As GDPR enforcement approaches, companies around the world are making changes to their internal processes and systems to ensure they are compliant by May 2018. For many, getting started can be a daunting task, especially at larger organizations.
There’s no one-size-fits-all strategy for GDPR compliance, but there are some steps that every business should take:
1. Document the data and processes that power your organization
2. Assess the realistic compliance risks that you need to protect against
3. Keep your documentation up-to-date to demonstrate continuous compliance.
In this slide deck, you’ll read about a real-world example of a company that has started their compliance project and how they structured it.
A recording of this webinar is available for free here: http://bit.ly/2hMsQmu
GDPR From the Trenches - Real-world examples of how companies are approaching compliance.
1. GDPR From the Trenches
Real-world examples of how companies are approaching compliance
Magnus Valmot (Ardoq)
Simen Breen (SANDS)
Per Franzén (Telia Norge)
Ian Stendera (Ardoq)
4. Seeking legal counsel to help you structure compliance projects and assess risk
Simen Breen | Senior Lawyer | SANDS
5. How to start working with the GDPR?
The nature of the GDPR: it is not sector specific and there is no threshold for its applicability.
Work in a structured way from the beginning, and prioritize your efforts.
Before you get down to the details of the GDPR you need to know what you are doing with personal data, and you need to know what to prioritize.
6. There is no easy way out
No one-size-fits-all strategy for GDPR compliance: GDPR does not impact all businesses the same way, and the starting position is different.
Most checklists are either incomplete or so vague that they don’t really help.
First steps should be the same:
• Establish a project team
• A mapping of personal data processing activities
• A mapping of compliance with existing requirements on personal data protection, and a mapping of existing policies, documentation etc.
7. Establish a project team
• A GDPR compliance project must have sufficient internal resources to succeed
• Including the relevant people in your organization is key
• The project team needs to have basic knowledge of GDPR and the reason for doing the mapping process
• The project manager and the team must be given sufficient time and resources
• The project team should be able to make decisions without time-consuming internal processes
• External advice if necessary; legal and information security
8. Mapping the processing of personal data
• What types of personal data you process
• What are the purposes of the processing
• What are the legal bases for your processing activities
• What is the source of the data
• Where is the data and what systems are used
• Who is responsible for the processing and the data systems
• How many persons does the processing comprise
• Use of data processors
• Transfer of data out of the EU/EEA
• Activities as data processor
• How to document this?
9. Mapping of your processing activities is necessary for deciding how to go forward
• Knowing what processing of personal data the business does is necessary to fulfill the requirements in the GDPR
• Being able to understand which requirements are relevant for your business
• Being able to concretize the principles etc. into requirements
• Being able to make instructions and procedures that actually work in practice
10. Mapping of your processing activities is necessary for deciding how to go forward
• To be able to make priorities (if necessary)
• Priorities should not be made based on assessing the article in itself
• Priorities should be made considering the processing activities and the risks related thereto
• Which processing operations are high risk (to the rights and freedoms of natural persons, or legal risk) or business critical
11. Get it right from the start
• You have to structure your compliance project based on your business
▪ Your data processing is the key
▪ Current compliance status is relevant – depending on jurisdiction
• Even though the legal requirements are the same for everyone, their practical effects vary greatly
• A risk-based approach
15. EXPERIENCE FROM A PROJECT MANAGER: OVERWHELMING AMOUNT OF GDPR TERMINOLOGY AND INSTRUCTIONS
Terms shown on the slide: Data minimization, Individual Rights, Purpose limitation
- Where do I start?
- Are there any guidelines?
- How do the GDPR terminology and instructions relate, or do they?
16. “REACHING COMPLIANCE LEVEL ON GDPR IS KEY FOR OUR BUSINESS AND THEREFORE ONE OF OUR TOP PRIORITIES UNTIL JUNE 2018.”
THIS IS THE GUIDANCE FROM TELIA CORPORATE MANAGEMENT
GEM AMBITION
17. Telia Norge GDPR Compliance project (slide diagram; labels listed as recovered from the slide)
Inputs: Business Vision and Drivers - Privacy; GDPR Requirements; NO Legal Requirements; NO Privacy Strategy
Telia Company: Information Asset & Vendor management project, GSO/ITAT; Processes, services/products and IT; Asset and vendor management
Telia Norge AS: EA and IT Governance – GDPR NO; Business Architecture; Architecture Vision; Information and System Architecture; Technology Architecture
Telia Norge GDPR Compliance project – GDPR WORK STREAM (in Group Security & Privacy): Work stream management; Employee privacy; Awareness and com.; IT and enterprise architecture
Stakeholders: DPO Norway; PSG GDPR Norway
Projects and activities: Project Vega - Security; NO IT EA Governance; NO IT Architecture project; Digital Telco initiative
Development: Trust as a Service; System Dev Teams; Line org; Orderchange
Project Management and business readiness: Run Project and coordinate with Group; Align with other Projects and activities in Norway; Prepare business to operate new GDPR requirements; Transition planning and execution; Opportunities and solutions; Migration planning; Implementation; Governance
Accountable (business): B2B Management; B2C Management; OneCall Management; MyCall Management; Chess Management; HR Management; Procurement Management; Legal / Privacy Management; Technology Management; Security Management
Privacy Policies and Objectives; Input change (EPICs) - Observations; Privacy Requirements, Guidance, Plans, Architecture principles; GSO Deliverables
GDPR IT Project
IN JANUARY 2017 I STARTED STRUCTURING THE PROJECT, AFTER WHICH WE SPENT 2 MONTHS ON THE AS-IS ANALYSIS, AND 1 MONTH ON GAP ANALYSIS
18. AFTERWARDS I REALIZED THAT GDPR RIGHTS AND PRINCIPLES ARE BASED ON THE MANAGEMENT OF CUSTOMER AND EMPLOYEE PERSONAL DATA
Diagram labels: Resources (OSS, BSS, Portal); Employee; Customer; Portal; GDPR; Individual rights; Authority; CLI; DataBase; Privacy Data; Governance; Data protection principles; Telia Norge AS; Partners; Data Processors; Employee; Accountability
19. BUSINESS ARCHITECTURE – HOW DOES GDPR RELATE TO TODAY’S OPERATIONS?
Diagram labels: Accountability; Purposes; Legal grounds; Customer; Employee; Privacy Data - BO; Business Process Roles; Processes; Systems (OSS, BSS, Portal); IT System Roles; GDPR Individual rights functionality; GDPR Data protection principles functionality; Legal requirement; TM Forum eTOM L3; Performance of contract; Legitimate interests; Individual’s consent; IT System Roles in IdM; GDPR Privacy Data; Will be defined by GDPR Project (three elements); Privacy by Design - Policies
20. ACCOUNTABILITY IS CENTRAL – TARGET ARCHITECTURE QUALITY SYSTEM (NOW BUILT IN ARDOQ)
Common Information Model: single consistent representation for all management data
Diagram labels: Management Data (AS-IS); Accountability GDPR; GDPR law; Management Data (TO-BE); Controls (Gap); Observations
21. THE MODEL WE USE FOR WORKING IN ARDOQ
Diagram labels: AS-IS; GDPR compliance; TO-BE (three elements); Observations
24. HOW WE LINK THE REGULATION TO TELIA NORGE’S DAILY OPERATIONS
25. WHY DO WE USE ARDOQ AND NOT EXCEL?
1. Value adding
• When we first gather so much information, it should be usable across the organization
• Our IT solution to provide automated GDPR Individual rights and related GDPR Data protection principles uses Ardoq as a Policy/Rule engine
2. Maintenance – keeping information up-to-date continuously
• Ardoq has support for automating via integrations (input and output) and simplifies manual documentation
• We can automate Controls (Gaps) to verify compliance with GDPR (Observations)
• GDPR training for personnel will use data from Ardoq and will be personalized
3. Traceability
• We need to be able to trace how everything is connected and how the elements impact each other
• We now have an AS-IS status of the relations between data elements in the CIM and can run predefined queries
34. Think Structured: handling attendees’ personal data

| Org Unit | Personal Data Captured | Sensitive Data? | Processing Purpose | Source | Lawful Basis | Systems handling personal data | System Owner | # of Data Subjects | Transferred externally? | Handled outside of EU? |
|---|---|---|---|---|---|---|---|---|---|---|
| Marketing | Name, Email, Telephone (optional), company | No | Manage Attendee Registration | Eventbrite webform | Consent | Eventbrite, Prosperworks, Excel | Marketing / Sales | 50 | Yes, systems are cloud SaaS solutions | No |
| Marketing | Name, Email, Telephone (optional), company | No | Send Thank You and Presentations | Eventbrite webform | ? | MailChimp | Marketing | 50 | Yes, systems are cloud SaaS solutions | No |
| Marketing | Name, Email, Telephone (optional), company | No | Register for Webinar | Eventbrite webform | Consent | Eventbrite | Marketing | 50 | Yes, systems are cloud SaaS solutions | No |
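Slide 25 says the project automates "Controls (Gaps)" that produce "Observations", and slide 34 shows the inventory those controls would run over. The following is an added example, not code from the deck, Telia Norge or Ardoq: a minimal rule engine in Python that runs controls derived from the slide-8 mapping questions (lawful basis, responsible owner, data processors, transfer outside the EU/EEA) over inventory records shaped like the slide-34 table. The class and field names, the control names, and the `INVENTORY` records are constructed for this example; the three records mirror the three table rows, so the row whose lawful basis is still "?" is the one that produces an observation.

```python
"""Added example (not from the deck): a small rule engine that runs
controls over a personal-data processing inventory shaped like the slide-34
table and emits observations (gaps). All names are constructed for this
example; the INVENTORY records mirror the three rows of the slide-34 table."""
from dataclasses import dataclass
from typing import List, Optional

# Lawful bases named in the deck (slide 19). A "?" or empty value in the
# inventory means the basis has not been established yet.
KNOWN_LAWFUL_BASES = {"consent", "performance of contract", "legitimate interests"}


@dataclass
class ProcessingActivity:
    org_unit: str
    personal_data: List[str]
    sensitive: bool
    purpose: str
    source: str
    lawful_basis: Optional[str]      # None or "?" when not yet documented
    systems: List[str]               # systems (often data processors) handling the data
    system_owner: Optional[str]
    data_subjects: int
    transferred_externally: bool
    outside_eu: bool


@dataclass
class Observation:
    activity: str   # purpose of the activity the gap was found in
    control: str    # which control fired
    detail: str


def check_activity(a: ProcessingActivity) -> List[Observation]:
    """Run every control against one inventory record and return the gaps."""
    obs: List[Observation] = []
    basis = (a.lawful_basis or "").strip().lower()
    # Slide 8: "What are the legal bases for your processing activities"
    if basis not in KNOWN_LAWFUL_BASES:
        obs.append(Observation(a.purpose, "lawful-basis",
                               f"lawful basis missing or undocumented: {a.lawful_basis!r}"))
    # Slide 8: "Who is responsible for the processing and the data systems"
    if not a.system_owner:
        obs.append(Observation(a.purpose, "system-owner", "no responsible owner recorded"))
    # Slide 8: "Use of data processors"; an external transfer with no system
    # listed cannot be traced to a processor
    if a.transferred_externally and not a.systems:
        obs.append(Observation(a.purpose, "data-processors",
                               "transferred externally but no handling system/processor listed"))
    # Slide 8: "Transfer of data out of the EU/EEA" must be mapped and justified
    if a.outside_eu:
        obs.append(Observation(a.purpose, "eu-eea-transfer",
                               "data handled outside the EU/EEA; transfer mechanism must be documented"))
    # Sensitive data is routed to legal review regardless of the other answers
    if a.sensitive:
        obs.append(Observation(a.purpose, "sensitive-data",
                               "sensitive data captured; needs legal review"))
    return obs


def run_controls(inventory: List[ProcessingActivity]) -> List[Observation]:
    """Run all controls over the whole inventory."""
    return [o for a in inventory for o in check_activity(a)]


_ATTENDEE_DATA = ["Name", "Email", "Telephone (optional)", "company"]
_SAAS = True  # slide 34: "Yes, systems are cloud SaaS solutions"

# Constructed from the three rows of the slide-34 table
INVENTORY = [
    ProcessingActivity("Marketing", _ATTENDEE_DATA, False, "Manage Attendee Registration",
                       "Eventbrite webform", "Consent", ["Eventbrite", "Prosperworks", "Excel"],
                       "Marketing / Sales", 50, _SAAS, False),
    ProcessingActivity("Marketing", _ATTENDEE_DATA, False, "Send Thank You and Presentations",
                       "Eventbrite webform", "?", ["MailChimp"], "Marketing", 50, _SAAS, False),
    ProcessingActivity("Marketing", _ATTENDEE_DATA, False, "Register for Webinar",
                       "Eventbrite webform", "Consent", ["Eventbrite"], "Marketing", 50, _SAAS, False),
]

if __name__ == "__main__":
    for o in run_controls(INVENTORY):
        print(f"[{o.control}] {o.activity}: {o.detail}")
```

Each control maps back to one of the slide-8 mapping questions, so an observation tells the project team which inventory field is incomplete rather than which GDPR article was "failed", which is the risk-based prioritisation slide 10 asks for. Because the controls read only structured fields, the same checks can be re-run whenever the inventory changes, which is the continuous-compliance point made in slide 25.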