurement processes
to include GDPR-specific requirements in selection factors and in
new service contracts
March 28, 2018 77

Prepare for Persons Exercising Their GDPR Rights
• The operation of GDPR will give rise to the need to develop, implement and
operate a number of business processes and associated standard operating
procedures to implement the rights of persons under GDPR
• The inventory of these processes includes:
1. Request Tracking
2. Consent and Consent Recording and Tracking
3. Consent Withdrawal
4. Access to Data
5. Data Rectification
6. Restriction of Processing
7. Data Objection
8. Profiling Objection
9. Data Erasure
10. Data Portability
11. Complaint Handling
12. Personal Data Breach Notification
13. Person Data Breach Notification
14. Record of Audits of Third-Party Data Processors
• This is lengthy list of processes
• Their definition, implementation and operation has the potential to be onerous
March 28, 2018 78

Generalised Information Lifecycle And GDPR
• To achieve compliance with GDPR,
the lifecycles of personal data
processes should be documented
and formalised
• In particular data archival, data
retention and data deletion –
stages in the information lifecycle
that are currently infrequently not
handled well, if at all – need to be
implemented
March 28, 2018 79
Enter, Create, Acquire,
Derive, Update,
Integrate, Capture
Secure, Store,
Replicate and
Distribute
Preserve, Protect and
Recover
Archive and Recall
Delete/Remove
Implement Underlying
Technology
Architect, Budget,
Plan, Design and
Specify
Present, Report,
Analyse, Model

Information Lifecycle And GDPR
• Architect, Budget, Plan, Design and Specify - This relates to the design and specification of the data
storage and management and their supporting processes. This establishes the data management
framework
• Implement Underlying Technology - This is concerned with implementing the data-related hardware and
software technology components. This relates to database components, data storage hardware, backup
and recovery software, monitoring and control software and other items
• Enter, Create, Acquire, Derive, Update, Integrate, Capture - This stage is where data originated, such as
data entry or data capture and acquired from other systems or sources
• Secure, Store, Replicate and Distribute - In this stage, data is stored with appropriate security and access
controls including data access and update audit. It may be replicated to other applications and distributed
• Present, Report, Analyse, Model - This stage is concerned with the presentation of information, the
generation of reports and analysis and the created of derived information
• Preserve, Protect and Recover - This stage relates to the management of data in terms of backup,
recovery and retention/preservation
• Archive and Recall - This stage is where information that is no longer active but still required in archived
to secondary data storage platforms and from which the information can be recovered if required
• Delete/Remove - The stage is concerned with the deletion of data that cannot or does not need to be
retained any longer. Data has to be able to be disposed of in a managed, systematic and auditable way
• Define, Design, Implement, Measure, Manage, Monitor, Control, Staff, Train and Administer,
Standards, Governance, Fund - This is not a single stage but a set of processes and procedures that cross
all stages and is concerned with ensuring that the processes associated with each of the lifestyle stages
are operated correctly and that data assurance, quality and governance procedures exist and are
operated
March 28, 2018 80

Map GDPR Processes And Their Impacts To
Information Lifecycle
March 28, 2018 81
Architect,
Budget, Plan,
Design and
Specify
Implement
Underlying
Technology
Enter, Create,
Acquire,
Derive,
Update,
Integrate,
Capture
Secure, Store,
Replicate and
Distribute
Present,
Report,
Analyse,
Model
Preserve,
Protect and
Recover
Archive and
Recall
Delete/
Remove
Define,
Design,
Implement,
Measure,
Manage,
Monitor,
Control, Staff,
Train and
Administer,
Standards,
Governance,
Fund
Request Tracking X X X X
Consent and Consent
Recording and Tracking
X X X X X X X
Consent Withdrawal X X X X X X X
Access to Data X X X X X X X
Data Rectification X X X X X X X
Restriction of Processing X X X X X X X
Data Objection X X X X X X X
Profiling Objection X X X X X X X
Data Erasure X X X X X X X X
Data Portability X X X X X X X
Complaint Handling X X X X
Personal Data Breach
Notification
X X X X
Person Data Breach
Notification
X X X X
Record of Audits of Third-
Party Data Processors
X X X X

