GDPR project board deck (example)
This is an example of a deck for the decision makers (generally the board of directors). It first explains that data protection is a (reputational, legal, operational) risk that, like any other business risk, needs to be managed. It then gives some explanation of the status of data protection (law) and the main novelties under the GDPR, and finally highlights the main changes required in project mode and (later on, after the handover) in business-as-usual mode.

Additional reference to the Vlerick insight (published after this slide deck): http://www.vlerick.com/en/programmes/management-programmes/digital-transformation/digital-transformation-insights/insight-1

Published in: Law


  1. INFORMATION SECURITY & DATA PROTECTION — @TommyVandepitte
  2. BUSINESS (value diagram): Price, Profit, Cost (external cost, internal cost), (perceived) value for customer; Value proposition, Value creation, Value delivery, Value capture. Value drivers shown: experience, convenience, meeting the customers’ needs, product design, meeting the qualifiers, image, additional functionalities, future proof, quality, people, meeting the users’ needs, culture.
  3. VALUE CAPTURE IS HARD — Value captured = Value of the business
  4. THE SAUCE IS ALWAYS AT RISK
     • Financial risk
     • Solvability
     • Liquidity
     • Cash flow
     • Operational risk
     • Counterparty risk
     • Customers
     • Credit risk
     • Suppliers
     • Market risk
     • Reputational risk
     • Legal risk
     • ...
  5. THE WORLD IS “VUCA”
  6. 4 KEY CHALLENGES
     “Change comes from outside. And that is what you should use to challenge how your team has got to the end product.” - Prof. Stijn Viaene
     Use 4 key challenges:
     • Experience IS value, not just functionality. The reference experience is NOT the sector, it is Google, Facebook, Uber, …
     • Customers are moving targets.
     • You can’t (and shouldn’t) have it all in-house: data, skills, … What is core and should be owned? What can we outsource?
     • You need well architected information systems.
  7. APPLY (knowledge matrix: “what we comprehend” against “what there is to know”): what we know we know (known known), what we don’t know we know, what we know we don’t know, what we don’t know we don’t know (unknown unknown).
  8. MODELS & FRAMEWORKS
     • Business threats, a.o. disruption / creative destruction
  9. RISK MANAGEMENT
  10. RISK APPROACH (two impact × likelihood matrices, each axis high/low): first matrix with the responses Share, Accept, Avoid, Mitigate; second matrix pairing the responses with follow-up: Mitigate / Cont. monitoring, Share, Accept / Per. monitoring, Mitigate / Cont. review, Avoid, Mitigate / Per. review.
  11. THE IDEAL
  12. FOR REAL ?!
  13. ISDPP IS (JUST) ANOTHER RISK — Part of the secret sauce
     • Customers
       o Who are your customers?
       o What do your customers value?
       o Why do your customers choose you?
     • Suppliers
       o Who are your customers?
       o What relationship do you have with your suppliers? (“value partition”)
       o Why do you have this relationship with your suppliers?
     • Competitive edge
       o Culture
       o Ideas
       o Operational excellence
       o Cost control
       o Trade secrets
       o Protectable intellectual property
       o …
  14. INFORMATION MANAGEMENT — ARCHITECTURE, LIFECYCLE
     • Databases
     • Links
     • Silos v transversal
     Information asset ownership
  15. ISDPP “INTELLIGENCE” — WHAT IS OUT THERE?
     • (Information) Threat Intelligence
       o network
       o peers
       o vendor information
       o threat reports
       o threat intelligence services
       o futurists
       o sci-fi
       o …
  16. LAYERS & DIMENSIONS (diagram). Layers: Environment, Physical, Human, Device, Application, Repository, Carrier, Network, Data, 3rd Parties. Dimensions: Risk Assessment (Impact, Probability); Risk Decision (Avoid, Mitigate, Share, Accept); Controls (1st line, 2nd line, 3rd line); Incident Management; Changes (in the regulatory environment, in processes, in people (JLT), in technology).
  17. LEGAL OVERVIEW (diagram): Data Subject, Data Controller, Data processor; Processing personal data; Control. Principles: Finality, Legitimacy, Transparency, Organisation, proportional, End-to-end.
  18. GDPR - NEW
     • Processor now also an addressee
     • Organisation
     • “Accountability” (reversal of the burden of proof), concrete
     • Processing register (and risk register)
     • Privacy impact assessment (“PIA”)
     • Privacy by Design and Privacy by Default
     • Data Protection Officer
     • Acknowledgement of “frame”-mechanisms: certifications, codes of conduct, binding corporate rules, …
     • Incident management and data breach notification
     • Rights of individual are increased and further elaborated
     • Enforcement
     • Administrative fines universal and uniform
     • Collective actions of individuals universal and uniform
  19. GDPR – CHANGE - VISUAL (same diagram as the legal overview): Data Subject, Data Controller, Data processor; Processing personal data; Control. Principles: Finality, Legitimacy, Transparency, Organisation, proportional, End-to-end.
  20. CHANGE PROGRAM — In parts / iterations
     PROJECT
     • Change management
     • HR review
     • Roles and function review, a.o.
       o DPO needed?
       o Information asset owners?
     • HR processes review
     • Communication & Training
     • Processes review
     • Processing register
     • In iterations for legacy processes
     • Consent of data subjects
     • Incident management review
     • Project management review
     • PIA, PbD
     • Documentation => register
     • Complaints management (rights update)
     • Outsourcing partner review
     • Access management
     • IT review
     • Architecture view
     • Security measures: comfortable?
     • Need to have
     • Nice to have
     BUSINESS AS USUAL
     • Tone at the top!
     • “Money where your mouth is”
     • Decisions on data protection
     • Sponsor
     • HR
     • Communication & Training
     • Awareness (= top of mind)
     • Processes
     • Periodic review and update
     • IT
     • Security is moving target – upgrade, patch, decommission
     • New development - PbD
     • Monitoring & Reporting
     • Test
     • First line controls (KPI, SL, etc.)
     • Board reporting to ISO and DPO
     • Consolidating dashboard to top management
  21. CHANGE RISK
  22. CONTROL THE CHANGE — Change management
     • Decisions
     • Action plan
     • Tone at the top
     • Budget and skilled people
     • Multinational coordination?
