Our objective: You ♥ GDPR
Introduction
Peter Czernecki – CEO
20 years building businesses with IT.
$300M value created with Private Equity investors.
Tough guy: IT & business background. Top schools.
Funny. Deadly.
iAGE – Our Team
15 years+ experience each
Trusted partners of CEO’s, CFO’s, CTO’s & users
A Hungarian is someone who enters the revolving door last
and leaves it first (Leo Szilard, father of the H-bomb)
iAGE – What Do We Do?
We create precise software design & code
↓
We deliver software that works & users love ♥
on time, within budget.
Multi-platform skills + cloud.
Hungarians Founded Hollywood & later invented
the less dangerous A-bomb (Economist)
iAGE – Numbers
10 years
200+ projects
3 continents
100% success rate
GDPR – Basics
GDPR – What You Will NOT Need
- Data protection policy
- Training policy
- Information security policy
- Data protection impact assessment procedure
- Retention of records procedure
- Subject access request form and procedure
- Privacy procedure
- International data transfer procedure
- Data portability procedure
- Data protection officer (DPO) job description
- Complaints procedure
- Audit checklist for compliance
- Privacy notice
- And much more
Contact us
iAGE GDPR Offering
1) GDPR Analysis Toolset ⇒
2) Pseudonymization Solution
100% tailored GDPR solution: practical, fast, no fluff.
No, we do not sell 1000 hours of consulting.
How about you?
- Who has a head of IT Security / CSO?
- Who has ISO27001?
- Who is ready for GDPR?
- Who is worried about GDPR?
- Who thinks his/her business is better prepared for GDPR than the average?
- Who thinks GDPR is complex?
EXCITING Good news
GDPR is
Simple. Practical.
It is COMMON SENSE
(= EVERYDAY WISDOM)
…just think of Tax Evasion
… and the BORING basics
What is the KEY WORD here?
IDENTIFIED
Personal data (Art4)
(any data that relates to the Data subject in an identifiable way)
Special categories of personal data (Art9)*
Data subject (Art4) (=natural person (Art1))
(the person who can be IDENTIFIED
(the Personal data relates to him / her))
e.g. customer, employee, recruitee
*Special categories: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
He is Peter Czernecki
Passport num: 123456BA
21/08/1973
Height: 173 cm
Weight: 73 kg
Age: 44 years
Data subject
She is ???
Passport num: ???
21/08/1973
Height: 173 cm
Weight: 73 kg
Age: 44 years
NOT A Data subject
1) Added
He is Peter Czernecki
Passport num: 123456BA
2) Personal data added
21/08/1973
Height: 173 cm
Weight: 73 kg
Age: 44 years
Data subject
3) Pseudonymization
She is ???
Passport num: ???
21/08/1973
Height: 173 cm
Weight: 73 kg
Age: 44 years
NOT A Data subject
20% of GDPR… 80% of essence
GDPR – making it work – the simple, practical solution you will love
Exciting news – continued
GDPR asks no more than what you have in a good
e-mail newsletter software
Consent
(what you have to do all the time)
Data breach
(what happens if someone f#*ks up your system)
<-> what you do against it:
„data protection by default & design”
iAGE: We start with business
iAGE says:
Processes, Processes, Processes
„Yeah. Another boring topic.”
iAGE says:
For GDPR to work you need 2 new processes. OK, 3.
P1 – GDPR governance and reporting
P2 – GDPR analysis and compliance
P3 – GDPR data subject lifecycle management
Contact us
1) GDPR Governance & reporting
Official Objective | To prove that you did something |
Unofficial Objective | To have a GDPR compliance that makes $$$ sense |
Project Organization | CEO & DPO & Process managers & Business Analysts |
Permanent Organization | CEO & DPO & Process managers |
Process steps | Regular (quarterly) review meetings; regular or ad-hoc reporting: events, number of systems and data subjects affected |
Documents | GDPR governance manual; GDPR regular reports; GDPR data breach reporting (Art 33 & 34) |
2) GDPR Analysis and compliance
Official Objective | To prove that you did something |
Unofficial Objective | To have a GDPR compliance that makes $$$ sense |
Project Organization | CEO & DPO & Process managers & Business Analysts |
Permanent Organization | CEO & DPO & Process managers |
Process steps | Analyze & document personal data; determine rules for personal data; execute rules for personal data |
Documents | GDPR governance manual |
A) Analyze all your systems: a list of System → personal data items
B) Rules: create easy-to-follow & easy-to-understand rules, e.g. pseudonymize & then delete after 9 months
C) Execute the rules, e.g. pseudonymize & then delete after 9 months
3) GDPR Data subject lifecycle management
Official Objective | To prove that you did something |
Unofficial Objective | To have a GDPR compliance that makes $$$ sense |
Project Organization | CEO & DPO & Process managers & Business Analysts |
Permanent Organization | CEO & DPO & Process managers |
Process steps | Ask for consent (from a data subject); show data stored (to a data subject); remove data (regarding a data subject) |
Documents | Data subject lifecycle records |
A) Explicitly ask for consent to store personal data („I agree… (X)”)
B) Show: be transparent about what you store about him / her („Your profile… I agree (X)”)
C) Withdraw: allow people to get removed („Remove my data…”) OR pseudonymize their data
GDPR – making it deadly practical
iAGE GDPR Offering
1) GDPR Analysis Toolset ⇒
2) Pseudonymization Solution
100% tailored GDPR solution: practical, fast, no fluff.
No, we do not sell 1000 hours of consulting.
GDPR compliance summarized
3 processes
P1 – GDPR governance and reporting
P2 – GDPR analysis and compliance – we help
P3 – GDPR data subject lifecycle management
↓
3 practical technical solutions
T1 – Delete (some) data (after a while) – we help
T2 – Encrypt – LIVE – we help
T3 – Anonymize – TEST & REPORTING – full solution
GDPR icing on the cake
Multiple environments
TEST, LIVE, DEVELOPMENT
Multiple countries
With their own legislative issues & regulations
Things you can do after May, 2018
Worry about automated decision-making (profiling) (Art 22)
GDPR – iAGE’s deadly practical solution
iAGE GDPR deadly practical
1) Analysis tool
to document the P2 – GDPR analysis and compliance results →
you can prove that you did what was required
2) Pseudonymization – anonymization
in a way that the resulting data will be
VALID and will make sense business-wise
but will surely differ from the original live data. Typical use cases: test environment copies
3) LIVE: delete data scripts or encryption scripts
The product – Live Data
The product – Test Data
FAQ
How long does it run?
Depends on the complexity and size of the database. Approximately 5-8 hours.
How does it work?
We create statistically randomized data in the data tables.
When do I have to use it?
At any time when you make a copy of your LIVE environment
How do I know that the results are the ones I need?
The data stays valid for testing: related data move together (e.g. first name and sex, client type, or date of birth and tax ID), even if the data elements live in different databases or environments. Sensitive data such as bank card numbers are masked or filled with a default value. You set which fields to change.
Can I change the program later?
You can change run parameters at any time. Program changes require iAGE.
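The consistent scrambling described in this FAQ (and the pseudonymization of the Peter Czernecki record earlier on the page), as an added illustration that is not iAGE's product code: a keyed, deterministic pseudonym for the passport number so that related rows in two tables still join, a replacement first name that still matches the stored sex, a masked card number, and untouched non-identifying fields (date of birth, height). The tables, name pools, field names and key are constructed sample values, not data from the page.

```python
import hashlib
import hmac
import string

# Constructed sample data (not real people): a core "customers" table and a
# separate "accounts" table that references customers by passport number.
CUSTOMERS = [
    {"passport": "123456BA", "first_name": "Peter", "sex": "M", "dob": "1973-08-21", "height_cm": 173},
    {"passport": "987654CD", "first_name": "Anna", "sex": "F", "dob": "1985-02-03", "height_cm": 165},
]
ACCOUNTS = [
    {"passport": "123456BA", "card": "4111111111111111", "balance": 1200},
    {"passport": "987654CD", "card": "5500000000000004", "balance": 80},
]
# Replacement names grouped by sex, so the scrambled first name still fits the kept sex field.
NAMES = {"M": ["Gabor", "Laszlo", "Zoltan", "Tamas"], "F": ["Eva", "Katalin", "Zsofia", "Judit"]}

def keyed_digest(key: bytes, field: str, value: str) -> int:
    # Deterministic keyed hash: the same value maps to the same pseudonym in every
    # table, so joins survive; without the key the original cannot be recovered.
    return int.from_bytes(hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest(), "big")

def scramble_passport(key: bytes, passport: str) -> str:
    # Format-preserving pseudonym: 6 digits + 2 uppercase letters, like the original.
    d = keyed_digest(key, "passport", passport)
    az = string.ascii_uppercase
    return f"{d % 1_000_000:06d}" + az[(d >> 32) % 26] + az[(d >> 40) % 26]

def scramble_name(key: bytes, name: str, sex: str) -> str:
    # Valid replacement name from the pool that matches the data subject's sex.
    pool = NAMES[sex]
    return pool[keyed_digest(key, "name", name) % len(pool)]

def mask_card(card: str) -> str:
    # Masking, not pseudonymization: only the last four digits are kept.
    return "*" * (len(card) - 4) + card[-4:]

def scramble(key: bytes, customers: list, accounts: list) -> tuple:
    # Scramble both tables with one key so the customer/account relationship holds.
    # Date of birth and height are kept: without an identifier they identify no one.
    new_customers = [{**c, "passport": scramble_passport(key, c["passport"]),
                      "first_name": scramble_name(key, c["first_name"], c["sex"])} for c in customers]
    new_accounts = [{**a, "passport": scramble_passport(key, a["passport"]),
                     "card": mask_card(a["card"])} for a in accounts]
    return new_customers, new_accounts

def join_is_preserved(customers: list, accounts: list) -> bool:
    # Evidence for the scrambling log: every account still points at exactly one customer.
    keys = [c["passport"] for c in customers]
    return all(keys.count(a["passport"]) == 1 for a in accounts)
```

The key must be kept out of the test environment; anyone holding it can re-derive the pseudonym of a known passport number and re-identify the row.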
Contact us
Implementation
ANALYSIS
1) Map affected systems (applications) & relationships
Understand data ownership (“which system owns what data”)
Both IBM i (AS/400) and other systems
For each system (application) affected:
2) Identify which data tables are affected by anonymization needs
3) Identify dependencies between data fields of tables, both a) within a given application and b) across applications
Start with your core system(s) first.
ANALYSIS RESULTS & PRICES
PRODUCT | Analysis document with system dependencies & data affected |
BENEFITS | Documentation of systems; GDPR compliance: proof of analysis of sensitive data |
DURATION | 2-4 weeks, depending on number of systems |
PRICE | 3 000 – 10 000 EUR, depending on number of systems & documentation available |
SET UP AND DEPLOYMENT
3) Setup: set parameters: systems, tables, fields, dependencies + sequence
4) Deploy, run on test
a) Do it yourself, OR
b) Do it with us – one-time implementation and training
OPERATION
4) After-go-live support – for any new types of data tables: the majority of them can be set up, no development is needed
SET UP AND DEPLOYMENT – RESULTS & PRICES
PRODUCT | Scrambled test environment, plus a log that proves that scrambling of the data occurred; trained local operations personnel (“how to run & use?”) |
BENEFITS | GDPR compliance: scrambled sensitive data |
DURATION | 2 – 4 weeks, depending on number of systems |
PRICE | Licence – market prices (competitors’ prices): 10 000 EUR for an off-the-shelf solution (software only(!!!): no analysis, no deployment, no testing); 100 000 EUR for custom-developed (with many changes). + Implementation: 3 000 EUR <, depending on number of systems. + Support & maintenance per year: 20% |
Offer
1) ANALYSIS
Core + all affected (connected) systems
RESULT: Analysis document + proof of analysis for GDPR
2) SET UP AND DEPLOYMENT
Core banking system ONLY: set up and testing and handover
RESULT: Scrambling works + proof for GDPR
TOTAL (1+2) PRICE
1 COUNTRY, 1 BUSINESS: 3000 – 10 000 EUR