• Slide 1

    There is a rush to solve the GDPR problem. However, it is important to choose the right approach at the right time, with the right process and above all the right competence and certification, to be able to implement the whole range of GDPR articles. The GDPR is a regulation (directly applicable in every member state), not a directive, and it is a strong data protection law. It gives data subjects more control over their data, and it introduces new obligations for data controllers, processors and organisations in general. The EU GDPR applies from 25 May 2018.
  • Slide 2

    GDPR is about systems and technology as much as business processes; all of them are critical when implementing GDPR. That the implementation will bring sweeping changes to organisations is no secret as soon as the 99 articles of the Regulation are read (they will be sent as part of the reading material).

    This presentation is neither about the technical implementation nor about the legal issues; it focuses primarily on managing a GDPR project in the implementation phase, i.e. on the HOW.
  • Slide 3

    - Ideas and best practices for implementing policies and controls to comply, what the GDPR means in practice, implications for the business
    - Recipes with practical steps for the GDPR compliance journey: methodologies, how to start, what needs revising, a theory-to-practice approach
    - Motivation: energy to simplify this process, get support from other functions, deal with the GDPR implications as a doer

    Course content:
    The background of the EU GDPR and its significant terminology.
    The fundamental differences between the Data Protection Act and the EU GDPR.
    The data subject's rights over their personal data.
    Procedure for processing subject access requests (access to personal data).
    GDPR privacy rules; marketing requirements, breaches and summary.
    The implementation track to EU GDPR compliance:
    • Privacy by Design and by Default
    • The what, when and how of Privacy Impact Assessments (PIA)
    • Data audits
    • Training and competence requirements
    • Incident response and breach reporting
    • Updating policies and procedures
    International data transfers.
    Multijurisdictional and territorial scope of the EU GDPR.
  • Slide 4

    Are you in the right seminar? If you answered "yes" to at least one of these questions, you should continue this self-study class.

    Even if your business is not in the EU, you may have to be GDPR compliant.
    Organisations located outside the EU that do business in the EU, and above all handle EU data subjects' data, should be prepared to comply with the GDPR. Those that provide goods or services to EU customers, or process their data in any manner, must also be prepared to face the long arm of the GDPR, not only when an incident is reported or a breach takes place, but for all of their processing.

    The GDPR extends the scope of current EU data protection legislation, most notably in that it now applies directly to processors, and to companies based outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.
  • Slide 5

    The key changes introduced by the Regulation
    • The GDPR introduces several key changes for the organisation.
    • The current DPD (Data Protection Directive, 95/46/EC) has been in place for over twenty years;
    • it sets a minimum standard for data protection law in the EU, transposed differently in each member state.
    • Many member states have gone significantly further to protect personally identifiable information (PII).
  • Slide 6

    Understanding the transition and changes from DPD to GDPR
    Two primary concerns before ensuring compliance with the GDPR principles:
    Understanding the full scope of the principles under the GDPR. The DPD is limited and vague, while the GDPR is broader and updated (e.g. accountability, transparency).
    Ensuring that all distinctions between the DPD and the scope of the new GDPR articles are identified and understood.
  • Slide 7

    Focus on project management, inspired by ISO continuous improvement: process driven, you can start from the step where you are now, and it is easy to sell internally.

    It gives the practicalities of implementing a GDPR compliance programme.

    Ideas for achieving, maintaining and improving GDPR compliance. The Copenhagen Compliance Framework and Roadmap (without narratives) is available on request.
  • Slide 11

    Another option to do a planning exercise could be:
    Step 1: Gap analysis
    Step 2: Risk analysis
    Step 3: Project steering and resource/budget planning
    Step 4: Implementation of an integrated data protection structure
    Step 5: Local Add-on Requirements

    Cleaning house is important.
    Identifying opportunities for data minimisation. Data minimisation, the practice of limiting the personal data collected to the bare minimum required for the purpose, is explicitly required by the Regulation, in Article 5(1)(c):
    "The personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation')."
    To determine exactly what personal data is required for a purpose, it helps to look at the higher-level context. For example, if a web application requests users' physical address during the payment process, look at which systems it is transferred to and which business requirement that piece of personal information satisfies, both to determine whether the information is truly necessary and, if so, to have documentation demonstrating that in case of a data audit.

    We will provide a GDPR privacy policy template upon request.
  • Slide 12

    All of these DO points will be covered in the presentation, however it is good to know the sequence of priorities.
  • Slide 13

    The DPIA identifies a set of risks unique to personal data or the data subject's rights. The risk management program then places them in categories and analyses these risks and determines an appropriate response. This is all part of the privacy compliance framework.

    Ensure that the DPIA methodology provides the outputs that can be turned into preventive measures and applied to the processing design from the very start.

    Training see slide 108

      Regular supply chain reviews and audits will be required to ensure they are fit for purpose under the new security regime.
  • Slide 14

    ISO 27001: a framework that can be certified against, aimed at safeguarding the confidentiality, integrity and availability of all information (personal or not).
    Vision: GDPR compliance needs a "meta framework" for managing data.
    The roadmap follows the ISO components. How are data protection and privacy interconnected? Data protection is needed for privacy.
  • Slide 15

    1. Lady Olga has tried to get the CISO on board for the last four years on 3 continents,
  • Slide 16

    Repair or rebuild strategy.

    Answer these questions based on a company you have in mind and write down how you will enforce the above 7 actions. (write an essay)
  • Slide 17

    It is a key factor to mention in the training, even though it is neither legal nor IT related: support for a budget, help from other departments (HR, Marketing), political backup. Trying to sell a GDPR programme only as a way to avoid fines does not work. Cybersecurity projects have been sold on fear, and they do not always work.
  • Slide 18

    You cannot embark on a GDPR implementation programme without top-level support.
  • Slide 19

    The GDPR focus will be on the importance of documenting your organization’s data processes and architecture (use a GDPR documentation tool). Accurate documentation of the systems and processes handling user data will help you identify areas where you may or may not be compliant with GDPR, and in the future, serve as a reference in case of audit.
  • Slide 21

    Avoiding fines is important, but there are other business needs that support a GDPR compliance project:
    protecting the reputation, because employees and customers have confidence in how their personal data is handled. GDPR is important because:
    It's the biggest shake-up of the rules surrounding data protection since 1998.
    • It's a regulation that is relevant to all organisations, irrespective of size or sector
    • If you get it wrong, you could face fines of up to 20 million Euros or 4% of annual worldwide turnover, whichever is higher
    • Accountability is at the heart of the regulation
    • You will need a lawful basis for every processing operation; consent is only one of the six bases, and where you rely on it you must be able to show it was freely given
    • You can't "outsource" the requirements (both data controllers and processors are impacted)
    • You need a clear process for managing data breach incidents
    • You'll need to decide who your Data Protection Officer is, probably not you!
  • Slide 22

    When a breach occurs, the most damaged areas for the business are reputation, revenue and repeat business. Protecting these means having strong controls in place to prevent the breach, and clear communications if (when) it happens. The GDPR requires a breach to be notified to the supervisory authority within 72 hours of becoming aware of it (Article 33), and to the affected data subjects without undue delay where the breach is likely to result in a high risk to them (Article 34). A strong protection process allows the business to establish quickly what happened, to control what and who needs to be notified, and to limit the potential damage.
  • Slide 23

    Canadian company under PIPEDA.

    They were extorted before the leak.
    Cybercriminals: possibly a former employee, using VPN access (the password was shared with everybody and stored in Google Drive).

    The Adult Friend Finder breach involved 412m accounts.
  • Slide 25

    The GDPR introduces the role of a 'data protection officer', who should be an individual with expert knowledge of data protection law and the ability to fulfil the tasks set out in the GDPR.

    The appointment of a data protection officer (DPO) will be mandatory for certain organisations.

    Article 37 of the GDPR states that data protection officers must be appointed by all public authorities. A DPO will also be required where the core activities of the controller or the processor involve "regular and systematic monitoring of data subjects on a large scale", or where the entity conducts large-scale processing of "special categories of personal data". (Article 35, often confused with this, is the article on data protection impact assessments.)

    Organisations whose core activities do not involve such processing are not obliged to appoint a DPO, although they may do so voluntarily.

    The GDPR does not specify the credentials necessary for data protection officers, but does require that they have "expert knowledge of data protection law and practices".
  • Slide 27

    Independent (not necessarily internal): can be outsourced to a consultancy or legal firm, shared with other entities, can be an existing employee, part of the GRC department, independent from the business functions.
    Incompatibilities: the DPO ensures compliance, but does not deliver it (no conflict of interest with the functions that decide on processing).
    Large scale: views differed during the legislative proposal (from "more than 250 employees" to voluntary). Interpretation is left to the national authorities (in Spain: large or medium risks).
  • Slide 28

    Independent (not necessarily internal): can be outsourced to a consultancy or legal firm, shared with other entities, can be an existing employee, part of the GRC department, independent from the business functions, full or part time.
    Incompatibilities: the DPO ensures compliance, but does not deliver it (no conflict of interest with the functions that decide on processing).
    Large scale: views differed during the legislative proposal (from "more than 250 employees" to voluntary). Interpretation is left to the national authorities (in Spain: large or medium risks).
  • Slide 29

    Ask participants to talk and share their challenges. It is important for networking.
    If you have a DPO, you must communicate their contact details to the supervisory authority.
    The controller develops an explicit and documented policy on the protection of personal data, based on the organisation's compliance needs. The DPO monitors compliance with the Regulation and with the policies of the controller or processor in relation to the protection of personal data (GDPR, Article 39(1)(b)). Because of this relationship between policy and compliance, the DPO will monitor the organisation's compliance with its own policy as part of ensuring overall compliance.
  • Slide 30

    Material scope
      Any framework applies to a specific scope: the area of the organisation and its operations that fall within it. For the purposes of compliance, the scope of the framework must be directly informed by the requirements of the Regulation, which is described in Article 2:

      This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

    Territorial scope
      The GDPR is explicit (Article 3(2)) in saying that it applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

      (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

      (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
  • Slide 31

    Objective for this step: set the general strategy.
    Two strategies: can I repair the existing privacy system and improve it for GDPR compliance, or do I need to build something completely new?
    For repair: we added the "new" icon for significant changes from the existing legislation.
  • Slide 32

    - Paper filing systems and electronic data in databases, servers, spreadsheets
    - Living persons only: not the dead or unborn; legal persons are not covered
    - Identifiability: the degree to which the personal information can be associated with the natural person
    - Personal information = personal data
    - Identifiers: account numbers, PINs, passwords, voice scans and credit card numbers
  • Slide 33

    Let's play a game: you can identify any person... if you have the proper identifiers.
  • Slide 35

    Fewer and fewer people...
  • Slide 36

    A combination of several attributes taken together can distinguish this natural person from other natural persons. For instance, the combination of the attributes "female", "45" and "lawyer" can be sufficient to identify a natural person within a particular company, but will often be insufficient to identify that natural person outside of that company.
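    The re-identification check described above, as an added example that is not part of the original slides: given a table of records, count how many people share each combination of quasi-identifiers (sex, age, role, site). A combination shared by exactly one record singles that person out; the smallest class size is the table's k-anonymity. The staff directory is constructed for the demo (not real people), and the generalisation step (replacing exact age by a decade band) shows the usual mitigation.

```python
from collections import Counter

# Constructed sample: a small internal staff directory (fictional people).
STAFF = [
    {"name": "A. Jensen",  "sex": "female", "age": 45, "role": "lawyer",   "site": "Copenhagen"},
    {"name": "B. Olsen",   "sex": "male",   "age": 45, "role": "lawyer",   "site": "Copenhagen"},
    {"name": "C. Larsen",  "sex": "female", "age": 31, "role": "engineer", "site": "Copenhagen"},
    {"name": "D. Nielsen", "sex": "female", "age": 38, "role": "engineer", "site": "Aarhus"},
    {"name": "E. Hansen",  "sex": "male",   "age": 52, "role": "engineer", "site": "Aarhus"},
    {"name": "F. Madsen",  "sex": "male",   "age": 52, "role": "engineer", "site": "Aarhus"},
]


def equivalence_classes(records, quasi_identifiers):
    """Count how many records share each combination of quasi-identifier values.

    The name column is deliberately never part of the key: the point is that the
    *other* attributes, taken together, can still single a person out.
    """
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers):
    """Smallest class size. k == 1 means at least one person is uniquely identifiable."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def unique_combinations(records, quasi_identifiers):
    """The quasi-identifier combinations that match exactly one person (sorted for stable output)."""
    classes = equivalence_classes(records, quasi_identifiers)
    return sorted(combo for combo, n in classes.items() if n == 1)


def generalise_age(records, bucket=10):
    """Generalisation: replace the exact age by a band such as '40-49' to enlarge the classes."""
    out = []
    for r in records:
        lo = (r["age"] // bucket) * bucket
        out.append({**r, "age": f"{lo}-{lo + bucket - 1}"})
    return out


if __name__ == "__main__":
    qi = ("sex", "age", "role")
    print("k =", k_anonymity(STAFF, qi))
    for combo in unique_combinations(STAFF, qi):
        print("singles out one person:", combo)
    print("after age generalisation, k on (age, role) =",
          k_anonymity(generalise_age(STAFF), ("age", "role")))
```

    The same function run over the whole population instead of one company gives larger classes for the same attributes, which is exactly why "female, 45, lawyer" identifies someone inside the firm but not outside it. Adding a further attribute (site) shrinks the classes again, so a data map should record which columns are quasi-identifiers, not only which ones are names or numbers.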
  • Slide 37

    The opposite of identifiable data is anonymous data, which is not covered by the GDPR.

    'Personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Slide 38

    Pseudonymisation: the GDPR presents pseudonymisation as a method of securing personal data (Articles 25 and 32). Given the emphasis placed on it, it is safe to assume that the legislator considers it one of the better ways of protecting personal data. Note that pseudonymised data is still personal data as long as the additional information needed to re-identify the subject exists somewhere.
    The existence of appropriate safeguards, which may include encryption or pseudonymisation.
  • Slide 39

    Using an alias. Clarify that if an attacker steals one database from any server, they cannot link the records back to the data subjects, because the key or lookup table needed to reverse the pseudonyms is held separately.
    Pseudonymisation and encryption, for instance, would be valid measures, as would restricting access to such information on the basis of role and the requirements of a given set of procedures.
    Pseudonymisation is one solution for storing personal data, but presents its own issues with regard to usability. If that personal data must be regularly processed in identified form, the time spent reversing the pseudonymisation may be onerous or represent a poor ROI.
  • Slide 40

    Clarify that if an attacker steals one database from any server, they cannot link the records back to the data subjects without the separately held key.
    Strong encryption does not take personal data out of the scope of the GDPR: the controller still holds the key, so the data remains personal data. What it does is reduce the risk, and under Article 34(3)(a) a breach of data that has been rendered unintelligible to the attacker (e.g. properly encrypted, with the key not compromised) need not be communicated to the data subjects.
    Data can be encrypted, or the direct identifiers split off into a separate database, to prevent identification of the data subject from any single data set.
    In order to maintain security and to prevent processing in infringement of the Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption!
  • Slide 41

    Explain that phone numbers and personal and work addresses are not sensitive (special category) data, although they are still personal data.
    Examples of biometrics: fingerprints to open a door at the company, facial recognition to unlock a company computer.
    Implications: processing is prohibited unless an Article 9 exception applies, explicit consent being the most common; such data should not be used for automated decisions (automatic refusal of an online credit application, e-recruiting practices).
    Sensitive personal data requires explicit consent.

    Some information is naturally sensitive, such as medical information and political allegiances; the "special categories of personal data" are always sensitive. Less sensitive information can have secondary uses or become significantly more sensitive in context. For instance, possession of both the data subject's national identification number and their mother's maiden name could be used to gain access to more sensitive information and commit fraud or identity theft.
  • Slide 42

    Personal data can be stored in both digital and analogue form, and in several locations simultaneously, so it is important to track all sites that store personal data across the organisation and its databases.

    For data stored in a database, it should be relatively straightforward to record when consent was given, so that it can be reconciled against the data collected and the individual processes.
  • Slide 43

    These are the hidden databases
  • Slide 44

    Also a game plan.
    Go through the chart step by step and write a couple of paragraphs on the scope of one or more of the headings.
  • Slide 46

    Ask participants to talk and share their challenges. It is important for networking
    Talk about customer services
  • Slide 47

    Clarify that both internal and external information should be mapped (e.g. personal information held by vendors).
    There are more questions we may need to add: From whom is the data collected?
    • Why is the data being collected? • How is the data being processed?
    • What is the legal basis for each processing operation?
    • How long is the data retained? • Who has access to the data?
    • Where and to whom is the data being transferred?
  • Slide 48

    Take note of all misunderstandings in defining personal data, for later clarification in employee training.
    Use a single repository (e.g. a shared document) so that different departments can populate it and relate their information.
    Understand the future business and IT plans (system roll-outs, opening operations in other countries, IT shared-service offices created in other countries, ...).
  • Slide 49

    The 5 Ws in data mapping.

    The definition of personal data in the GDPR is broad, which brings additional data into the regulated sphere.
    Several other factors can be used to identify an individual (data subject): their genetic, mental, economic, cultural or social identity, etc. Companies should therefore take measures to reduce the amount of personally identifiable information (PII) they store in their databases, repositories or data inventory. Above all, companies must ensure that PII is not stored for longer than necessary.
  • Slide 50

    Clarify: simple template; you can add more useful fields: consents, access rights, sensitive or not, source (how the information was obtained), where the data is stored (cloud, disk partition, SaaS, hard copies, physical location). The IT department may already have a data inventory to start from. Also, invite the person who will continue updating this inventory to learn how to complete it.
  • Slide 54

    2.8 Technical solutions favoring privacy
    The Court of Justice of the European Union has implemented the following technological solutions which respect privacy:
    - The viewpoints and the camera lenses have been chosen to cover only the areas to be monitored;
    - The areas of the buildings where the expectation of privacy is even higher are not monitored by cameras;
    - Specific software, a user profile and a password are required for the persons authorised, that is to say a small number of members of the Security and Safety Section, to access the images recorded;
    - All activity on the system is recorded (recording of the activity and the relevant active user).
  • Slide 55

    2.8 Technical solutions favoring privacy
    The Court of Justice of the European Union has implemented the following technological solutions which respect privacy:
    - The viewpoints and the camera lenses have been chosen to cover only the areas to be monitored;
    - The areas of the buildings where the expectation of privacy is even higher are not monitored by cameras;
    - Specific software, a user profile and a password are required for the persons authorised, that is to say a small number of members of the Security and Safety Section, to access the images recorded;
    - All activity on the system is recorded (recording of the activity and the relevant active user).
  • Slide 57

    The 3 P's (Path, Processing and Payload) and GDPR
    Several GDPR articles, when implemented, might tell you something you didn't already know about your organisation.
    Article 30 (each controller shall maintain a record of processing activities under its responsibility) is one of them. It isn't a data map. Organise your records of processing around purpose rather than data flow and you'll be on the right path to meeting this obligation. However, if you don't know the data flow into, through and out of the organisation, you don't know whether the data is being used for the right purposes. Using data only for specified purposes is Article 5 rather than Article 30, but either way you have to know your 3 P's (Path, Processing and Payload).

      Some organisations get stuck creating registers at the level of "every object in the data set" and sigh over the burden the GDPR puts on them. While it may be a useful exercise, it is not what Article 30 asks for: a processing activity does not always equal a data stream.
  • Slide 59

    http://www.wired.co.uk/article/wetherspoons-email-database-gdpr
  • Slide 60

    http://www.wired.co.uk/article/wetherspoons-email-database-gdpr
  • Slide 62

    The organisation's privacy policy should reflect its adherence to the Principles and make specific reference to its compliance with them. As described earlier, the privacy policy also needs to identify the organisation's independent recourse mechanism, to inform data subjects of the process for lodging a complaint or seeking another form of recourse. The privacy policy should then be made publicly available, potentially as a physical copy if your organisation doesn't have a public website.

    The formal data protection and privacy policy is of interest to potential partners and clients. Article 13 of the GDPR lists what information should be provided whenever personal data is collected from the data subject, such as the identity and contact details of the controller, any relevant DPO, and whether the controller intends to transfer the personal data to a third country or international organisation.

    The privacy policy should also provide the additional information needed for fair and transparent processing, such as the retention period, the data subject's rights (e.g. the rights to access, erasure and restriction of processing), the right to withdraw consent (where applicable) and the right to lodge a complaint with a supervisory authority.
  • Slide 63

    A privacy policy that is available to the public should be a primary consideration for ensuring that processing abides by the principles of the Regulation. A publicly available policy supports transparency, allows customers and partners to assess it, and provides a clear statement against which supervisory authorities and other regulators can assess compliance.
  • Slide 64

    Remember to publish these policies (Company intranet, distribute by email, involve vendors and consultants).
    Organizational: Policy
    Operational:
    General IT policy
    Policies and guidelines for the handling of personal data - preferably arranged by type (e.g. employee data, customer data, etc. ) - to lay down your rules on collection, regular processing, erasure, blocking, etc.
    Duty of disclosure procedures
    Policy for the handling of requests for access to data - should be drafted in such a way that it can be read by third parties
    Policy for the handling of other rights of data subjects
    Handling of international data transfers
    Procedure for the handling of security breaches, including the duty of notification to the Danish Data Protection Agency from 25 May 2018 onwards
    Handling of data processing agreements - when to have them, how to draft them, etc.
    Guidelines on the use of cloud-based solutions and/or services from IT suppliers in general
    Privacy policy for the company's website
  • Slide 67

    Antivirus should scan all drives for malware
    Actively manage the reuse and disposal of removable media:
  • Slide 68

    Ideas to improve personal information security?
    E.g. moving encrypted servers with personal information from one data room to other during a move
  • Slide 69

    Scope, consent and data portability are the biggest GDPR worries.
    The most significant concern for many teams is the GDPR's requirement for explicit consent, not only for the primary purpose but also for secondary processing.
    The concern over consent frequently stems from the often misplaced idea that consent is required to provide the lawful basis for the processing of personal data. Consent is only one of six lawful bases; the key question is whether the data should be used at all, and on which basis:

      'explicit consent' for sensitive data and for international transfers
    Link the consents to the personal data inventory
    Confirm that the consents are clear and transparent
    Update the data subject rights procedures
    Audit how the consents are documented and retained

      Another big issue for concern is the right to data portability, as only the telecom, energy and financial sectors have some experience of it. Organisations are struggling to come to grips with how data portability will work and what technological and process changes are needed to make it possible.

      Lessons from the SOX implementation, interpretation and enforcement
    The GDPR defines the scope in one way, the current guidance from most regulators widens it, and the European Commission has recently said that the regulators have gone too far. Management and the DPO are then confronted with the problem of deciding whom to follow and which GDPR components are in scope. The decision matters because of the enormous and differing cost implications. The same was the case for SOX implementation, interpretation and enforcement action in the good old days.

      When mapping the data you find where your data and databases are stored, understand the contents, and sometimes discover an opportunity for new services or products. It is therefore critical for GDPR staff to go to GDPR workshops, seminars and boot camps to see the pitfalls of this so-called harmonised regulation, get precise definitions and sort out the risks. Because of the multijurisdictional reach of the GDPR, it is both a threat and a challenge for global or pan-European companies operating across Europe to know exactly how the regulation will play out in the different countries.

      But the above GDPR issues are no excuse not to streamline the GDPR technicalities, address the IT security risks and challenges, and nail information governance, risk management and compliance once and for all.
    https://iapp.org/news/a/european-commission-experts-uneasy-over-wp29-data-portability-interpretation/
    Repair or rebuild strategy
  • Slide 70

    Clarify that the review of who may enter and alter information is usually covered by IT specialists and auditors, but the right merely to view data is a secondary issue for those departments. Involve the DBAs (database administrators).

    Limit access
    Process access requests

    Required capabilities:
    - responding to subject access requests within the allowed time frame;
    - restoring the availability of and access to personal data promptly in the event of a physical or technical incident.
    Risks: poor access control
    Rights of data subjects
  • Slide 72

    The database scripts are a series of command-line scripts that dump, erase, restore and merge databases. They are specifically set up to work best when developing within a version-controlled environment.
  • Slide 73

    Article 5
    No changes to the basic principles:
    Lawfulness, fairness and transparency: processed lawfully, fairly and in a transparent manner.
    Purpose limitation: collected for specified, explicit and legitimate purposes (e.g. provision of goods or services, direct marketing, compliance with legal obligations) and not further processed in a manner incompatible with those purposes.
    Data minimisation: adequate, relevant and limited to what is necessary.
    Accuracy: kept accurate and up to date.
    Storage limitation: not kept, any longer than necessary, in a form which permits identification of a data subject.
    Integrity and confidentiality: appropriate security ensuring protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
  • Slide 74

    Embedding accountability for the data controller may be difficult if the GDPR is not implemented correctly, because you are asking the employee to be accountable for the suppliers' actions. Building a corporate culture that believes in the virtue of data protection, and in which responsibility and accountability are corporate values, will therefore often be the difference between success and failure.
    An employee who feels they own the corporate relationship with the processor, or have a duty to protect the information in question, should be encouraged to regard it as a matter of professional pride to ensure that personal data is protected.

      A culture of accountability must be fed from the top. It is very easy for an employee to feel no sense of responsibility if senior managers and the compliance manager do not show the same level of ownership and dedication. Training and staff awareness programmes should be developed to ensure that all staff understand their various duties and responsibilities in relation to privacy and data protection.
  • Slide 75

    Review and assessment of the necessity and proportionality of processing all of the data is a must.
  • Slide 76

    This final principle requires organisations to process personal data "in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage".
    Gaining consent is one way of ensuring that your processing is lawful (in accordance with the first principle), so the Regulation has strict conditions to make sure that consent is fairly obtained and not abused.
    If processing is lawful on other grounds, then you do not need to obtain consent at all, not even from a child (the Article 8 rules on children's consent only apply where consent is the basis relied on).
    However, the GDPR (Recital 63) says that data subjects should have the right of access in order to "be aware of, and verify, the lawfulness of the processing".
  • Slide 77

    Access: the first copy is free; a reasonable fee based on administrative costs (€10/20?) may be charged only when a request is manifestly unfounded or excessive, particularly if it is repetitive (Article 12(5)). One month to respond, extendable by two further months where requests are complex or many requests are received (Article 12(3)).

    The GDPR requires you to provide data subjects with access to their information; this can quickly become a privacy risk. If you suffer a business continuity incident and cannot provide data subjects with that access for any extended period, you're not just suffering from your own loss of access, you're also inhibiting the data subjects' ability to exercise their rights.
    The right to rectification: Article 16 of the GDPR states that "the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her". Inaccurate data includes incomplete data.
    The right to erasure ("right to be forgotten"): under Article 17 of the GDPR, data subjects can request that their information is erased, for instance if they withdraw consent or if there is an issue with the underlying lawfulness of the processing.
    The right to restriction of processing: under certain circumstances (e.g. while the accuracy of the data is contested, or where the processing is unlawful but the data subject prefers restriction to erasure), data subjects can require controllers to stop processing their data beyond merely storing it (Article 18).
    The right to notification: this is not a right that data subjects themselves actively exercise. Rather, it is the controller's duty to ensure that the data subject is notified of specific activities, and that recipients of the data are notified when the data subject exercises rectification, erasure or restriction in a manner that is relevant to them (Article 19).
    The right to data portability: ensures that the data subject can obtain the data they provided to the controller in a structured, commonly used and machine-readable format, and can transmit it to another controller (Article 20). For instance, if the data subject is trying to change banks, they will be able to readily obtain the pertinent information that their new bank needs.
    The right to object: under the GDPR, once a data subject objects, the onus is on the controller to demonstrate "compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims" (Article 21).
  • Slide 79

    Ask participants to talk and share their challenges. It is important for networking
    Talk about customer services
  • Slide 83

    Both apply to vendors, employees, visitors, customers,…
    When obtaining personal data, the controller shall provide the data subject with the following information (Privacy Notice):
    - the identity and contact details of the controller and their representative;
    - the contact details of the data protection officer;
    - the purposes of the processing as well as the legal basis for the processing;
    - the legitimate interests pursued by the controller or by a third party;
    - the recipients or categories of recipients of the personal data, if any;
    - the fact that the controller intends to transfer personal data to a third country and the existence of adequacy conditions.
  • Slide 84

    Written in plain language: explicit purpose of processing, identity of the controller and recipients of the data, scope and consequences of processing, list of rights
    Specific consents for processing sensitive data
    Presented separately from terms and conditions and contracts
    Genuine choice to withdraw at any time
    Renewed when the use of the data changes
    With parental authorisation below the age of 16
    Given by a statement or a clear affirmative action: silence, pre-ticked boxes, failure to opt-out, and inactivity are inadequate
  • Slide 85

    Other means: answering yes to a clear oral consent request; volunteering optional information for a specific purpose, e.g. filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box
  • Slide 87

    Example of a seminar. Questions on the use of data. Based on the answers we could almost not conduct the seminar. Silly questions: to promote healthy foods, could we inform the participants that ABC was a vegetarian? Each had to sign in with inexplicit links of consent.
  • Slide 88

    Example of a consent declaration for candidates. Even if there is no contract in place, consent is needed because it is a necessary step to get a contract.
  • Slide 89

    Consent declaration *
  • Slide 90

    2 months more means 3 months in total
    When time is extended, we need to explain the reasons to the data requester
  • Slide 91

    Importance of using a standard form
  • Slide 92

    Information proliferates, it is always being copied and transmitted.
    Special arrangements exist to make data transfers between the USA and EU possible
    The controller has assessed all the circumstances surrounding the data transfer and provided suitable safeguards to the protection of personal data.
    Cloud services may transmit data to a third country; however, the controllers will still need to meet the usual requirements of the Regulation (legitimate reason, asserting the data protection principles, controls or measures to protect the personal data), use model contract clauses approved by the Commission, and inform the data subject of the transfer of their data.
  • Slide 93

    Simplified actions. Which personal information is scoped by the GDPR? Data processed wholly or partly by automated means.
  • Slide 94

    Data processor responsibilities
    Data processors will have direct legal obligations and responsibilities, which means that processors can be held liable for data breaches. Contractual arrangements will need to be updated, and stipulating responsibilities and liabilities between the controller and processor will be a requirement in future agreements. Parties will need to document their data responsibilities even more clearly, and the increased risk levels may impact service costs.
  • Slide 96

    Key: where the personal data is processed is irrelevant
    Nationality or habitual residence is also irrelevant
  • Slide 97

    If the data processor is not established in the EU, it must appoint a representative based within the territory of the EU (unless the processing is occasional, small-scale and does not involve Sensitive Personal Data.) Under the GDPR a representative may be liable for the controller's failure to comply with the GDPR. Organizations should therefore be wary of agreeing to act as representatives for third parties without strong contractual indemnities in place.

    Offering services in the EU: not sufficient: access to a website/domain outside the EU with contact details. Indications: - using a specific language spoken in the EU, references to Union-based customers or users, option to place orders in EURO or another currency used in the EU, delivery of goods to EU sites, operations of linked subcontractors in the EU
  • Slide 98

    Privacy laws are highly different across the globe
  • Slide 99

    Clarify: personal data cannot be transferred to countries in grey
    Countries with adequate level of processing: Andorra, Argentina, Canada (not all kind of processing, only organizations that are subject to Canada's PIPEDA), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
  • Slide 100

    'Binding corporate rules' means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.

    Ensuring that data minimisation is accounted for in supplier agreements and binding corporate rules should be included in procurement and supply procedures.

    The data controller must ensure that privacy principles are met wherever the personal data goes: external processors and internal organisations/divisions must be required by contract and binding corporate rules to adhere to the privacy principles.

    Additional processes must be built into third party service agreements to demonstrate that the personal data is processed in compliance with these principles at every stage.
  • Slide 101

    Cross-Border Data Transfer within a corporate group may take place on the basis of Binding Corporate Rules ("BCRs"). The BCRs require approval from DPAs, but once such approval is obtained, individual transfers made under the BCRs do not require further approval.
  • Slide 102

    Ask participants to talk and share their challenges. It is important for networking
  • Slide 103

    Examples of processors: cloud providers, data centers, payroll companies, accountants, market research companies, call centers, financial companies,

    It is the responsibility of the data controller to ensure DPIAs are carried out "where processing operations are likely to result in a high risk to the rights and freedoms of natural persons". It is the controller's responsibility because the controller determines the purpose of the processing.

    Responsibilities of the data controller

      Responsibility for complying with a subject access request lies with the data controller and this places new obligations on organisations seeking compliance. Data controllers will need to ensure that data processors are able to provide all relevant information within the one month allotted by the Regulation to respond to a subject access request. It would make sense to design, document and deploy a subject access request process that complies with the specific GDPR requirements, and to train relevant staff in its use, in advance of receiving any such requests.
  • Slide 104

    The Data Controller remains legally responsible for the data processing carried out by the contracted Data Processor
    Privacy by design
    The GDPR contains requirements that systems and processes must consider compliance with the principles of data protection. The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery but from the inception of the product concept.

    There is also a requirement that controllers should only collect data necessary to fulfil specific purposes, and discard the data when it is no longer required, in order to protect data subject rights.
  • Slide 106

    When: Record the moment of the breach discovery and response efforts (activating the response), data processors must inform data controller without undue delay
    Who to notify: always communicate to employees with facts about the breach, develop a notification protocol
    According to the Ponemon Report, the average time that the bad guy is inside an organization is 243 days, so clearly 72 hours to report is a challenge for lots of organizations who don't know they have been breached; and the remediation afterwards, once that inevitable breach happens, takes on average, globally, anywhere from 40 to 47 days.
  • Slide 107

    Information can be compromised in a number of ways: it can be distributed outside the organisation (e.g. by theft and resale on the dark web), damaged or made inaccurate (e.g. by vandalism), or it can be rendered inaccessible (e.g. by ransomware). These are violations of the information's confidentiality, integrity or availability, also called the "CIA" of information security.

    'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

    Data security failures and cyber breaches can be catastrophic events for any organisation. Small organisations may well be wiped out simply by the nature of the breach and/or the immediate costs of dealing with it, and large corporations can be hit by enormous fines, class-action lawsuits and loss of reputation, all of which can have significant repercussions and inflict significant damage to both the organisation's reputation and its bottom line.
  • Slide 108

    Scenario planning a major data breach

      The recent Equifax data breach is one of the largest and most damaging cyber-attacks to date: 143 million personally identifiable records stolen. Hackers may have accessed highly valuable information, including our social security numbers, addresses, birth dates and credit card information.

      What can we do to contain the damage, as consumers as well as organizations? How can we move on from this breach?

      - The key takeaways consumers and enterprises should act on to protect against cyber scams and attacks related to this breach
      - Managing IT risk and vulnerabilities
      - How to improve breach prevention, detection and response
      - What to expect in the future
  • Slide 109

    Data security Rec.83; Art.32
    The idea that controllers should ensure the security of the personal data

    The aim of a good data security program is to ensure that there is full support for the information security program throughout and at all levels of the organisation. If the board and senior management regularly engage in the program, they can align its various goals so that the information security program gains importance in the eyes of all employees. In an ideal business, all functions should contribute positively to the organisation's goals and generate business enablers to improve the organisation's competitiveness through the GDPR implementation.
  • Slide 110

    Translate the case into Europe and the GDPR
    - How to notify the users? Private emails, public warnings,…?
  • Slide 111

    Repair or rebuild strategy
  • Slide 112

    Key task of the DPO
  • Slide 114

    In a damning report on the December 2011 blunder, the ICO said: "The council was aware that employees in the legal team regularly sent such emails in contravention of these policies, yet it took no action to prevent this or to train employees in the correct procedures."

    Stephen Eckersley, head of enforcement at the ICO, said: "If this data had been encrypted the information would have stayed secure. Instead the authority has received a significant penalty for failing to adopt a simple and widely used measure.
  • Slide 115

    Ask participants to talk and share their challenges. It is important for networking
    Talk about customer services
  • Slide 116

    Article 33(3) provides that the DPIA shall contain at least:
    '(a) a systematic description of the envisaged processing operations and the purposes of the processing, including where applicable the legitimate interest pursued by the controller;
    (b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
    (c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1;
    (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.'
  • Slide 118

    Beneath the data protection policy, define and document the essential data protection processes that convert the policy into practice.
    This is done with a set of process maps. Each specific process should be sufficiently documented so that anyone who has identified responsibilities within the process is clear about what has to be done, by whom, and by when, in a way that will deliver consistent outcomes. Typically, this is done by means of a RACI chart. A RACI chart defines, for each process (or step in a process) in an organisation, who is:  
    • responsible,
    • accountable,
    • consulted,
    • informed.
  • Slide 119

    ISO/IEC 29100:2011 provides a privacy framework which specifies a common privacy terminology;
    defines the actors and their roles in processing personally identifiable information (PII);
    describes privacy safeguarding considerations; and
    provides references to known privacy principles for information technology.
  • Slide 121

    Risk to individuals
  • Slide 122

    The actual risks to personal data might include:
    • hacking,
    • viruses and other malware,
    • intruders stealing or damaging data,
    • phishing scams,
    • inadequately trained staff,
    • unencrypted laptops outside the premises,
    • poor access control,
    • weak passwords.
    When identifying a risk to privacy, you need to assess the potential impact. In a DPIA, you are specifically looking for harm to the data subject rather than harm to the organisation, which would be covered in a broader information security risk assessment.

    With risks identified and the harm established, you can now begin to identify and evaluate privacy solutions. These are the measures you put in place in order to prevent the risks from doing harm. In Chapter 6, we identified four possible responses to risk:

      1. Treat, 2. Tolerate, 3. Terminate, 4. Transfer
  • Slide 126

    Prioritize and link to the data classification policy: this policy classifies data as confidential, sensitive, private, …; it is a way to prioritize (impact)
  • Slide 127

    Post-implementation reviews
    Article 33(8) provides:
     'Where necessary, the controller shall carry out a review to assess if the processing of personal data is performed in compliance with the data protection impact assessment at least when there is a change of the risk represented by the processing operations.'
     Regular post-implementation reviews or audits can be used to assess whether the risks have changed, and ensure the solutions identified during the DPIA have been and continue to be adopted appropriately.
  • Slide 128

    Implementing appropriate controls is a part of the data controller's commitment to establishing data protection by design and by default. Establishing the most secure ways of processing the personal data must be done "both at the time of the determination of the means for processing and at the time of the processing itself."

    In order to be able to demonstrate compliance with GDPR, the controller should adopt policies and implement measures which meet in particular the principles of data protection by design and data protection by default

    In addition to the Regulation's requirements for when to conduct a DPIA, you may wish to consider voluntarily conducting one in a number of situations, as DPIAs are a core part of good practice in complying with the Regulation, especially with regard to data protection by design and by default.
  • Slide 129

    Changes in developing products and services,
    Privacy was usually considered at the end of a new service or product, now it needs to be planned in advance
    Does privacy by design make the planning more efficient? Can privacy be embedded in all the new services?
  • Slide 130

    Address this obligation by conducting audits of your data protection notices and policies to ensure individuals are told about their right to object, and by putting processes in place to enable you to respond to data subjects' requests. It will be difficult to comply with the law if you cannot find ways to quickly and effectively suspend processing of an individual's personal data.

    Although records will demonstrate to your supervisory authority your claim that processing activities are in compliance with the Regulation, records will not show that these activities are actually conducted in accordance with the law. Without submitting to an audit, there's no real way to provide conclusive evidence that you are compliant and, due to limited time and resources, supervisory authorities are unlikely to want to subject every organisation to regular audits.  
  • Slide 131

    Identify areas to audit
    Also measure external data: GDPR fines applied in Denmark and in general.
  • Slide 135

    Repair or rebuild strategy
  • Slide 136

    Red is KP
  • Slide 138

    In November the Finanslov (Finance Act) can result in a Folketingsvalg (general election)
    Denmark is the approx. size of Hamburg!
  • Slide 139

    New culture to protect privacy
  • Slide 142

    - Ideas and best practices to implement policies and controls to comply, what the GDPR means in practice, implications for business
    - Recipes for practical steps for the GDPR compliance journey: methodologies, how we start, what we need to revise, theory to practice approach
    - Motivation: energy to simplify this process, get support from other functions, deal with the GDPR implications as a doer

    Course Content
    The background of EU GDPR and the significant terminology.
    The fundamental differences between the Data Protection Act and the EU GDPR.
    The data subject’s rights to individual’s personal data.
    Procedure for Processing Subject Access Requests (access to personal data)
    GDPR Privacy rules; marketing requirements and breaches and summary.
    The implementation track to EU GDPR compliance:
    - Privacy by Design and Default
    - The What, When and How of Privacy Impact Assessments (PIA)
    - Data audits
    - Training and competence requirements
    - Incident response and breach reporting
    - Updating policies and procedures

    International data transfers.
    Multi-jurisdictional and territorial scope of the EU GDPR