A Road To Compliance - AmCham Bulgaria

Deloitte Bulgaria, March 2018

Page 1

A Road To Compliance

Page 2

Conceptual approach

Page 3

A multidisciplinary effort

Deloitte’s vision on privacy

• Privacy is a combination of knowledge of the law, acknowledging the enormous technical aspects that putting it into practice entails, and the efforts that are required to embed this in an organization in a manner that fits its structure and culture.

• We strongly believe that only organizations where privacy-responsible staff come from each of these backgrounds, and are willing to learn about the two that are not their own, will succeed in running efficient and effective privacy operations.

• We have therefore also modelled our own team accordingly: our team includes expertise in each of these three areas.

Technical: Personal data needs to be processed efficiently and protected adequately. Furthermore, smart systems support organizations in keeping track of their personal data and managing their privacy risk.

Legal: Organizations must understand the multitude of applicable laws, regulations and standards for privacy and data protection, as well as ensure compliance with those rules.

Organizational: Almost every organization has to deal with privacy and data protection. Roles and responsibilities need to be assigned, and processes need to be aligned. We ensure that our solution allows for the most efficient integration of privacy within the organization.

Page 4

Road to maturity

A tailored transformation program helps organizations prepare in the optimal way for GDPR compliance

Deloitte’s privacy program defines six layers that can add value in the development of privacy within an organization

Elements of the program (figure): Audit and compliance; Processing Inventory; Data Management; Data Transfers; Strategy; Policies & procedures; Audit and Certification; Privacy by Design; Organization and Accountability; Communication, Training, Awareness; Privacy Impact Assessment

Layer 1 | Strategy
• A strong starting point determining high-level direction and risk appetite, upon which the organization builds its privacy organization.

Layer 2 | Organization and accountability
• Enabling effective implementation of the privacy strategy requires a strong and multidisciplinary privacy organizational structure. This covers the structure of the privacy organization as well as the role and position of key players, such as the Data Protection Officer. This layer also covers accountability: how to prove compliance?

Layer 3 | Policy, process & data
• Partnering with the business to ensure data is protected, governed, managed and utilized effectively in line with the organization’s strategy. Also covers technological challenges such as data access requests, data retention, the right to be forgotten, breach notification, and international and third-party data transfers.

Layer 4 | Culture, training & awareness
• Creating a high level of organizational awareness on privacy ensures that the organization’s employees know and follow the rules.

Layer 5 | Privacy operations
• Embedding privacy into the organization’s project methodology. This is done by efficient and practical guidance during conception of a new or changed product or service (Privacy by Design) as well as by assessing new and existing systems following the established PIA method. Also covers audit guidance and research into privacy seal certification (a new option in the GDPR).

Layer 6 | Processing inventory
• A processing inventory is a fundamental element of any privacy program, and will be a mandatory requirement under the GDPR.

Page 5

An approach for implementing the GDPR

The gap assessment results in a roadmap that implements the six layers of a privacy programme in a phased approach

Layer 1 | Strategy
Layer 2 | Organisation
Layer 3 | Policy, process & data
Layer 4 | Culture & awareness
Layer 5 | Privacy operations
Layer 6 | Processing inventory

Phase 1. Define
• Mobilise stakeholders
• Create buy-in
• Collect baseline information
• Define (key) stakeholders
• Define scope, objectives, stakeholders, timeline and involvement for the design phase
• Collect and assess existing documentation
• Create commitment within the organisation
• Gather necessary approvals

Phase 2. Design
• Define business requirements
• (Re)design, optimise or harmonise draft deliverables
• (Re)design roles & responsibilities
• Develop implementation plan
• Complete relevant review cycles
• Gather necessary approvals

Phase 3. Implement
• Execute implementation plan
• Pilot new solutions
• Optimise and harmonise solutions
• Implement organisational changes
• Roll out new processes, roles & responsibilities
• Train in the use of new processes and solutions

Phase 4. Operate
• Start daily operations in the newly designed way
• Support managers and staff to ensure that the new situation is operationalised
• Ensure continuous improvement by using the Plan-Do-Check-Act cycle
• Ensure hand-over to the business

All possible actions necessary for implementing privacy and the GDPR are given in the layers of Deloitte’s privacy programme. The gap assessment indicates which gaps exist in which of these layers; these gaps can subsequently be addressed in a structured manner by using a phased approach of four phases. This provides a clear way of working and makes sure you remain in control of the phases and their progress.

Page 6

An approach for implementing the GDPR

Building a change program

Page 7

Example of readiness assessment

Page 8

Knowing where your organization stands

A gap assessment is:

• A powerful tool to create a baseline for privacy

• Based on our Privacy, Security and Governance framework, covering all elements of the described privacy program

• Instrumental in finding the areas with the biggest risk

• Used to focus on those areas which most urgently need action

• A good starting point for a tailored privacy program

• A method to see how mature the organization currently is

Objective of GDPR gap / readiness assessment

Step 1: Understand the business and current status quo by conducting workshops for each relevant business process within the organization.
Deliverables: Documented understanding of the processes dealing with PI and of the existing technical and organizational measures for protection; PI data inventory and data-flow mapping.

Step 2: Establish a compliance framework (based on EU and local regulations) and conduct the gap assessment.
Deliverables: Documentation of all identified gaps with prioritization and recommendations; insight into the current level of maturity against the framework.

Step 3: Define an action plan – design and implementation of relevant changes.
Deliverable: Roadmap, including implementation packages (processes, legal, technology).

