Tuesday, 19 September 2017

Complying with the GDPR - Challenges and project

Complying with the GDPR 
Applying the GDPR requires project management. Below I give one example of how a project can be divided into 6 milestones and how a consulting firm can help in each phase. In this example that firm is Stibbe.
You can find the article at: http://tinyurl.com/ycvlgxt2
What and how? How Stibbe could assist
Because of the implications, companies should adopt a project-based approach to implementation across the company. Fact finding, objective gap analysis, realistic milestones, and clearly defined roles, tasks and responsibilities will help you break down such an implementation into easily manageable units.
What are the challenges?
1. Many new requirements
2. Very process-driven
3. Very tangible and visible/verifiable functions and steps need to be realized
4. Increased fines and sanctions
5. A moving target
6. Need for a company-wide project
Milestone 1: Initiation

Goal: Position the project, explain the rationale and secure internal support
Action items:
- Create (C-level) awareness within your company
- Set project boundaries, milestones, budget and tooling
- Assign a project leader and select project team members
How Stibbe could assist:
- Provide an outline of the key focus points of the GDPR
- Conduct on-site awareness session(s)
- Assist in scoping the project in light of the company/group profile
Milestone 2: Analysis and assessment
Goal: Identify the “as-is” and the “to-be” situations and conduct a gap analysis
Action items:
- Review and obtain a clear understanding of the "as is", particularly in terms of (i) all types of data processed, (ii) data lifecycle management strategies (e.g. storage, retention, anonymisation), (iii) use of third-party processors, (iv) all data flows inside and outside the EU, (v) technical and organizational security measures taken, and (vi) all underlying contracts and policies
- Determine the applicable GDPR requirements (e.g. the presence of high risk processing, sensitive data, the need for a DPO)
How Stibbe could assist:
- Provide a due diligence toolkit
- Conduct interviews with key users
- Review the related documents
- Prepare a Privacy Impact Assessment (PIA) as required, including gap analysis
- Assist in appointing and setting up the DPO or data protection role (if no formal DPO is needed)
Milestone 3: Design your future state
Goal: prepare a blueprint for future GDPR compliance
Action items:
- Reconcile the assessment findings with the relevant GDPR obligations
- Design required process improvements, measures and steps required
- Forecast the timeline and estimate the level of effort and amount of resources needed
How Stibbe could assist:
- Prepare pre-design notes and schemes setting forth the new architecture
- Prepare the blueprint
- Suggest improvement measures (e.g. pseudonymisation)
Milestone 4: Development (in agile mode)
Goal: Transform the blueprint into compliant products, services, and processes
Action items:
- Make sure to embrace privacy by design/by default requirements
- Implement procedures to meet new/enhanced data subject rights
- Adjust/draft appropriate contracts, notices and policies
- Incorporate approved codes of conduct and/or earn certification
How Stibbe could assist:
- Provide guidance on implementation of processes (e.g. obtaining consent, data portability, right to be forgotten)
- Identify best practices
- Draft the required documents (e.g. information notices towards data subjects and a data breach notification form)
- Work in various iterations, seeking interim validation from key users
- Liaise with the supervisory authorities and/or the certification bodies, as the case may be
Milestone 5: Implementation
Goal: Launch the new processes, policies and tooling
Action items:
- Present the new processes, policies, documents and contracts
- Familiarize the key users with the new tooling
- Introduce training materials and train users
How Stibbe could assist:
- Present the new state to C-level
- Conduct key user training sessions
- Prepare manuals and detailed documentation
- Conduct Q&A
Milestone 6: Run/maintenance mode
Goal: maintain compliance; ensure regulatory, corrective and evolutionary maintenance
Action items:
- Conduct regular reviews (e.g. of the evolving "state of the art" requirement for data security)
- Capture further guidance coming from the regulators (from the European Data Protection Board, which replaces the Art29 Working Party, and others)
- Monitor training of new users
How Stibbe could assist:
- Provide briefing notes on new regulatory guidance or legal developments
- Set up a helpline
- Provide on-site support if needed
- Keep contracts, policies and notices updated
- Conduct regular updates with the DPO or data protection contact on FAQs and the overall state of GDPR compliance