Business Continuity & Privacy Data Protection (GDPR)
Stefanidou Maria
Agenda
01 Business Continuity Plan (BCP)
02 General Data Protection Regulation (GDPR)
03 Comparing BC – GDPR
04 Comparison BCM – DPO Role
Resilience: Continuity and Dependencies
Business Resilience vs Business Continuity
• Design and Activate IRP / Action per incident
• Choose the «right» people as Coordinator
• Protect People, Secure Assets
• Spread Knowledge
• Train staff in their roles
• Define and Ensure Communication Flow
• Be detailed, Improve procedures
• Encourage Initiative
• Reward new Ideas and Innovation
• Evaluate Risk, Estimate Impact
• Test, Review Regularly
• Report
UNITS
Business Continuity: Definition of Business Continuity Planning
Business Continuity Planning is a holistic process: a combination of Risk Management and an Enrichment of Procedures under continuous review through an «audit eye», so as to decide what appropriate Physical, Technical and Organizational Measures must be taken to protect assets.
“How can I do this?”
Analyze, Manage
Keep environment in mind
Basic Elements of BCP
Areas for Building up "a right" to Continuity and Development of Resilience
Strategy for protection
Communication Flow Training
Test and Review «your chart»
Policy & Procedures
Set Goal - Responsibilities, Roles
Plan in Time
Strengthen communication
Everyone has to know
Keep in mind your goal to improve and expand your business
Be precise, detailed and clear
Inform about the scope and way of planning
Always try to be proactive
Common Culture
Build up transparency, trust, co-operation
Steering Committee – Support Teams
HR, Physical / IT Security, Risk, IT, Administration *
* Constructions, Buildings, Assets, System Development, Procedures
Board - Committee: Co-operative Sectors for Planning Continuity
Basic Knowledge for Building up a mechanism of Privacy Data Protection
Remember!
01 Shareholders - Directors
02 Security (Physical / IT)
03 Human Resources / Organisation
04 Financial / Assets
05 Compliance / Legal / Risk / Audit
06 Press Media / Marketing - Sales
Depends on the structure of the organization.
Business Continuity - Data Protection Plan: Strong Combination for Resilience
The «marriage» creates new Technological and Organisational solutions and drives Innovation.
Based on the GDPR, new ideas come into sight, and technological methods must be strictly enforced.
Data Protection + Business Continuity → Resilience
CIA*
* Confidentiality, Integrity, Availability
Data Protection: Definition of General Data Protection Regulation - GDPR
The GDPR (EU) 2016/679 ("GDPR") is a regulation on data protection and privacy for all individuals within the European Economic Area (EEA); it also sets rules on the export of personal data outside the EU and EEA.
The GDPR and Data Protection Directive IP/17/386 aim to:
• give individuals control over their personal data
• simplify legal procedures under a common rule for companies in the involved countries
• suggest how to protect personal rights and data in the Digital Single Market
“How can I protect?”
Analyze, Manage
Keep environment in mind
Rights of Data Subject: Protect Personal - Sensitive Data
• Right to Informed Consent: what data is needed and for what reason; how long and by whom data are processed; specific purpose; retention period only as long as necessary.
• Right to Access: you can see and change your personal information.
• Right to be Forgotten: you can even ask for deletion.
• Right to Portability: you can ask to change processor.
• Right to Awareness: the Data Subject has the right to be informed of high-risk breaches without undue delay, so as to take measures.
GDPR: New Business Opportunities
GDPR implies Business Continuity. The DPO is responsible for managing compliance with the GDPR.
• The GDPR was adopted on 14 April 2016 and became enforceable from 25 May 2018.
• Controllers / Processors of personal data must put in place appropriate Technical and Organisational measures.
• Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy.
Sanctions / penalties that can be imposed:
• A fine of up to €10 million or €20 million, or up to 2% or 4% of annual worldwide turnover, whichever is higher.
Unless an organization follows the GDPR, its reputation or even its existence is in danger.