Page 9

Key focus areas of the GDPR Gap Assessment

The gap assessment provides clarity on the following privacy domains

Governance
• What are the roles and responsibilities with regard to personal data protection?
• What organization model (e.g., centralized / decentralized) is used?
• Who is accountable?

Processes
• Are processing detection processes in place?
• Are risk management processes implemented?
• Is incident management in place?
• Are there written policies and procedures with regard to data protection?

Data
• What personal data (entity) types can be distinguished?
• How sensitive is the personal data?
• Is data transferred to other parties and across borders?
• Where is data physically stored?
• Are external parties/processors involved?

Technology
• Which systems are used for processing personal data?
• What support systems are in place (registration, detection)?
• How are systems secured?

Legal requirements / Commercial use
• How does the (online) commercial use of personal data relate to privacy requirements (i.e. Privacy, Cookie and Spam legislation)?

The gap assessment provides insight into:
• State of affairs of key personal data management processes
• Privacy risks
• Key focus areas for privacy
• Priorities
• Timing

Page 10

Personal Data Inventory and Data Flows mapping

Example results:

• Effective data protection looks across the data lifecycle to allow an enterprise to tailor policy in a way that keeps information safe, yet available to those authorized to access it.

• Creating a personal data inventory and/or personal data flow maps will allow you to understand and analyze the scope of privacy in your organization.

Data lifecycle (figure): Collection, Storage, Use, Sharing, Retention & Destruction

Specific risks along the lifecycle (figure): Inconsistent methods; Distributed storage; Accidental loss; Inappropriate third-party controls; Partial deletion; Accidental deletion; Inappropriate classification; Inappropriate security controls; Data distributed across network; Unnecessary retention; Improper duplication; Theft or breach; Improper access/sharing; Misuse

Inventory attributes (figure): Process; Purpose; Data subjects; Data types; Repository; Location; Recipients; Retention period; Risk; Security Measures

Page 11

Example results:

Personal Data Inventory and Data Flows mapping (continued)

Page 12

Detailed report on all identified gaps with prioritization and recommendations

Example results:

1. Privacy compliance requirements based on current legislation.
2. Requirements are focused on future legal requirements from the GDPR.
3. Privacy requirements are based on standards, relevant jurisdictions, industry standards and best practices.
4. Each requirement can be used to measure the current state of privacy within your organization.

Identified Gaps

№ | Privacy domain (area) | Requirement | Description of non-compliance | Risk classification | Next steps

1 | Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. | Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. | Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni | High risk | qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

2 | sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. | qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. | Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo | Medium risk | qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non

3 | sed do eiusmod tempor | qui dolorem ipsum | Sed ut perspiciatis unde omnis iste natus error sit voluptatem | Low risk | qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit,

Page 13

Example results for next steps: Roadmap

The Roadmap shows the timing and priority of the various actions that have emerged from the gap assessment

Work packages (WP) and quick wins (QW) per domain, scheduled over months 1 – 12:

Strategy: WP 1
Roles & responsibilities: WP 2
Policies, procedures & guidelines: WP 3
Training & awareness: QW 1, WP 4
Transparency: WP 5
Privacy rights: WP 6
Records of processing activities: WP 7
Third party data transfers: WP 8, WP 9 & WP 10, WP 11
Data retention: WP 12
Security measures: WP 13
Incident management: WP 14
Privacy impact assessment: WP 15
Audit: WP 16
Supervising authorities: WP 17

Page 14

Example results for next steps: Roadmap – working package

Work Package 1: Privacy Training

Estimated Duration: 3 – 4 months

Objective: Provide function- or department-specific privacy training to employees who process personal data in order to explain how they can help to avoid privacy incidents.

Nature of requirement:
• Legal requirement.

Recommended activities:
• Build a company-specific privacy training that allows employees to understand all privacy risks related to the personal data they process.
• Link with existing IT Policy.
• Ensure that training & examples are function- or department-specific.

Control Domain:
• Training & Awareness

Stakeholders:
• Legal & Compliance
• HR
• Heads of business departments

Dependencies:
• WP 1

Risks Mitigated:
• There are no training or guidelines for employees related to privacy compliance (e.g. no instructions about storing personal data in tools like ABC CRM). A lack of privacy awareness is the cause of a considerable percentage of privacy breaches.

Estimated Effort:
• External training: 5 days to adapt to the company environment, 1 day to provide face-to-face training.
• Building own training: 3 – 4 weeks.

Comments: (none)

Page 15

Useful resources

• Bulgarian Data Protection Authority site – bulletins, practice, Q&As

• ISACA Data Privacy Impact Assessment – guidelines and toolkit

• ISO 29134:2017 Information technology — Security techniques — Guidelines for privacy impact assessment

• ISO 29151:2017 Information technology — Security techniques — Code of practice for personally identifiable information protection; note: goes together with ISO 27001

• EU Article 29 Data Protection Working Party guidelines on DPIA, the right to data portability, the data protection officer, guidance on automated individual decision-making and profiling, guidance on data processing at work, and others

Page 16

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

Deloitte Central Europe is a regional organization of entities organized under the umbrella of Deloitte Central Europe Holdings Limited, the member firm in Central Europe of Deloitte Touche Tohmatsu Limited. Services are provided by the subsidiaries and affiliates of Deloitte Central Europe Holdings Limited, which are separate and independent legal entities.

Deloitte provides audit, tax and legal, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 225,000 professionals, all committed to becoming the standard of excellence.

This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.

© 2017 Deloitte Bulgaria