What does May 25th 2018 mean?
Demonstrate compliance efforts
• Documented privacy program
• Documented legal basis for processing activities
• Ongoing data lifecycle management according to the privacy policy
• Data consents
• Monitoring of data flows and audit trails
• Data privacy impact assessment procedure
• Incident response and breach notification procedure
• Privacy audits plan
• Budget for privacy control maintenance
#GDPR at @DeloitteCY
What does May 25th 2018 mean?
End of the readiness actions
• Appointment of a Data Protection Officer > mandatory or voluntary
• Implemented procedures to support the new rights of data subjects
• Updated records of processing activities
• Checked consent procedures
• Updated privacy notices and statements
• Renegotiated contracts with 3rd parties
• Reviewed user access and data quality
• Minimized data breach risks and completed de-risking actions
• Completed training and awareness
Need to define the priority of GDPR compliance in the corporate data security program
Tips for data governance
Accountability
• Clear ownership of data in the privacy policy to coordinate GDPR compliance efforts
• Data custodian for technical control > system administration and technical measures such as encryption and backups
• Data owner for functional control > data management practices to comply with GDPR
• All types of data > ERP/CRM, cloud, on-premises, big data, and unstructured data
• Involve project stakeholders
Tips for data governance
Data lifecycle diagram (reconstructed from the slide graphic):
• Lifecycle stages > Collect, Use, Store, Transfer, Destroy
• Data subject > provides personal information and sets privacy preferences
• Data controller > privacy policy, internal rules, GDPR requirements, legitimate interests, accountability, safeguarding controls
• Data processor > assures privacy and compliance controls
Tips for discovery efforts
A good map of the records of processing activities (ROPA) saves time
• Track personal information from the data subject through processes, systems and databases
• Consider all techniques
  • Interviews and workshops with data owners and process experts > accelerate with surveys
  • Functional documentation and data flow maps
  • eDiscovery
• Classify data > confidential, restricted, private, public
• New personal data > online identifiers, location, biometric
• Prepare to maintain the records of processing activities
Tips for discovery efforts
Essential
• Inventory > definition, data subjects, category and contact details
• Purpose and legal basis
• Data flow to/from
• Disclosed to
• Retention period
• Security measures
Good to add
• Owner, custodian and BU
• Notice, choice and consent
• Collection mechanism
• Technical information of the data > format, structure
• Storage location > paper archives, cloud, in-house, server, networks, email, country
• Storage medium
• Security classification > confidential, restricted
• Source > system generated, manual input
• Where the data is processed
• Collected by
• Used by
• Deletion type
• Audit trail
• Volume > gigabytes, records
• Transfer > recipients, countries, contract details, processor/controller relationship
• Privacy risk rating
Tips for discovery efforts
• Who > are the data subjects? has access to their personal data?
• Where > is the personal data stored? is the personal data transferred?
• Why > is the personal data under the organization's control?
• When > until when is the personal data kept? when is it shared with third parties?
• What > safety mechanisms and controls are in place?
Tips for de-risking
Discard irrelevant personal data to reduce risks
• Minimize the collection and holding of personal information
• Validate the need for relevant personal data with business owners
• Keep cardholder data storage to a minimum
• Delete duplicate copies, personal copies and just-in-case backups
• Create a workable document retention policy for comprehensive categories of documents
• Group actions logically
• Use last access time metadata in files and databases
Tips for privacy risk-approach
Identify the crown jewels
• Personal data that makes money
• Major business impact if compromised
• Clients, prospects, marketing database
• Financial data
• Human resources
• Large consolidated databases
• Special category data
Tips for privacy risk-approach
Personal information classification chart (reconstructed from the slide graphic):
• Horizontal axis > sensitivity: Sensitive, Restricted, Non-public
• Vertical axis > business value: Low (easy to replace and infrequent access) to High (commercially critical and frequent access)
• Quadrants > Crown jewels (sensitive, high value), High value, Medium value, Low value
• Datasets plotted > CRM database, Financial data, Health, Payroll and tax, Vendor db, Insurance, Contact directory, Employee travel, Website visitors, GPS monitoring, Office visitors, Cameras
Tips for going live
Top-down risk-based approach
• Risk impact on data subjects' rights
• Prioritize remediation plans for the riskier areas
• Most sensitive data, most shared, most records
• Follow infosec standards > ISO 27001/2 & 29100
• Test the procedures that address subject access requests and data breach notification > are they scalable?
• Operationalize changes such as data protection by design and DPIAs
• Validate data transfers
• Scramble, anonymise and pseudonymise
• Tools for vulnerability scanning on infrastructure and networks
Priority matrix
Effort (Low, Medium, High) against Risk (Low, High); reconstructed from the slide graphic:
• High risk, low effort > Do now
• High risk, medium effort > Plan now
• High risk, high effort > Plan major project
• Low risk, low effort > Fill in
• Low risk, medium or high effort > Delegate
Items placed on the matrix: Privacy policy, Data ownership, Training, Privacy audits, DPIA policy, Binding Corporate Rules, Data consents, Data flow monitoring, DPO training, Contract review, Awareness, Incident mgmt, Notices
Team organization
Implementation team
• GDPR steering committee
• Core team (cross-functional)
  • Compliance, infosec and change mgmt > consultants
• Supporting functions
  • Risk, audit, IT, HR, legal, procurement, marketing
  • Across BUs
• Build or repair strategy
• Manage implementation work streams
Tip > separate budgets
Operation team
• GDPR sponsor at the board > legal director, CIO, CFO
• Data protection officer, privacy leader or GDPR compliance unit
• Maintenance of compliance and security controls
• Centralized or not strategy
• Clearly defined roles
RACI matrix for coordination
GDPR implementation program (reconstructed from the slide table; columns in order: Steering committee, Implementation team, DPO, CISO)
• Analyze gaps (changes) > A, R, C
• Assess compliance risks > A, R, C, C
• Design the implementation program > A, R, I, I
• Define technical measures; Monitor program milestones > remaining cells extracted as "A R", "I", "R C"; their column assignment did not survive extraction
SAP and GDPR
Assess
• Privacy risk assessment
• Profiles
• Data category with data classification label
• Security setting evaluation
Prevent
• Access control with strong authentication
• Encryption, pseudonymisation, anonymisation and data masking
• Privileged access control
• Data retention and deletion policies
• Segregation of duties
Detect
• Auditing
• Activity monitoring
• Vulnerability scanning
• Alerts for anomalous activities
Technical documentation
Scope
• Environments > SAP ERP Central Component (ECC), Business Intelligence (BI), Customer Relationship Management (CRM)
• Digitalized documents
• Testing/pre-production
• Backups
• Legacy systems
• Customized functionalities
Master tables
• Customers > KNA1, KNBK, KNVK
• Vendors > LFA1, LFBK
• Addresses > ADRC, ADR2, ADR3, ADR6
• Business partners > BP000, BP030
• Users > USR03
• Credit cards > VCNUM
Tip: use the Where-Used List for Domain in Tables (report RSCRDOMA) to find every table whose fields are built on a given domain, so custom tables holding personal data are not missed
SAP HCM infotypes
• Ethnic origin, military status, and disability > infotypes 0002 and 0077
• Severely challenged persons > 0004
• Addresses > 0006
• Bank details > 0009
• Related person > 0021
• Internal medical services > 0028 + all subtypes
• Residence status > 0094
Audit access rights to t-codes and objects
Master tables
• Create, change and display customers, prospects, and contact persons > XD0*, VD0*, VAP*
• Customer reports > S_ALR_87012179, S_ALR_87012180
• Create, change, and display vendors > XK0*, MK0*
• Vendor report > S_ALR_87012086
• Maintain general tables > SE11, SM30, SM31
• Browse data > SE16 (generic table access is governed by the S_TABU_DIS and S_TABU_NAM authorization objects, so review those assignments and not only the t-code)
SAP HCM
• Create, change, and display employee > PA10, PA20, PA30
• Create, change, and display candidate > PB10, PB20, PB30
Tips
• Validate with the data owner
• Explain the least privilege principle
• Obtain or update consents for SAP users
• Activate SAP logs (e.g. the Security Audit Log and table change logging)
Encryption
Unstructured data
• Reports from SAP data
• Data transfers (ETLs)
• Document management systems (e.g. Documentum)
Databases
• SAP tables
• SAP log
• Testing environment
Encryption at the data level, not only at the server level
Tip > before encrypting, purge production environments of old data (according to the document retention policy)
SAP Cloud Platform
• Used for cloud instances
• Applications built by SAP partners
• Interfaces with external cloud and e-commerce platforms (e.g. Amazon, Azure)
Data scrambling
SAP testing environments
• Principle > real data should not be used in testing
• Techniques to maintain referential integrity > scrambling, pseudonymisation, de-identification and removal of sensitive information
• Tip > review the access administration in testing environments / avoid data masking
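The deck names the techniques but shows no implementation. The block below is an added example, not code from the deck or from SAP: it pseudonymises copies of customer master rows with a keyed HMAC so that the KUNNR key maps to the same surrogate in every table and joins between KNA1, KNBK and KNVK still work, then checks that property. The rows are constructed sample data (real SAP column names, invented values), the secret is an assumption, and the "phone"/"text" output formats are arbitrary choices for this example.

```python
"""Added example (not from the deck): consistent pseudonymisation of copies of
SAP master data for test systems, keeping referential integrity between tables.
"""
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample rows shaped like the SAP tables the deck names.
# Column names are real SAP fields; every value below is invented.
KNA1: List[Dict[str, str]] = [  # customer master, general data
    {"KUNNR": "0000100001", "NAME1": "Alice Example Ltd", "STRAS": "1 High Street",
     "TELF1": "+357 22 000001", "LAND1": "CY"},
    {"KUNNR": "0000100002", "NAME1": "Bob Sample SA", "STRAS": "2 Low Road",
     "TELF1": "+357 22 000002", "LAND1": "CY"},
]
KNBK: List[Dict[str, str]] = [  # customer bank details, child of KNA1 via KUNNR
    {"KUNNR": "0000100001", "BANKS": "CY", "BANKL": "002", "BANKN": "12345678901234"},
    {"KUNNR": "0000100001", "BANKS": "CY", "BANKL": "002", "BANKN": "11112222333344"},
    {"KUNNR": "0000100002", "BANKS": "CY", "BANKL": "005", "BANKN": "98765432109876"},
]
KNVK: List[Dict[str, str]] = [  # contact persons, child of KNA1 via KUNNR
    {"PARNR": "0000000501", "KUNNR": "0000100001", "NAMEV": "Alice", "NAME1": "Example"},
    {"PARNR": "0000000502", "KUNNR": "0000100002", "NAMEV": "Bob", "NAME1": "Sample"},
]

# Columns that carry personal data, and the shape the replacement must keep.
# Key columns (KUNNR, PARNR) are mapped identically in every table, which is
# what preserves the joins; the other columns only need a plausible format.
PII_COLUMNS: Dict[str, str] = {
    "KUNNR": "key", "PARNR": "key",
    "NAME1": "text", "NAMEV": "text", "STRAS": "text",
    "TELF1": "phone", "BANKN": "digits",
}


def pseudonym(secret: bytes, column: str, value: str) -> str:
    """Deterministic pseudonym: HMAC-SHA256(secret, column || 0x00 || value).

    Same secret + same input -> same output, so a KUNNR in KNBK maps to the same
    surrogate as in KNA1. Without the secret the mapping can be neither reversed
    nor recomputed, but whoever holds the secret can re-link: this is
    pseudonymisation in the GDPR sense (art. 4(5)), not anonymisation.
    """
    msg = column.encode() + b"\x00" + value.encode()
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    kind = PII_COLUMNS[column]
    if kind == "key":          # keep SAP's 10-digit zero-padded numeric key
        return str(int(digest[:12], 16) % 10**10).zfill(10)
    if kind == "digits":       # same length, digits only (e.g. bank account)
        return str(int(digest[:16], 16) % 10**len(value)).zfill(len(value))
    if kind == "phone":        # obviously fake prefix, stable suffix (assumed format)
        return "+000 00 " + str(int(digest[:8], 16) % 10**6).zfill(6)
    return "PSEUDO-" + digest[:10].upper()


def scramble_table(secret: bytes, rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Scrambled copy of a table; columns not listed in PII_COLUMNS are untouched."""
    return [{col: pseudonym(secret, col, val) if col in PII_COLUMNS else val
             for col, val in row.items()} for row in rows]


def scramble_all(secret: bytes) -> Dict[str, List[Dict[str, str]]]:
    """Scramble the three sample tables with one secret so keys stay consistent."""
    return {"KNA1": scramble_table(secret, KNA1),
            "KNBK": scramble_table(secret, KNBK),
            "KNVK": scramble_table(secret, KNVK)}


def join_profile(parent: List[Dict[str, str]], child: List[Dict[str, str]],
                 key: str = "KUNNR") -> Optional[List[int]]:
    """Children per parent key as a sorted list, or None if a child is orphaned.

    The profile does not depend on the key values themselves, so it must be the
    same before and after scrambling if referential integrity was kept.
    """
    parents = {r[key] for r in parent}
    counts = Counter(r[key] for r in child)
    if not set(counts) <= parents:
        return None
    return sorted(counts.values())


def no_original_pii_left(original: List[Dict[str, str]],
                         scrambled: List[Dict[str, str]]) -> bool:
    """True if no personal-data value from the source survives in the copy."""
    before = {r[c] for r in original for c in r if c in PII_COLUMNS}
    after = {r[c] for r in scrambled for c in r if c in PII_COLUMNS}
    return before.isdisjoint(after)


if __name__ == "__main__":
    secret = b"per-refresh secret; an assumption, not from the deck"
    copy = scramble_all(secret)
    print(copy["KNA1"][0])
    print("joins kept:", join_profile(copy["KNA1"], copy["KNBK"]) == join_profile(KNA1, KNBK))
```

Two practical points follow from the design. First, because the same secret recreates the mapping, the scrambled copy is still personal data as long as the secret exists anywhere; use a fresh secret for each refresh, keep it out of the test landscape, and destroy it when the copy must count as anonymised. Second, on a full table you should also check that the surrogate keys are unique (a modulo into a 10-digit space can collide on large number ranges) before loading the copy, which the small sample above does not need.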
User review
01 The review of listing and display access for personal information is generally not covered in the SAP user reviews
02 Cover the risks of users exporting or downloading SAP tables or reports containing personal information, and privileged access management
03 The GDPR leader should communicate requirements to the SAP system managers involved in access security
04 The data owner is accountable for performing and documenting the access review for each respective SAP module
05 Use the ROPA to review the most critical datasets of personal information to ensure the principle of least privilege
06 Document the tasks to revoke viewing accesses for roles and users, and the approvals
Additional solutions
• ROPA management > managing the data inventory and flows with an online application or with SAP GRC
• File transfer > sending and receiving encrypted and subsequently deleted files and SAP downloads (only inside the EU)
• Archiving and backups > archive SAP databases to reduce the personal data in production (including cloud-based solutions)
• Awareness and e-learning > videos and "skill pills" to raise awareness of the changes
• Data loss prevention > detecting, monitoring and confirming the transfer of personal information (e.g. emails)
Corporate privacy policy
How the right people use the right data for the right purpose
• Clear personal data security objectives
  • how to protect confidentiality, availability and integrity
  • how to support the new data subject rights
  • how to provide access to personal information only to authorized employees and 3rd parties
  • support for privacy awareness trainings
• Approved and endorsed by upper management
• Responsibilities assigned to data owners, data custodians, data users, DPO, IT, risk management and internal audit
• Communicated across the organization and to 3rd parties, and regularly updated
Corporate privacy policy
Privacy statements
• Being transparent in handling personal data of employees, candidates, clients, prospects, suppliers and business partners
• Processing and transferring personal data only for specific business purposes and with prior consent
• Using sensitive data only if necessary and where legally allowed
• Ensuring that personal data are up-to-date, complete and accurate
• Allowing data subjects to access, correct, delete, limit and block their personal data
• Protecting personal data from unauthorized loss, alteration, disclosure and access
• Tip > divide the policy for groups of employees, clients and vendors, or when acting as processor
Corporate privacy policy
Hierarchy
• Organizational > Policy on Privacy Management
• Operational > Supporting policies on
  • data breach incident management
  • duty of disclosure
  • classification and acceptable use of information assets
  • backup and business continuity
  • access control and passwords
  • handling international transfers
  • clear desk and clear screen policy
  • use of network services
  • software development
  • data processing agreements
Corporate privacy policy
Content
• Privacy vision, objectives and responsibilities
• Principles and roles to limit
  • the collection > how consents are ensured, when risk impact assessments are done
  • the use > how data is secured and given access to
  • the disclosing > define the circumstances for disclosure, complaints, notification of breaches
• Data categories
• Transfers to other business units and third parties
Corporate privacy policy
Privacy vision, objectives and responsibilities
• Staff should manage personal data under GDPR and local laws with reasonable safeguard measures
• The DPO (or equivalent) is responsible for updating the policy after regulatory or business changes
• Definition of the lawful bases relied on (legitimate interest and the other art. 6 grounds)
  • Performing contracts
  • Business process execution and reporting
  • Commercial activities and marketing
  • Compliance with legal obligations
  • Protecting vital interests
Corporate privacy policy
Tip > test for legitimate interest
• purpose > are you pursuing a legitimate interest?
• necessity > is the processing necessary for that purpose?
• balancing > do the individual's interests override the legitimate interest?
Corporate privacy policy
Data managing practices
• Staff should manage personal data under GDPR and local laws with the best safeguard measures
• The DPO (or equivalent) is responsible for updating the policy after regulatory or business changes
• Original purpose > personal data are only used for the purposes for which they were originally collected
• Secondary purpose > personal data may be processed for legitimate purposes different from the original purpose only if the secondary purpose is closely related (e.g. audits, dispute resolution, insurance)
• Retention period limited to > 1. the period needed to serve the legitimate purpose, and 2. the reasonable period needed to comply with an applicable legal requirement
Demonstrate compliance
Objective > Board engagement in communicating privacy and GDPR compliance (related to article 5)
Evidence
• Privacy program approved by the board
• Board agendas and minutes covering GDPR issues
• Evaluation of privacy reports, action plans involving board members, list of project stakeholders, budgets, approvals
• Nice to have: job roles assigning privacy responsibilities, privacy core team and experts, meetings and guidance with other internal functions dealing with personal data
• General: ISO/IEC 27001 compliance certificate
Demonstrate compliance
Objective > Board engagement in communicating privacy and GDPR compliance (related to article 5)
Evidence
• If required, board minute designating a DPO (art. 37, 38)
  • including evidence of independent reporting (org. chart, reports to the board), delegated tasks (contract, job description), proper budget, qualifications and certifications (CV, identity and background checks) and communication to the supervisory authority
• For non-EU data controllers/processors
  • mandate to designate a representative in the EU, and external communication in privacy notices and on the website (art. 27)
• Roles: Privacy Officer, Privacy Counsel, CPO, Representative
Demonstrate compliance
Objective > Board engagement in a privacy policy (related to article 5)
Evidence
• A data privacy policy approved by the board or top management
  • Integrated with the data security policy
  • Addressing the privacy principles: lawfulness of processing, purpose limitation, transparency, data minimization, accountability, deletion after use, quality, integrity and confidentiality
  • Mechanisms to maintain data quality: data owner
  • Annually updated
Demonstrate compliance
Objective > The board is engaged in supporting the privacy policy (related to article 5)
Evidence
• Supporting privacy policies
  • Code of conduct including privacy, staff handbooks, use of IT assets, information classification, document retention, document destruction, marketing
• DPIA procedure
  • for new or changing high-risk programs, systems and processes
Demonstrate compliance
Objective > The lawfulness of processing is ensured (related to article 6)
Evidence
• Contracts and data processing agreements with 3rd parties detail the legal reasons for processing
• Procedure for secondary uses of personal data
  • How to manage personal information for purposes other than those for which it was originally collected
• Mechanism for de-identifying data (art. 89) for archiving purposes in the public interest, or scientific and historical research purposes, or statistical purposes
Demonstrate compliance
Objective > Lawfulness of processing of special categories of personal data and criminal convictions and offences is ensured (related to articles 9 & 10)
Evidence
• Policy for collection and use of sensitive personal data
  • How to document the legal basis for processing sensitive data (contract, vital interests)
  • How to identify racial or ethnic origin, political opinions, biometric data and other sensitive data
  • Additional controls linked to the data classification policy
• Ensure that specific written consents are retained
• Contract clauses limiting processing to the prior instructions of the controller
Demonstrate compliance
Objective > Consents are valid (related to articles 7 & 8)
Evidence
• Procedure to obtain valid consents
  • Consents are obtained before processing data, with relevance, clear and plain language, simplicity and accessibility
  • Clear responsibility for controlling that processing is consistent with the consents
• Procedures to respond to requests to opt out of, restrict or object to processing > how to effectively stop processing, responsible person and response actions
• Procedure for children's consents > how to verify parents'/guardians' identities
Demonstrate compliance
Objective > Consents are properly retained (related to articles 7 & 8)
Evidence
• Records of consent are stored in a secure environment (including how and when consent was provided)
• The purpose of the processing and the consent language the user agreed to are stored at the time consent is provided
• Relevant metadata associated with the consent (IP address, geolocation, browser type and device type) is recorded along with the consent
• Terms of service acceptance and its version are recorded at the point of registration, including whether a social identity was used to register
Demonstrate compliance
Objective > Processing of personal data is transparent (related to articles 12, 13 & 14)
Evidence
• Procedure to provide valid data privacy notices
  • Effective communication of how to exercise the rights of the data subject; notices are given before collecting data; defined mechanisms such as statements, icons, pop-up notifications, scripts; who approves and controls the notices (legal knowledge); who is responsible for controlling that processing is consistent with the notices and that the description of activities is accurate
• Protocol for a data breach notification to affected individuals, regulators, credit agencies, law enforcement
Demonstrate compliance
Objective > Right of access is ensured (related to article 15)
Also managed for: rectification (art. 16), erasure (art. 17), restriction of processing (art. 18), notification of rectification, erasure or restriction to recipients (art. 19), portability (art. 20), objection (art. 21) and automated decision-making including profiling (art. 22)
Evidence
• Subject Access Request procedure and similar
  • Defined channels: email, online form, in writing
  • Formalized who is responsible for responding (on time), who is authorized to access data to respond, who controls / approves the final action, coordination with other operational units, coverage of internal data and of external data used by other processors and third parties, KPI reports (number of requests, complaints, explanations of root causes)
• Minutes of management meetings justifying any refusal
Demonstrate compliance
Objective > Responsibility of the controller in outsourcing is defined (related to article 28)
Evidence
• Clear instructions from the controller to the processor
  • Document how they are given and how they are accepted
• Annual review of contracts with third-party data processors
  • Approval by a privacy expert (or DPO)
  • Use of an approved contract template, or approval of exceptions
Tip: document the meetings with vendors when discussing privacy issues
Demonstrate compliance
Objective > Proper records of processing activities (ROPA) are maintained (related to article 30)
Evidence
• Linked to the data inventory and data flows
• List of all processing activities
  • Where, type of data, type of processing by third parties, cross-border data transfers
• Evidence of updates
• Approvals of the information
Demonstrate compliance
Objective > Proper data transfer mechanisms are in place (related to articles 45 to 49)
Evidence
• Records of the transfer mechanism used for cross-border data flows
  • standard contractual clauses, binding corporate rules, EU-US Privacy Shield, approvals from regulators
  • authorized transfer (e.g. consent, performance of a contract, public interest)
  • linked to the ROPA
Demonstrate compliance
Objective > Security of processing is implemented by technical and organizational measures (related to article 32)
Evidence
• User management policy
  • role-based access and segregation of duties
  • defined responsibility for approving access rights
• Technical security measures
  • risk-based controls such as intrusion detection, firewalls, monitoring or encrypting personal data
  • documented user accesses and security measures
  • confidentiality and privacy provisions in employment/vendor contracts
  • internal security audits and mitigation responses
Demonstrate compliance
Objective > Data protection impact assessment is documented (related to articles 35 & 36)
Evidence
• DPIA guidelines and templates
• Consultation of all stakeholders
• Follow-up of action plans for detected risks
• Evidence of monitoring to close issues and action plans
• Changes to systems and controls are tested as effective
• Eventual consultation of the supervisory authority
Demonstrate compliance
Objective > A procedure for data breach notification is in place (related to article 33; communication to the affected data subjects is governed by article 34)
Evidence
• Data privacy incident or breach response plan
  • Monitoring of abnormal data activity (e.g. downloads)
  • Escalation procedures involving the privacy expert
  • Protocols for breach notification to affected individuals and for breach reporting to regulators, credit agencies, law enforcement (the supervisory authority must be notified within 72 hours of becoming aware of the breach, where feasible)
  • Log of incidents with forensic analysis
  • Periodic testing and simulation
  • Insurance
Demonstrate compliance
Objective > A procedure for privacy by design and by default is in place (related to article 25)
Evidence
• DPIA procedure covering new systems and procedures and changes to existing ones
  • Integrated into system development and business processes
  • Access controls to least privilege
  • Involvement of a privacy expert (or DPO)
  • Assessed the risk of affecting data subject rights
  • Assessed technical measures (e.g. pseudonymisation)
Demonstrate compliance
Objective > A DPO acts as an independent oversight role (related to articles 37 to 39)
Evidence
• Evidence of full access to information and staff
• Reasonable budget
• Autonomous and free from other incompatible tasks
• Documented tasks for a privacy program
  • Advising on privacy risks
  • Facilitating changes to embed privacy controls in all policies, and updating them annually
Demonstrate compliance
Objective > A DPO acts as an effective oversight role (related to articles 37 to 39)
Evidence
• Documented training and awareness campaigns
  • Materials: training course notes, posters, presentations, leaflets, briefings, web pages, emails, quizzes and privacy competitions
  • Metrics: attendance, test results and training quality
• Conducted an enterprise privacy risk assessment
• Cooperated as point of contact for the supervisory authority
Demonstrate compliance
Objective > A DPO monitors GDPR compliance (related to articles 37 to 39)
Evidence
• Documentation of periodic risk-based data audits
  • started from the ROPA, focused on processes with complaints or incidents, sensitive information, low security and international transfers; both internal and third-party audits
• Practices compared against policies and GDPR requirements
  • walk-through documents, selected samples to test how consents are obtained and how contracts are monitored
• Compliance issues and metrics reported to the board and all stakeholders
Demonstrate compliance
Objective > The DPO tracks new risks and changes in GDPR (related to articles 37 to 39)
Evidence
• Evidence of
  • monitoring changes in GDPR requirements
  • participation in training and conferences
  • subscription to legal services to receive updates
  • meetings with the legal counsel