Request Tracking Facility – Sample Facility Required
March 28, 2018 82
Information Item Description
Date and Time Request Received The date and time that the request is received from the individual/authorised entity
Received By The person of business function who logged the request
Source The source of the request
Request Type The type of the request
Priority A priority assigned to the request
Request Details A description of the request
Requester Contacted for Clarification A flag indicating if the requester needs to be or was contacted to clarification
Clarification Received Notes on clarification received
Request Reviewed and Approved for
Processing
A flag indicating that the request contains sufficient details to allow it to be processed
Date Request Processing Started The date that formal response processing started. The due date is calculated from this date, based on the
request type
Date Request Response Due The due date of the response
Business Functions Affected by Request A list of business functions within the organisation affected by the request
Third Parties Affected by Request A list of third-parties within the organisation affected by the request
Request Sent to Business Functions <N> Details on the request sent to the business function, date and time, person, details of request, date due, date
received, clarification required and received. This will be repeated for each affected business function. There
will be a sub workflow for each business function
Request Sent to Third Party <N> Details on the request sent to the third party, date and time, person, details of request, date due, date
received, clarification required and received. This will be repeated for each affected third party. There will be a
sub workflow for each business function
Response Reviewed Date and Time The date and time that the response is received and collated
Response Reviewed By The person who reviewed the response
Response Redaction Required A flag indicating that the response needs to be redacted before it is issued to the requester
Response Redaction Notes Notes on the nature of and reason for the redaction of the response
Response Redaction Completed By The person who completed the redaction
Response Redaction Reviewed By The person who reviewed the redaction
Response Redaction Reviewed Date and
Time
The date and time the redaction was reviewed and approved
Response Release Authorised By The person who authorise the release of the response
Date and Time Response Issued The date and time the response was issued
Response The response or details on where the response is stored
Response Covering Communication The covering communication that accompanied the response

Prepare For A Data Breach
• At a high-level, the activities involved in this include:
− Identify Supervisory Authority contact details
− Document a list of breach scenarios and identify steps to be
performed
− Create draft breach notifications including Supervisory Authority
and personal contacts
− Document breach management process including roles and
responsibilities
March 28, 2018 83

Approaches To Achieving Compliance
• The owner of the business processes where personal data is collected and processed is
responsible for compliance
− The DPO is not responsible for compliance
− The DPO assists with compliance
− So the organisation should formally appoint business process owners
− These business process owners should conduct privacy impact and risk assessments regularly
• Risk management plays a large part of achieving compliance with GDPR
− Business process owners should be able to informed decisions on how to address risks in their data
processing processes within the processes for which they are responsible
− Risks can be mitigated until the residual risk is within tolerable limits
• Achieving compliance with GDPR should, in the first instance, focus on personal simplification,
reduction and minimising the amount of personal data you collect and process, is possible
− Consider moving to excluding access to personal data by default.
− Review any processing performed by third-parties, any outsourcing arrangements or use of cloud systems or
platforms
• Review your sourcing and supplier selection factors and ensure they explicitly include security
controls, privacy management and privacy control functions, certifications and approach to
auditing
• Note that mobile devices come under the ambit of GDPR if they are used for the processing of
personal data
− Data breaches occur when mobile devices are lost, resulting in unintended loss of control over personal data
− A mobile device management facility including the ability to remotely wipe lost devices might be required
− Previous Bring Your Own Device (BYOD) policies might need to be revisited employees do not consent to his
personal device being remotely monitored and controlled
March 28, 2018 84

Approaches To Achieving Compliance
• GDPR compliance cost could be substantial
• PwC have conducted a number of surveys on the GDPR
preparations and estimated budgets for 300 large organisations
in the UK, US and Japan
− The most recent survey is from July 2017 –see
https://www.pwc.com/us/en/increasing-it-
effectiveness/publications/general-data-protection-regulation-gdpr-
budgets.html
• Highlights
− In July 2017, only 11% of executives surveyed said their companies have
now finished operationalised preparations
− Of the companies who said they have finished preparations, 88%
reported spending more than USD 1 million on GDPR preparations and
40% reported spending more than USD 10 million
− Among all companies, 60% said they plan to spend at least USD 1
million on GDPR preparation projects and 12% plan to spend more than
USD 10 million
March 28, 2018 85