Incidents: Common Facts
Rapid Growth, resulting in an
increased exchange of personal data
Technological Evolution
Data Loss
Data Breach
Increase of Violence, Crime, Terrorism
Globalization,
Economic Crisis
Increasing catastrophic natural
disasters
Climate Change
Unacceptable procedures (audit)
Human Error
BCM – DPO Role: Qualifications (BCM / DPO)
• Knowledge of Subject / Organisation (BCM √, DPO √)
• Culture Management Skills of an Organization (BCM √, DPO √)
• Expert Knowledge of Information Technology & Data Security - Data Protection Law (BCM: Optional, DPO: Prerequisite)
• Strong Personal Communication Skills
• Project Management Skills
• Thinks Strategically
• Plans / Designs
• Implements
√
BCM – DPO Role: Qualifications (BCM / DPO)
• Organizational Skills
• Risk Analyser
  o Focus on Details
• Skilled in complex problem analysis
• Analyses Technical and Business Requirements
• Evaluates business functions as critical
√
• Good Trainer
  o Explains, Directs, Motivates
• Transmissibility
• Teaching staff or managers
• Awareness of employees, clients, customers
BCM – DPO Tasks (BCM / DPO)
• Serves an «on-going» process
• Support
• Foresees possible issues
• Helps companies face them
• Guides teams to be ready
• Assists them to be always pro-active
• Not for all Businesses
• Legal Requirement if you do business with EU Customers, Clients
• Acts as a point of contact for employees, individuals
• Commits to Confidentiality and Privacy
√ √
BCM – DPO Role: Position (BCM / DPO)
• Acts «independently», as a consultant
• Gives opinions
• Ability to work with a great degree of autonomy
• Does not receive orders from the employer
• Takes decisions that promote compliance
• Follows the Rule-Principle: “By Design & By Default”
• For each processing
• Esp. data privacy
• Both of them are :
o granted the required
resources
or infrastructure
o accountable to the
Supreme Administrative
Level
• Depends on
the structure
of an Organization
• The DPO should not be placed in an organizational chart position that determines the goals and means of processing (e.g. IT Security).
• Not to be dismissed for acting within his responsibilities as DPO.
BCM – DPO – Designed Steps (BCM / DPO)
• Define Coordination / Committee (BCM); Define DPO / Committee (DPO)
• Train involved staff (definitions, terminology, restrictions, proposals to change processes)
• Make Shareholders and Staff, but also Clients and Customers, aware in a plain, understandable manner
• DPO advises the organization on its obligations regarding the GDPR and personal data provisions
• Evaluate Risk, Estimate Impact (BIA)
• Design Plans
• Review Plans (on a regular basis)
• Test BCP (annually, complicated scenario)
• Personal Data Mapping (Records of Processing Activities)
• Privacy Impact Assessment (PIA)
• Review PIA
• Involved in IT Security Plan
• Prepare IRP
BCM – DPO – Designed Steps (BCM / DPO)
• Perform “Informal” Internal Audit
• Improves Plans
• Enhances Procedures
• Assists in the development
• Carries out Tests
• Monitors Internal Compliance
• Report (resources used or needed)
• Reports Directly to Highest Level of Management
• Ask for Alternative Procedures and/or Support
• Set Specific terms for concluding a data transfer agreement outside the EU (DPA)
• Check whether partner contracts comply with the GDPR. Alternatively, find alternative outlets (NDA)
BCM – DPO – Designed Steps (BCM / DPO)
• Prepare Communication Flow
• Ask teams to share Roles and Responsibilities in their plans for the moment of crisis
• Prepare External Communication with Authorities & Customers
• Incident Management
• Breach Notification
• No Active Role in External Communication
• Those affected inform Senior Management and wait for a common public notification and/or further actions
• Has the right to communicate directly with Supervisory Authorities
• Manages Customer Requests to disclose an Incident that the DPO believes affects the Protection of Personal Data
• Registry Incident Book
• Keeping records of communication, fines, expenses (Registry Book of Data Breach / Data Subject Requests)
Resilience
UNITS
Organization
Human Resources
Marketing, Sales, Units
Thank you. Don’t leave it to luck.
Contact: M.Stefa
BCM Specialist