Join Dublin-based Data Protection Manager, Gonzalo Caro, in a discussion on the journey of GDPR compliance, lessons learned so far, data subject rights, governance, and the future of data protection in the evolving regulatory landscape.
6 months into GDPR: challenges and lessons learned
Gonzalo Caro, Data Protection Manager
Gonzalo Caro, CDPO, CIPP/E, is a Dublin-based Data Protection Manager. He worked for 17+ years at Microsoft and will soon start a new chapter in his Data Protection career by joining a large social media company. Gonzalo has played a number of roles in the areas of Data Protection and Governance, Risk Management and Compliance at Microsoft. Most recently, Gonzalo led the implementation of GDPR compliance globally for the Microsoft Operations organisation; prior to that, he was responsible for controls and compliance for the Microsoft EMEA Commercial business (~$15bn p.a.) across different risk and compliance domains. Former Chairman of the Microsoft Ireland (Risk & Compliance) Board of Directors, Gonzalo graduated with First Class Honours in Business Management from Dublin Business School and also completed studies in Philosophy and Logic in his native Badajoz (Spain). Gonzalo obtained the Certified Data Protection Officer qualification in May 2017 and has co-chaired the IAPP KnowledgeNet in Ireland since 2016. On a personal note, Gonzalo lives in Dublin with his wife and 13-year-old daughter and is an avid flamenco guitar player.
Agenda
• GDPR scenario setting
• The journey so far
• Q&A PART I
• What have we learned?
• Q&A PART II
GDPR scenario setting
• EU Regulation took effect on May 25th, 2018
• Comprehensive regulation with several impacts
• Expands rights for data subjects
• Imposes obligations on data controllers and processors
• Fines of up to 4% of annual global turnover
• Global territorial scope
May 25, 2018 The End of the Beginning
The journey so far
• GDPR is not Y2K
• May 25 was only the start
• Awareness has increased
• Rights are being exercised – volumes are up!
• Still wait-and-see mode for many
• A lot more coming…
DSRs are real!
• Data Subject Requests (DSRs) have increased, as reported by companies
• Individuals are taking DSRs seriously and exercising their rights, e.g. millions of accounts are being deleted or access requests submitted
• Self-service privacy dashboards are common in the industry but may present backend challenges if no robust foundation is in place
Source: https://blogs.microsoft.com/uploads/prod/sites/5/2018/09/MS_Privacy-Dash-by-Country-Map_Blue_AK.jpg
A robust foundation is critical
• Comprehensive data strategy preceded by in-depth assessment and preparedness
• The complexity of the ecosystem will determine the model to follow
• What data do you have?
• Where is that data?
• Data taxonomy – which of the data I hold is considered personal data?
• ID types beyond the traditional
• Data tagging – identify that data so it is retrievable
• Systems inventory – centralized solution. This is a must. You need to know what data you have and where it is at any given time.
Governance and monitoring
• A Governance model must be in place, regularly reviewing and providing strategic direction as decisions are required – tone-at-the-top!
• Continuous monitoring / audit plans with Key Performance Indicators – some issues need immediate remediation, such as breaches
• Ensure data synchronization between systems – offline copies may become your worst enemy!
• Data Retention Policies are crucial to success!
• Policies must reflect the data strategy and be aligned with supporting processes, e.g. ‘deleting data’
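The inventory, tagging, retention and offline-copy points of the two slides above, as an added Python illustration that is not from the presentation: a toy central inventory of tagged records that answers an access or erasure request across systems, flags records held past a hypothetical retention policy, and finds offline copies whose source row was already deleted. All system names, subject IDs, dates and retention limits are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Record:
    system: str                    # system in the central inventory holding the data
    subject_id: str                # identifier of the data subject (pseudonymous)
    tags: set                      # taxonomy tags; "personal" marks GDPR-relevant data
    collected: date                # collection date, drives retention
    copy_of: Optional[str] = None  # on offline copies: name of the source system

# Retention limits per tag in days (hypothetical policy values)
RETENTION_DAYS = {"contact": 365, "billing": 7 * 365, "marketing": 180}

# Constructed sample inventory, dated six months after 25 May 2018
TODAY = date(2018, 11, 25)
INVENTORY = [
    Record("crm", "u-1001", {"personal", "contact"}, date(2018, 6, 1)),
    Record("billing", "u-1001", {"personal", "billing"}, date(2016, 3, 1)),
    Record("marketing-export", "u-1001", {"personal", "contact"}, date(2018, 6, 1), copy_of="crm"),
    # offline copy whose crm source row was deleted: deletion never propagated
    Record("marketing-export", "u-2002", {"personal", "contact"}, date(2017, 9, 1), copy_of="crm"),
    Record("crm", "u-3003", {"personal", "contact"}, date(2017, 1, 1)),
]

def locate(inventory, subject_id):
    """Access request: every record tagged personal about the subject, copies included."""
    return [r for r in inventory if r.subject_id == subject_id and "personal" in r.tags]

def erasure_plan(inventory, subject_id):
    """Erasure request: sorted list of systems that must delete, copies included."""
    return sorted({r.system for r in locate(inventory, subject_id)})

def retention_violations(inventory, today):
    """Records kept longer than the retention window of one of their tags."""
    found = []
    for r in inventory:
        for tag in sorted(r.tags):
            limit = RETENTION_DAYS.get(tag)
            if limit is not None and (today - r.collected).days > limit:
                found.append((r.system, r.subject_id, tag))
                break
    return found

def unsynced_copies(inventory):
    """Offline copies whose source record no longer exists in the inventory."""
    live = {(r.system, r.subject_id) for r in inventory if r.copy_of is None}
    return [(r.system, r.subject_id) for r in inventory
            if r.copy_of is not None and (r.copy_of, r.subject_id) not in live]
```

An access request for u-1001 finds three records in three systems, and the orphaned marketing export for u-2002 is both a sync failure and a retention breach.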
The 3 amigos
• Technical dependencies have increased for DP professionals and further knowledge is required, e.g. understanding data lifecycle, taxonomies and tagging
• Expertise is needed to translate legal requirements into tangible engineering solutions, e.g. understanding content moderation technologies such as image hashing
• Privacy engineering is a growing field
• The key tool for professionals is the Privacy review / Privacy Impact Assessment, which acts as a Change Management agent, e.g. system upgrades/launches, processes, cookie compliance. DP by design!
• Artificial Intelligence and Machine Learning!
Your employees are critical!
• A solid Change Management process, adhered to by employees, to ensure systems & data sets stay up to date
• Your employees might play a critical role in identifying and reporting incidents, e.g. engagements with customers/developers through AI platforms
• Clear policies, e.g. offline copies, USBs, email rules
• Mandatory training & being part of the data lifecycle
• Encourage career development opportunities, e.g. engineers migrating to business roles and vice versa
A lot more is coming!
• Enforcement!!!
• ePrivacy directive
• Awareness will continue – more DSRs?
• Unpredictable events
• AI & ML
• Other countries follow suit
• And more…
Many thanks!
Gonzalo Caro
+353 87 662 51 72
https://www.linkedin.com/in/gonzalo-caro-8a068831/