Survey Of State Of GDPR Compliance – Preparation
Status
March 28, 2018 86

Survey Of State Of GDPR Compliance – Estimated
Budget
March 28, 2018 87

IT Systems And GDPR Compliance
• There are multiple IT systems, each of which will store
personal data
− Personal data may also exist in the form of documents scanned
into document management systems or documents generated
and store in electronic folders or in email systems.
• The same person will have different sets of data stored
across these systems
− The person may not uniquely identifiable across these systems
− There may be variations in the spelling of names and addresses
and different data formats
March 28, 2018 88

High-Level Representation Of IT System Landscape
And Personal Data
March 28, 2018 89
Operational IT
System 1
Person Personal
Data Field 1
Personal
Data Field 2
Person 1
Person 2
Person 3
Data Store
Operational IT
System 2
Person Personal
Data Field 1
Personal
Data Field 2
Person 1
Person 2
Person 3
Data Store
Scanned
Documents
External
Documents
Document Store
Reporting IT
System
Person Personal
Data Field 1
Personal
Data Field 2
Person 1
Person 2
Person 3
Data Store
Person Personal
Data Field 1
Personal
Data Field 2
Person 1
Person 2
Person 3
Cloud Data Store

GDPR And Personal Data Landscape
March 28, 2018 90
Personal Data Landscape
Consent
Fairness
Lawful
Transparency
Retention
and
Deletion
Anonymisation
Pseudonymisation
Accuracy
and
Currency
Security
Legitimate
Purpose
Accountability
Minimisation
Access
Policies
Appropriate
Usage
Data Lifecycle
Data
Ownership Data
Governance

GDPR And Personal Data Landscape
• GDPR now imposes strict and severe legislative constraints
on the organisation’s personal data landscape
March 28, 2018 91

IT System Compliance Options
• Option 1: Modify each operational IT system to hold additional information
such as GDPR flag indicating that the data is personal and comes under the
scope of GDPR, retention details, consent details, deletion details
− Potentially very expensive and time consuming
− If the IT systems are sourced from third-parties these organisations may over time
update their systems to allow the additional GDPR-related information to be stored
• Option 2: Implement a separate system that takes data from the
operational systems and that create a single consolidated view of personal
data across these systems
− Involves developing or sourcing a software system to provide this consolidated
personal data management functionality
− One of the issues with having a separate system is that changes that occur in the
underlying operational systems have to be reflected in it
• Both of these solution approaches just provide containers for GDPR-
related information on personal data to be stored
− That information has to be defined and completed and subsequently maintained
March 28, 2018 92

GDPR Related Metadata
• For each item of personal data collected after GDPR goes live and held in an
application or stored outside IT systems, there is a need to maintain a set of
GDPR-related metadata
• Set of metadata will depend on the approach to handling the GDPR compliance
processes
• The metadata can be stored within each application or stored in a separate
personal information management tool or be shared between them
• The metadata can include:
March 28, 2018 93
GDPR Metadata Description
Personal Information Flag Flag indicating that the field contains personal data
Sensitive Information Flag Flag indicating that the field contains sensitive personal data
Retention Date The date up to which the information can be retained and after which it must be
deleted
Consent Identifier A link to where consent about the collection and processing of this data is held
Consent Withdrawal Flag A flag indicating that consent to use the data has been withdrawn
Data Erasure Flag A flag indicating that the data was erased
GDPR Tracking Identifier Link to case management facility for activity relating to this field
Restriction of Processing Flag A flag indicating that the processing of the data is restricted

Consolidated Personal Data Management
• Implementation option 1 involves some form of Consolidated
Personal Data Management that contains details on personal
data being held in all organisation IT systems
• Provides a centralised facility to operate GDPR without the
need to make substantial changes to existing IT systems
March 28, 2018 94
IT System 1
Person Personal
Data Field 1
GDPR
Details
Personal
Data Field 2
GDPR
Metadzta
Person 1
Person 2
Person 3
Data Store
IT System 2
Person Personal
Data Field 1
Personal
Data Field 2
Person 1
Person 2
Person 3
Data Store
Person Personal
Data Field 1
Personal
Data Field 2
Person 1
Person 2
Person 3
Consolidated Personal Data Management

