This document introduces a GDPR remediation programme to help organizations achieve compliance with the new General Data Protection Regulation (GDPR) that takes effect in May 2018. It discusses the motivation for GDPR including updating outdated privacy laws for the digital age. The programme will assess key areas like individuals' rights, consent, data transfers, and accountability. It will be a corporate-wide change effort governed by control boards at the corporate and business unit levels. Project managers and teams will implement new procedures, processes, technologies, roles, and training needed by the fixed deadline.
Achieving GDPR Compliance with a Remediation Programme
1. Achieving Compliance with the General Data Protection Regulation (GDPR)
Project GDPR
GDPR Remediation Programme .. Intro by Dr. Sami Zahran 1
2. General Data Protection Regulation (GDPR)
Introduction to the GDPR Remediation Programme
by Dr Sami Zahran
July 2017
3. Contents
1. Motivation & Rationale (why?)
2. Scope – The target change (what?)
3. Programme of Change (how?)
4. 1. Motivation & Rationale (why?)
The existing legislative landscape for data protection across the European Union is fragmented, causing confusion for individuals and businesses.
The current rules in place to protect EU citizens' data are out of date and have long been overtaken both by technology and by the way data is now stored and secured.
The outgoing legislation (EU Data Protection Directive 95/46/EC) came into force in 1995, and since then the way data is collected and used has changed fundamentally.
The incoming General Data Protection Regulation (GDPR) will address this gap and make EU privacy and data protection laws fit for purpose in the digital age, harmonising data protection law across the EU.
GDPR is a regulation, not a directive: when it comes into effect in May 2018 it will be directly applicable in all EU member states as a single law.
5. GDPR Privacy Principles
GDPR Six Privacy Principles:
1) Lawfulness, fairness and transparency (*)
2) Purpose limitation
3) Data minimisation
4) Accuracy
5) Storage limitation
6) Integrity and confidentiality
(*) Transparency: tell the data subject what processing of their data will be done.
6. The six Principles of GDPR
7. Scope – What information does the GDPR apply to (GDPR versus DPA)?
The GDPR rules apply to “personal data”.
GDPR’s definition of personal data includes online identifiers and any other enablers of personal identification, e.g. an IP address.
The new rules reflect changes in technology and in the way organisations collect information about people.
Any information that falls within the scope of the DPA (Data Protection Act) will also fall within the scope of the GDPR.
The GDPR applies both to automated personal data and to manual filing systems (a wider definition than the DPA's).
Personal data that has been pseudonymised – e.g. key-coded
GDPR refers to sensitive personal data as “special categories of personal data”, which also include genetic data, and biometric data where it is processed to uniquely identify an individual.
8. Contents
1. Motivation & Rationale (why?)
2. Scope – The target change (what?)
3. Programme of Change (how?)
9. The target change (New Capabilities)
Key new capabilities to be created:
1. Individuals’ rights
2. The right to be informed
3. The right of access
4. The right to rectification
5. The right to erasure
6. The right to restrict processing
7. The right to data portability
8. The right to object
9. Rights related to automated decision making and profiling
10. Accountability and governance
11. Breach notification
12. Transfer of data
10. GDPR Requirements of Personal Data
GDPR requires that personal data shall be:
a) Processed lawfully, fairly and in a transparent manner.
b) Collected for specified, explicit and legitimate purposes and not processed further beyond them.
c) Adequate, relevant and limited to what is necessary.
d) Accurate and, where necessary, kept up to date.
e) Kept in a form that permits identification of data subjects for no longer than is necessary (except for archiving purposes).
f) Processed in a way that ensures appropriate security of the personal data (e.g. protection against unauthorised or unlawful processing).
11. Target areas for assessment and remediation
Key areas to be assessed and remediated (1/2):
1. Lawful processing
2. Consent
3. Children’s personal data
4. Individuals’ rights
5. The right to be informed
6. The right of access
7. The right to rectification
8. The right to restrict processing
9. The right to data portability
12. Target areas for assessment and remediation
Key areas to be assessed and remediated (2/2):
10. The right to object
11. Rights related to automated decision making and profiling
12. Accountability and governance
13. Data protection impact assessments
14. Breach notification
15. Transfer of data
16. National derogations
13. Contents
1. Motivation & Rationale (why?)
2. Scope – The target change (what?)
3. GDPR: A Programme of Change (how?)
14. GDPR - Programme of Change
(Main Features)
Corporate-wide change / multi-site - covers all business areas and all locations
Regulatory - mandatory
Fixed end-date - the date cannot be moved
Critical - if the target date is missed, financial penalties will be imposed
New procedures - for recording and processing personal data
Business process changes - remediating current processes and creating new ones
People involvement - awareness and training, new roles and responsibilities
Technology - possible changes to current applications, possible new tools
15. GDPR - Programme of Change
(Governance levels)
Level-1) Corporate GDPR Control Board
Level-2) Business Unit (BU) Project Control Board(s)
Level-3) Business Unit (BU) Project Manager(s)
Level-4) Team Leader(s)
16. GDPR - Programme of Change
(Governance levels)
Level-1) Corporate GDPR Control Board:
Senior management financial support, oversight of the overall progress of the GDPR programme, and resolution of major issues
Level-2) Business Unit (BU) Project Control Board:
Project Control Board to support the project manager by providing advice and resolving project-level issues
Level-3) Business Unit (BU) Project Manager:
Project Manager to conduct the day-to-day running of the project through a number of team leaders, each taking responsibility for one or more work packages
Level-4) Team Leaders:
Take responsibility for one or more work packages (or sprints)
17. GDPR - Programme of Change
(Programme-Level Management and Support)
• Central governance: central (corporate-level) GDPR Control Board
• Central admin support: programme support office (PMO)
• Strategic alignment: with the company strategy
• Programme & project assurance: independent quality assurance of the various projects
• Accountability: clear roles and responsibilities (at the programme and the project level)
• Management: management of projects, stakeholders and suppliers is in place (at the programme and the project level)
• Integration: integration of the outputs of the various projects (critical for the success of the programme)
• Finances: monitoring the financial status of the individual projects, and collectively of the programme
• Planning: programme-level outline plan and project-level detailed plans
18. End
End of the Quick Intro to GDPR by Dr Sami Zahran