gdpr project board deck (example)
TRANSCRIPT
INFORMATION
SECURITY &
DATA PROTECTION
@TommyVandepitte
BUSINESS
[Figure: price / cost / value diagram. Labels: Price, Profit, Cost (External cost, Internal cost), (perceived) value for customer]
[Figure: Value proposition, Value creation, Value delivery, Value capture. Elements shown: experience, convenience, meeting the customers' needs, product design, meeting the qualifiers, image, additional functionalities, future proof, quality, people, meeting the users' needs, culture]
VALUE CAPTURE
IS HARD
Value captured = Value of the business
THE SAUCE IS
ALWAYS AT RISK
• Financial risk
• Solvability
• Liquidity
• Cash flow
• Operational risk
• Counterparty risk
• Customers
• Credit risk
• Suppliers
• Market risk
• Reputational risk
• Legal risk
• ...
THE WORLD IS “VUCA”
4 KEY CHALLENGES
“Change comes from outside. And that is what you should
use to challenge how your team has got to the end product.”
- Prof. Stijn Viaene -
Use 4 key challenges:
• Experience IS value, not just functionality. The reference
experience is NOT the sector, it is Google, Facebook, Uber, …
• Customers are moving targets.
• You can’t (and shouldn’t) have it all in-house: data, skills, …
What is core and should be owned? What can we outsource?
• You need well architected information systems.
APPLY
[Figure: knowledge matrix. Vertical axis "What we comprehend" (Known / Unknown), horizontal axis "What there is to know" (Known / Unknown). Quadrants: what we know we know; what we know we don't know; what we don't know we know; what we don't know we don't know]
MODELS &
FRAMEWORKS
• Business threats
a.o. disruption / creative destruction
RISK MANAGEMENT
RISK APPROACH
[Figure: risk matrix, Impact (High / Low) versus Likelihood (High / Low). Responses per quadrant: Share, Accept, Avoid, Mitigate]
[Figure: the same matrix with the follow-up activity per quadrant: Mitigate with continuous monitoring; Share or Accept with periodic monitoring; Mitigate with continuous review; Avoid or Mitigate with periodic review]
THE IDEAL
FOR REAL ?!
ISDPP IS
(JUST) ANOTHER RISK
• Customers
  • Who are your customers?
  • What do your customers value?
  • Why do your customers choose you?
• Suppliers
  • Who are your customers?
  • What relationship do you have with your suppliers? ("value partition")
  • Why do you have this relationship with your suppliers?
• Competitive edge
  • Culture
  • Ideas
  • Operational excellence
  • Cost control
  • Trade secrets
  • Protectable intellectual property
  • …
Part of the secret sauce
INFORMATION MANAGEMENT
ARCHITECTURE LIFECYCLE
• Databases
• Links
• Silos v transversal
Information asset ownership
ISDPP “INTELLIGENCE”
WHAT IS OUT THERE?
• (Information) Threat Intelligence
• network
• peers
• vendor information
• threat reports
• threat intelligence services
• futurists
• sci-fi
• …
LAYERS & DIMENSIONS
[Figure: layers and dimensions model]
• Layers: Environment, Physical, Human, Device, Application, Repository, Carrier
• Dimensions: Risk Assessment, Risk Decision, Controls, Incident Management, Changes
  • Changes: in the regulatory environment, in processes, in people (JLT), in technology
• Scope: Network, Data, 3rd Parties
• Lines of defence: 1st line, 2nd line, 3rd line
• Risk assessment: Impact, Probability
• Risk decision: Avoid, Mitigate, Share, Accept
LEGAL OVERVIEW
[Figure: Data Subject, Data Controller, Data processor; control over processing personal data. Principles: finality, legitimacy, transparency, organisation, proportional, end-to-end]
GDPR - NEW
• Processor now also an addressee
• Organisation
  • "Accountability" (reversal of the burden of proof), concrete
  • Processing register (and risk register)
  • Privacy impact assessment ("PIA")
  • Privacy by Design and Privacy by Default
  • Data Protection Officer
  • Acknowledgement of "frame" mechanisms: certifications, codes of conduct, binding corporate rules, …
  • Incident management and data breach notification
• Rights of individuals are increased and further elaborated
• Enforcement
  • Administrative fines universal and uniform
  • Collective actions of individuals universal and uniform
GDPR – CHANGE – VISUAL
[Figure: the legal overview diagram again, showing the GDPR changes: Data Subject, Data Controller, Data processor; control over processing personal data. Principles: finality, legitimacy, transparency, organisation, proportional, end-to-end]
CHANGE PROGRAM
PROJECT
• Change management
• HR review
  • Roles and function review, a.o.
    o DPO needed?
    o Information asset owners?
  • HR processes review
  • Communication & Training
• Processes review
  • Processing register
    • In iterations for legacy processes
  • Consent of data subjects
  • Incident management review
  • Project management review
    • PIA, PbD
    • Documentation => register
  • Complaints management (rights update)
  • Outsourcing partner review
  • Access management
• IT review
  • Architecture view
  • Security measures: comfortable?
    • Need to have
    • Nice to have
BUSINESS AS USUAL
• Tone at the top !
• “Money where your mouth is”
• Decisions on data protection
• Sponsor
• HR
• Communication & Training
• Awareness (= top of mind)
• Processes
• Periodic review and update
• IT
• Security is a moving target – upgrade, patch, decommission
• New development - PbD
• Monitoring & Reporting
• Test
• First line controls (KPI, SL, etc.)
• Board reporting to ISO and DPO
• Consolidating dashboard to top management
In parts / iterations
CHANGE RISK
CONTROL
THE CHANGE
Change management
• Decisions
• Action plan
• Tone at the top
• Budget and skilled people
• Multinational coordination ?