Implementing Pseudonymisation
• Pseudonymisation is concerned with removing the ability
to link data to a person
• Direct data access is replaced with indirect data access
that requires some form of key, held separately from the
personal data, to translate personal data into a usable
format
• Implementing pseudonymisation is complex
• Remember - pseudonymisation is not a mandatory GDPR
requirement
March 28, 2018 95

Pseudonymisation
• Pseudonymisation is widely used for research data
containing personal information (such as medical trials)
− https://www.openpseudonymiser.org/
• Data volumes very small and pseudonymisation performed
in batch
• Approach is not really suitable or scalable for a an
operational business personal data processing
environment
March 28, 2018 96

Encryption And Key Pairs
• Based on PKI (Public Key Infrastructure)
• Based on Key Pairs
• Each data sender and receiver gets a pair of keys:
− Public Key
− Private Key
• The public keys are published and the private keys are kept
secret
• Communications involve only public keys and no private
key is ever transmitted or shared
• Anyone can encrypt with the public key, only one person
can decrypt with the private key
March 28, 2018 97

Key Pairs
March 28, 2018 98
Data Application Data Store
Public Key of
Data Application
Private Key of
Data Application
Public Key of
Data Store
Private Key of
Data Store
Data Application
Knows This
Data Store
Knows This

Pseudonymisation And Key-Based Encryption
• Pseudonymisation can be implemented using a single key
pair or two key pairs
• Single key pair
− Encryption facility encrypts data using public key and decrypts
using private key
− Public and private keys are kept separate
• Two key pairs
− Data is encrypted twice – using the public key of the store and the
private key of the application
− Encryption facility encrypts data using public key of data store and
the private key of data application and decrypts using private key
− Public and private keys are kept separate
March 28, 2018 99

Pseudonymisation And Single Key Pair
March 28, 2018 100
IT System
Person Personal
Data Field 1
Personal
Data Field 2
Person 3 Data 1 P 3
Personal Data
Lose Or Allow Access
To This And Personal
Data Can Be Read
By Anyone
IT System
Person Personal Data
Field 1
Personal Data
Field 2
6AC1B12B A51B6F4B E78A52F3
A27E3B3A 6E4DA618 CB9FC8AE
4F5C7F63 925A58D2
Personal Data
Direct Data Access – No Encryption
1
Lose Or Allow
Access To This
And Personal
Data Cannot Be
Read With Ability
to Decrypt
2
1. System Retrieves Encryption Public
Key
2. Encrypted Data Written Using
Public Key
3. Encrypted Data Decrypted Using
Private Key
4. Decrypted Data Available for Use
Encryption/
Decryption
Layer
3
4
Direct Data Access – Encryption

Pseudonymisation Using Separate Encryption
• This involves using application-level encryption combined with Data
Store Key
− Data Application generates random characters
− Data Application encrypts data using random character as key
− Data Application encrypts random characters with Data Store public key
− Combine encrypted data and encrypted key as data sent to Data Store
March 28, 2018 101
1
Public Key
Storeb1952360d460d463eefb9d7a
a3b306668b3f5e36a064e4256
b546e6fdca93ee7
2
188a955f463ab8339ee7843ce
5f09a76ed702a457890186c74
2b2706e7ab0e63d51ebd8b19
f13e091182137f63856978
3
=
+4

Key Encryption With Key Pairs
March 28, 2018 102
Encrypted with Public Key
of Data Store
Encrypted with Private
Key of Data Application
Data
Applicatio
n
Data StoreData Read and Write Layer
Decrypted with Private
Key of Data Store
Decrypted with Public
Key of Data Application
Write Data
Read Data
Unencrypt
ed Data
Decrypted
Data

Pseudonymisation With Separate Keys For Each
Individual Person - Write
March 28, 2018 103
Person Identifier Person Public Key
6AC1B12B
A27E3B3A
4F5C7F63
A51B6F4B
Person Identifier Person Private Key
6AC1B12B
A27E3B3A
4F5C7F63
A51B6F4B
Data Application
Public Key of
Data Application
Private Key of
Data Application
Data Store
Write Data for Person 1
Step 1 Encrypt With
Person 1 Public Key
Step 2 Encrypt With
Application Private
Key
Encrypted Data
Decrypted
Data
Write

