BUSINESS CONTINUITY · 2019. 6. 24. · Business Continuity Definition of Business Continuity...

BUSINESS CONTINUITY Business Continuity & Privacy Data Protection (GDPR) Stefanidou Maria


Page 1

BUSINESS CONTINUITY

Business Continuity & Privacy Data Protection (GDPR)

Stefanidou Maria

Page 2

Agenda

00 Resilience

01 Business Continuity Plan (BCP)

02 General Data Protection Regulation (GDPR)

03 Comparing BC – GDPR

04 Comparison BCM – DPO Role

Page 3

Resilience: Continuity and Dependencies

Business Resilience vs Business Continuity

• Design and Activate IRP / Action per incident

• Choose the «right» people as Coordinators

• Protect People, Secure Assets

• Spread Knowledge

• Train staff about their roles

• Define and Ensure Communication Flow

• Be detailed, Improve procedures

• Encourage Initiative

• Reward new Ideas and Innovation

• Evaluate Risk, Estimate Impact

• Test, Review Regularly

• Report

UNITS

Page 4

Business Continuity: Definition of Business Continuity Planning

Business Continuity Planning is a holistic process: a combination of Risk Management and an enrichment of procedures under continuous review through an «audit eye», so as to decide what appropriate Physical, Technical and Organizational Measures must be taken to protect assets.

“How can I do this?”

Analyze, Manage

Keep the environment in mind

Page 5

Basic Elements of BCP: Areas for Building up "a right" to Continuity and Development of Resilience

• Strategy for protection

• Communication Flow

• Training

• Test and Review «your chart»

• Policy & Procedures

• Set Goal - Responsibilities, Roles

• Plan in Time

• Strengthen communication

• Everyone has to know

• Keep in mind your goal to improve and expand your business

• Be precise, detailed and clear

• Inform about the scope / way of planning

• Try to be always proactive

• Common Culture

• Build up transparency, trust, co-operation

• Steering Committee – Support Teams

• HR, Physical / IT Security, Risk, IT, Administration *

* Constructions, Buildings, Assets, System Development, Procedures

Page 6

Board - Committee: Co-operative Sectors for Planning Continuity

Basic Knowledge for Building up a mechanism of Privacy Data Protection

Remember!

01 Shareholders - Directors

02 Security (Physical / IT)

03 Human Resources / Organisation

04 Financial / Assets

05 Compliance / Legal / Risk / Audit

06 Press Media / Marketing-Sales

Depends on the structure of an organization

Page 7

Business Continuity - Data Protection Plan: Strong Combination for Resilience

The «marriage» creates new Technological and Organisational solutions, causes Innovation

Based on GDPR, new ideas come into sight and methods of technologies must be strictly enforced

Data Protection

Business Continuity

Resilience

CIA*

* Confidentiality, Integrity, Availability

Page 8

Data Protection: Definition of General Data Protection Regulation - GDPR

The GDPR (EU) 2016/679 ("GDPR") is a regulation on data protection and privacy for all individuals within the European Economic Area (EEA) and also sets rules about the export of personal data outside the EU and EEA.

The GDPR and Data Protection Directive IP/17/386 aim to:

• give individuals control over their personal data

• simplify legal procedures under a common rule for companies in the involved countries

• suggest how to protect personal rights and data in the Digital Single Market

“How can I protect?”

Analyze, Manage

Keep the environment in mind

Page 9

Rights of the Data Subject: Protect Personal - Sensitive Data

• Right to Informed Consent

• Right to Access: You can see and change your personal information

• Right to be Forgotten: You can even ask for deletion

• Right to Portability: You can ask to change processor

• Right to Awareness: The Data Subject has the right to be informed of high-risk breaches without undue delay, so as to take measures

What data is needed, and for what reason. How long and by whom data is processed. Specific purpose, retention period. Only if it is necessary.

Page 10

GDPR: New Business Opportunities

GDPR implies Business Continuity. The DPO is responsible for managing compliance with the GDPR.

• The GDPR was adopted on 14 April 2016 and became enforceable beginning 25 May 2018.

• Controllers / Processors of personal data must put in place appropriate Technical and Organisational measures.

• Businesses must report any data breaches within 72 hours, if they have an adverse effect on user privacy.

Sanctions that can be imposed as penalties:

• A fine up to €10 or €20 million or up to 2% or 4% of the annual worldwide turnover – whichever is the maximum.

