Beltug

GDPR - Assessing your cloud providers, insights from Engie, and preparing for ‘The Day After’: Takeaways from the N-sight and special workshop of 05/10/2017


Date: 05/10/2017


Beltug has developed and published the GDPR Vendor Assessment questionnaire, to help companies discuss compliance with cloud providers, and negotiate certain GDPR-required contract clauses. Under the GDPR, the 'data controller' always remains accountable, so it is up to you to be sure your processor/Cloud Service Provider (CSP) will treat data in a compliant way.


In the first part of this 2-part N-sight, we learned about what this tool includes, how it was developed, and how to use it. We also looked into what companies will need to do to monitor and maintain compliance after the GDPR is implemented. And we discovered how multinational company Engie Benelux is incorporating data protection into processes throughout the company.


Presentations from the event are available exclusively for Beltug members (after login):


Beltug: GDPR - Assessing your cloud providers, insights from Engie, and preparing for ‘The Day After’ Questionnaire

Cranium: GDPR: Preparing for May 26th 2018 (aka: “the day after”)

Engie: Real world challenges for GDPR compliance

DPOffice: CSP Vendor Assessment Questionnaire

DPOffice: workshop CSP Vendor Assessment Questionnaire


"The law doesn't oblige you to be fully compliant", a bold statement to start the session. After walking us through a few necessary steps on the current road towards compliance, Bavo Van den Heuvel, Managing Partner and Director of Product Innovation at Cranium, took a close look at how to maintain that compliance.


Among the key considerations for 'the day after' the GDPR implementation is your data register. The initial inventory of your data is just the beginning: this register needs to be modified for changing situations, such as mergers and acquisitions, new software used within the company, or new processing operations, to name only a few examples. And should you experience a data breach, make sure to adapt your register if the situation changes.


Your DPIAs must also be kept up-to-date: ensure those documents stay in line with changes in your company. Document the decisions you have made, and those resulting from your Data Protection Impact Assessment (DPIA), in it.


Make sure new processors are reflected: audit existing ones and perform 'due diligence' on new ones. The GDPR Vendor Assessment questionnaire (see below, Jean-Pierre Bernaerts’s presentation) can be of great help in that assessment of your (cloud) providers.


Measuring privacy metrics is a good thing, of course, but make sure they are properly described. The information should be relevant and stable, too. It's a good idea to have the metrics calculated automatically and to review them regularly.


Employee awareness is a major pillar in your GDPR project! Keep track of your actions in this area. Take a look at slide 6 for more actions.


Be ready for all kinds of questions from data subjects or third parties: treat them all equally. But when responding to a question, always ensure you are absolutely certain about the identity of the data subject - otherwise you are part of the data breach! And act in a timely manner when questions are asked.


Last but not least, when your first data breach occurs, keep a few important things in mind:


  • Investigate discreetly, within a small group. Make sure you can act quickly and in such a way as to avoid the breached information leaking to the outside world or the press.
  • Maintain an internal list of all data breaches.
  • Prepare proactively for a data breach: have a press release ready, with as positive a message as possible.


Next up, Peter Van Rompaey, BU Data Privacy Manager at Engie Benelux, shared his experience with GDPR, and how Engie Benelux integrates privacy and the EU regulation in its processes. The Engie group has over 22,000 employees and is responsible for +/- 140 legal entities, in all kinds of domains: operations, nuclear power plants, traditional power plants, etc. A DPO will probably need to be nominated for 30 to 40 of these entities.


With the full support of the Engie management, the GDPR project at Engie started over a year ago. As a complex organisation, Engie faced many challenges:


  • Finding all kinds of personal data: biometric (for instance, collected by nuclear power plants to grant access to people), staff, camera-generated, etc. The Privacy team works closely with the business to locate all the data, yet the devil is always in the detail: there is less and less truly anonymous data.
  • Populating the Data Protection Register should be the first priority. The platform used is key to this exercise. Excel or SharePoint (offering only 2 dimensions of classification) may not be able to get the work done. Engie Benelux, for example, developed its own tool.
  • Determining the role of each company: this needs in-depth discussion with the business people in the company. Is it a data controller or data processor, or (in more complex cases) maybe both, for different processing operations? An understanding of the data processing chains is necessary to determine these roles properly (see slide 10 for an example of the complexity of this challenge).
  • Making transfers GDPR-compliant - both those outside the European Economic Area and those inside the EU. (See slide 11 for more detail.)
  • Achieving and maintaining compliance!
  • The ultimate challenge: proving that all organisations are fully compliant. At this point in time, the GDPR is not precise enough to fully grasp what 100% compliance means.


The final speaker was Jean-Pierre Bernaerts, DPO & Director GDPR Compliance Services at DPOffice, who presented the Beltug Vendor Assessment Questionnaire (available after log-in). He emphasized yet again: you cannot delegate accountability! This was the main driver for building the Beltug Vendor Assessment questionnaire. If a controller does not take this assessment seriously, and appoints an unqualified processor, the controller (and not the processor) will probably be liable if an incident occurs.


All contracts after May 2018 need an addendum on data protection. But don't renegotiate your contracts, Jean-Pierre added, because you might risk reopening other articles in them (such as pricing!). Limit the renegotiation to adding the data protection clause as an addendum.


Workshop Questionnaire


Following the presentations, a one-hour workshop was arranged. Jean-Pierre Bernaerts and Tim Van Honsté, Large Enterprise account manager at Veritas Technologies, went over the various items in the Beltug Vendor Assessment Questionnaire in detail, and answered participants’ questions. They also repeated that the list was built primarily for working with larger CSPs.


One particularly important section in this list is about the sub-processors. Remember that, even when your processors have multiple levels of sub-processors, you remain, as a controller, accountable all the way down the line. So, it is important to know where your data sits and who is managing/processing it.


All in all, it was a lively and interesting discussion. We are confident our members will find the Vendor Assessment questionnaire very useful on their path to achieving and maintaining GDPR compliance.