GDPR IMPLEMENTATION SISCON 2018 CONFERENCE 13/09/2018

Size: px

Start display at page:

Download "GDPR IMPLEMENTATION SISCON 2018 CONFERENCE 13/09/2018"

Kelly Blair
5 years ago
Views:

1 GDPR IMPLEMENTATION SISCON 208 CONFERENCE 3/09/208

2 FOUNDED IN 999 AND TODAY ~70 CONSULTANTS AND ~600 INTERVIEWERS SISCON CONFERENCE 208 2

3 WE CONDUCT FULL SERVICE MARKET RESEARCH YET SPECIALIZED ANALYZE INFORMATION SURVEY Business Units Public & Politics Aviation MARKET RESEARCH Transportation Commercial TREND EVALUATION STATISTICS SISCON CONFERENCE 208 3

90% OF WHAT WE DO INVOLVES PERSONAL DATA MOST EVEN SENSITIVE ID-number Name E-mail address Sexual conviction Date of birth Gender Race Credit card number Health information Photos Genetic information

4 90% OF WHAT WE DO INVOLVES PERSONAL DATA MOST EVEN SENSITIVE ID-number Name address Sexual conviction Date of birth Gender Race Credit card number Health information Photos Genetic information Address Interests Employee ID Phone number Personality test License number Religion! Access control Personal performance Political preference Severe social problems Family information System logs Login name/ initials Passport no. Position GPS information IP-address Size shoes and clothes Union memberships Electronic trails Travel information Biometric information Criminal record Video observations MACaddress SISCON CONFERENCE 208 4

5 WE WERE LATE AND NEEDED SPEED AND PRAGMATIC SOLUTIONS!! SISCON CONFERENCE 208 5

6 Probability GDPR COMPLIANCE WAS A SIGNIFICANT CHALLENGE FOR EPINION Risk matrix Main risks Mitigation Almost certain (5) 3 Almost certain/moderate: Delay, i.e. implementation after 25 th of May-8 Implementation of initiatives have been prioritized according to criticality e.g. VN tasks and SharePoint before 25 th of May-8 Likely (4) 2 Almost certain/moderate: Deep understanding across all employees difficult e.g. many locations and high in/out rate 2 New educational programme will incorporate training in GPDR and WOWs and signing of privacy and security policies Moderate (3) 3 Almost certain/moderate: Historical personal data overlooked, i.e.. not deleted or anonymized 3 Continuous and frequent communication of why we need to do this together with the possible upside = more control/less risk Unlikely (2) 4 Likely/severe: Breach towards respondent or client any of the 6 EU citizen rights 4 Admit (if we have a weak case), apologize and compensate if needed. Enforce a earnings loop across the whole of Epinion Remote () 5 Likely/minor: Stickiness towards old ways of working and cultural resistance 5 Keeping GDPR compliance high on the agenda going forward. Develop on-going internal audit checks and process updates Minimal () Minor (2) Moderate (3) Major (4) Severe (5) 6 Moderate/moderate: File and database server migration to MS Azure troublesome (time, loss of data, downtime etc.) 6 Migrate one-by-one and PS IT to be in DK for 4 weeks to assist the migration. Always ensure a back-up until new up and running. Impact Note: The numbers in the squares indicate the amount of risks with the given impact/probability score. 7 Moderate/minor: Missed sales opportunities due to internal resources being occupied with GDPR implementation 7 The new Operations Director will take the internal DPO role and be the overall accountable for GDPR => resources released SISCON CONFERENCE 208 6

7 VIETNAM IS A NON-SECURE COUNTRY, I.E. TASK TRANSFER TO DK Tasks which are to be transferred from VN to DK/NO before 25th of May-8: Norge Danmark Vietnam. Sample withdrawal 2. Phone number enrichment 3. Interview status 4. Sample processing 5. Sample uploading 6. invitation 7. Sample data maintenance 8. Uni-Login tool 9. Interview status 7 large projects which are to be transferred from VN to DK/NO before 25th of May-8:. AKU 2. RVU 3. TU 4. Ørsted 5. Dementia 6. SUF 7. Boligsiden SISCON CONFERENCE 208 7

8 OVERALL, WE IDENTIFIED 7 TO DOS TO ENSURE GPDR COMPLIANCE 2 Clean-up of historical data across all servers, applications, personal hardware etc. Having the contractual agreements in place working with clients a must have 7 3 Obtaining consent from data subjects e.g. web, focus groups, newsletters, invitations etc. 4 Strict and standard procedures when requests from data subjects 5 Transition of tasks from Professional Services to DK/NO as VN classified as non-secure country Market us as a trustworthy player taking privacy (very) seriously 6 Implement new ways to store, access and share data SISCON CONFERENCE 208 8