Unless an organization follows GDPR, its Reputation or its Existence is in danger.

Page 11

Incidents: Common Facts

• Rapid Growth, resulting in an increased exchange of personal data

• Technological Evolution

• Data Loss

• Data Breach

• Increase of Violence, Crime, Terrorism

• Globalization, Economic Crisis

• Increasing catastrophic natural disasters

• Climate Change

• Not acceptable procedure (audit)

• Human Error

Page 12

BCM – DPO Role

QUALIFICATIONS | BCM | DPO

• Knowledge of Subject / Organisation | √ | √

• Culture Management Skills of an Organization | √ | √

• Expert Knowledge of Information Technology & Data Security - Data Protection Law | Optional | Prerequisite

• Strong Personal Communications Skills

• Project Management Skills

• Thinks Strategically

• Plans / Designs

• Implements

Page 13

BCM – DPO Role

QUALIFICATIONS | BCM | DPO

• Organizational Skills

• Risk Analysers

o Focus on Details

• Skilled in complex problem analysis

• Analyses Technical and Business Requirements

• Evaluates business functions as critical

• Good Trainer

o Explain, Direct, Motivate

• Transmissibility

• Teaching staff or managers

• Awareness of employees, clients, customers

Page 14

BCM – DPO Tasks

TASKS | BCM | DPO

• Serve an «on-going» process

• Support

• Foresees possible issues

• Helps companies face them

• Guides teams to be ready

• Assists them to be always pro-active

• Not for all Businesses

• Legal Requirement if you do business with EU Customers, Clients

• It is a point of contact for employees, individuals

• Commit to Confidentiality and Privacy | √ | √

Page 15

BCM – DPO Role

POSITION | BCM | DPO

• Act «independently», as a consultant

• Give opinions

• Ability to work with a great degree of autonomy

• Not receive orders from the employer

• Takes decisions that promote compliance

• Follow the Rule-Principle: “By Design & By Default”

• For each processing

• Esp. data privacy

• Both of them are:

o granted the required resources or infrastructure

o accountable to the Supreme Administrative Level

• Depends on the structure of an Organization

• The DPO should not be placed in an organizational chart position that specifies goals and means of processing (e.g. IT Security).

• Not dismissed for acting under his responsibilities as DPO

Page 16

BCM – DPO – Designed Steps

BCM | DPO

• Define Coordination / Committee

• Define DPO / Committee

• Train involved staff (definitions, terminology, restrictions, proposals to change processes)

• Make Shareholders and Staff, but also Clients and Customers, aware in a plain, understandable manner

• The DPO advises the organization on its obligations regarding GDPR and personal data provisions

• Evaluate Risk, Estimate Impact (BIA)

• Design Plans

• Review Plans (on a regular basis)

• Test BCP (annually, complicated scenario)

• Personal Data Mapping (Records of Processing Activities)

• Privacy Impact Assessment (PIA)

• Review PIA

• Involved in IT Security Plan

• Prepare IRP

Page 17

BCM – DPO – Designed Steps

BCM | DPO

• Perform “Informal” Internal Audit

• Improves Plans

• Enhances Procedures

• Assists in the development

• Carries out Tests

• Monitors Internal Compliance

• Report (resources used or needed)

• Reports Directly to the Highest Level of Management

• Ask for Alternative Procedures and/or Support

• Set Specific terms for concluding a data transfer agreement outside the EU (DPA)

• Check whether partner contracts comply with GDPR. Alternatively, find alternative outlets (NDA)

Page 18

BCM – DPO – Designed Steps

BCM | DPO

• Prepare Communication Flow

• Ask teams for Sharing Roles and Responsibilities in their plans for the moment of crisis

• Prepare External Communication with Authorities & Customers

• Incident Management

• Breach Notification

• No Active Role in External Communication

• Those affected inform Senior Management, awaiting a common public notification and/or further actions

• Has the right to communicate directly with Supervisory Authorities

• Manages Customer Requests to disclose an Incident that the DPO believes affects the Protection of Personal Data

• Incident Registry Book

• Keeping records of communication, fines, expenses (Registry Book of Data Breach / Data Subject Requests)

Page 19

Resilience

UNITS: Organization, Human Resources, Marketing, Sales, Units

Page 20

Thank you

Don't leave it to luck

Contact:

M.Stefa

BCM Specialist