Pseudonymisation With Separate Keys For Each
Individual Person - Read
March 28, 2018 104
Person Identifier Person Public Key
6AC1B12B
A27E3B3A
4F5C7F63
A51B6F4B
Person Identifier Person Private Key
6AC1B12B
A27E3B3A
4F5C7F63
A51B6F4B
Data Application
Public Key of
Data Application
Private Key of
Data Application
Data Store
Read Data for Person 1
Step 2 Encrypt With Data
Application Public Key
Step 3 Decrypt With
Person 1 Private Key
Encrypted
Data
Step 1 Request
Data for Person 1
Decrypted
Data
Read

Pseudonymisation And Data Breaches
• Pseudonymisation means removing the direct link between
data and its attribution to a specific individual
− Direct data access is replaced with indirect data access that requires
some form of key, held separately from the personal data, to translate
personal data into a usable format
− Adds a layer of complexity, time and expense to person identification
− There is still an indirect link so the data is usable
− Data is not being anonymised
• There are many (complex) approaches to pseudonymisation
• Pseudonymisation provides an extra layer of security
− It does not in itself stop personal data being lost
− It just reduces the likelihood that lost or leaked personal data can be
read – both the encrypted data and the means to decrypt it must be
lost or leaked
March 28, 2018 105

Implementing Pseudonymisation
• Potentially complex and expensive, depending on the
implementation approach
− Pseudonymise at the level of the database of all data
− Pseudonymise at the level of the individual data record
• Multiple implementation options and approaches
− Use encryption facilities provided by data store (such as database
software)
− Using single key pair encryption for all data
− Use two key pairs encryption for all data
− Using single key pair encryption for each data record
− Use two key pairs encryption for each data record
March 28, 2018 106

How Far To Pseudonymise?
• What identifies a person
− Name
− Address
− Sex on its own does not identify a person uniquely
− Sex + Date Of Birth could
− Sex + Date Of Birth + City could further
− Image or video recording
− Recording of telephone call
March 28, 2018 107

GDPR Compliance Management
• separate system approach can be extended to provide additional
facilities for some or all of:
− Define and manage business processes that use personal data
− Log requests of various types and their processing
− Continuously monitor operational systems to identify changes in personal data
− Log details on personal data audits and DPIAs
− Data breach management
− Personal data access portal
− Case management for GDPR work with workflow and tracking
• There are software vendors that offer such compliance solutions
that provide some or all of the range of functions
− However, the market is still embryonic and the optimum approach to achieving
GDPR compliance is still uncertain
− Investing in such technologies now may be premature
− There are vendors and developers of existing software products classified as
Master Data Management (MDM) or Data Integration Hubs that offer similar
facilities that may also be used
March 28, 2018 108

• Separate compliance management system can implement
required operational processes
• Can include functions of Consolidated Personal Data
Management to hold details on where personal data is held
March 28, 2018 109
IT System 1
Person Personal
Data Field 1
GDPR
Details
Personal
Data Field 2
GDPR
Details
Person 1
Person 2
Person 3
Data Store
IT System 2
Person Personal
Data Field 1
Personal
Data Field 2
Person 1
Person 2
Person 3
Data Store
Person Personal
Data Field 1
Personal
Data Field 2
Person 1
Person 2
Person 3
Business
Process 1
Business
Process 2
Request
Manager

GDPR - Context, Principles, Implementation, Operation, Impact on Outsourcing, Data Governance and Data Ethics

GDPR - Context, Principles, Implementation, Operation, Impact on Outsourcing, Data Governance and Data Ethics

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie GDPR - Context, Principles, Implementation, Operation, Impact on Outsourcing, Data Governance and Data Ethics

Ähnlich wie GDPR - Context, Principles, Implementation, Operation, Impact on Outsourcing, Data Governance and Data Ethics (20)

Mehr von Alan McSweeney

Mehr von Alan McSweeney (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

GDPR - Context, Principles, Implementation, Operation, Impact on Outsourcing, Data Governance and Data Ethics