9 OUR CAR ANALOGY TO CREATE COMMON UNDERSTANDING AND BACKING Would you agree it is good manners to... Ask if you may borrow it 6 Be careful nothing unwanted happens while you borrow it (speeding tickets, damages etc.) State what purpose you need to borrow it for 2 7 If an accident does happen, while you borrow it, tell the owner as quickly as possible Say how long you need to borrow it 3 8 Correct any mistakes while in your possession (e.g. pay parking or speeding tickets) Deliver it back on time 4 9 Return it at once if the owner wants it back Not use it for other purposes than you have stated 5 0 Not keep a copy of the key just in case you want to use it again? Now replace the words borrow with treat and it with personal data then you have an overview of many of the principles for treating personal data in the GDPR. All of a sudden, it is a lot less complicated, right? SISCON CONFERENCE 208 9

10 THE COST OF GDPR HAS BEEN SIGNIFICANT AND SALES HAVE SUFFERED GDPR/cost Sales/budget SISCON CONFERENCE 208 0

11 WE MARKET OURSELVES AS A GDPR PARAGON BECAUSE WE ARE Epinion Privacy Policy Since analyzing data is our core business, we handle loads of data every day. These data take various forms: Market data, brand data, institutional data - and obviously also personal data such as s, phone numbers, political beliefs, travel experiences and sociodemographics. Being one of the leading companies within market research and analysis - and being privileged with more than 0 years of experience with handling of personal data - we know the importance of privacy and trust and not least we apply the highest market standards. When you trust us with your personal data, it is our responsibility and privilege to earn that trust and safeguard your data in all possible ways. This means that we: Only use data for the specific purpose we obtain it for Always ask up-front for your consent to use the relevant data Never transfer data to 3rd parties without your explicit consent (or if we are legally bound to do so) Make sure to restrict access to data within the data processing period Anonymize data as soon as possible Delete data when it is no longer needed Have all necessary means of IT-security in place to protect our systems SISCON CONFERENCE 208

12 COMPLIANCE IS NOW OUR CORE FOCUS USING CONTROL MANAGER COMPLIANCE RULES POLICIES REGULATIONS LAW STANDARDS REQUIREMENTS TRANSPARENCY SISCON CONFERENCE 208 2

EPINION AARHUS EPINION COPENHAGEN EPINION HAMBURG EPINION LONDON HACK KAMPMANNS PLADS -3 8000 AARHUS C DENMARK T: +45 87 30 95 00 E: AARHUS@EPINIONGLOBAL.

13 EPINION AARHUS EPINION COPENHAGEN EPINION HAMBURG EPINION LONDON HACK KAMPMANNS PLADS AARHUS C DENMARK T: E: AARHUS@EPINIONGLOBAL.COM RYESGADE 3F 2200 COPENHAGEN N DENMARK T: E: COPENHAGEN@EPINIONGLOBAL.COM ERICUSSPITZE HAMBURG GERMANY T: +43 (0) E: HAMBURG@EPINIONGLOBAL.COM D ALBIAC HOUSE (ROOM 05-07) CROMER ROAD, HEATHROW CENTRAL AREA HOUNSLOW, TW6 SD T: +44 (0) E: LONDON@EPINIONGLOBAL.COM THANK YOU! EPINION SAIGON TH FL, DINH LE BUILDING, DINH LE, DIST. 4, HCMC VIETNAM T: E: HCMC@EPINIONGLOBAL.COM EPINION SINGAPORE 60 PAYA LEBAR ROAD #08-43 PAYA LEBAR SQUARE SINGAPORE E: CONTACT@EPINIONGLOBAL.COM EPINION STAVANGER EPINION VIENNA EPINION MALMÖ EPINION OSLO KLUBBGATEN STAVANGER NORWAY T: E: STAVANGER@EPINIONGLOBAL.COM HAINBURGERSTRASSE 20/7 030 VIENNA AUSTRIA T: +43 (0) E: VIENNA@EPINIONGLOBAL.COM ADELGATAN MALMÖ SWEDEN E: CONTACT@EPINIONGLOBAL.COM BISKOP GUNNERUS GATE OSLO NORWAY T: E: OSLO@EPINIONGLOBAL.COM

GDPR Awareness. Kevin Styles. Certified Information Privacy Professional - Europe Member of International Association of Privacy professionals

GDPR Awareness. Kevin Styles. Certified Information Privacy Professional - Europe Member of International Association of Privacy professionals GDPR Awareness Kevin Styles Certified Information Privacy Professional - Europe Member of International Association of Privacy professionals Introduction Privacy and data protection are fundamental rights