Hi All,
I recently attended a workshop hosted here in Houston by TrustArc. They have a few more going on the rest of this year, schedule here. Surprisingly, it wasn't sales-y at all and really gave some great information. I wanted to share out the slides from the workshop and some notes I collected.
Notes:
Slide 10: GDPR effects data stored in the EU, not just EU data.
Slide 15: Databreach warning is applicable to customers OR anyone in your system with personal data.
Controller - you own the data, you use the data. ex. customers, employees, collect IP address & cookies - you're the controller
Processor - your vendors, people that use your product through partners, customer's customers, etc.
Need to document your status on all data you have.
Slide 16: "Adequacy" also depends on each country within the EU.
*Binding Corporate Rules* Not 100% sure on what this is, but it seemed like you want to get it in place.
Document how you transfer data and where it goes and who touches it.
Slide 17: I found this interesting. Service cannot be conditioned as consent unless necessary for the service. So, this seems to cover the email sent to a user to set up a password, but does a warning email about scheduled maintenance necessary for the service?
*Can't pre-check the consent box. They have to take action to give consent.
Slide 19: Carefully look at retention and distruction timeframe. "Undue Delay" is not defined.
"Automated" means you have to accommodate an automated way for a person to request their information to be removed.
Slide 21: Data Protection Officers were highly recommended. They can be outsourced.
You must have a privacy impact assessment program for any "high risk to rights and freedoms" from processing and may be required to consult with your regulator.
A lot of this "High risk" data is usually surrounded around genetic and bio metric data - not too common for B2B marketing.
Slide 23: Breach notification standards: 72 hours after awareness
Slide 26: You can be asked for your data inventory by regulators of GDPR. You have to have it unless you're under 250 people.
Slide 31: Great slide to help you start listing all the buckets your data goes into and all the sources it comes from. (Ex. Content Syndication, Integrate, Marketo, Datafox, Ringlead, SFDC, BrightTalk/GotToWebinar, etc.)
Slide 37: Provides a mock up of how you would map out data collection, storage, access, and transfer within excel. Again, this company also has a tool to do this. You can basically take a survey and it fills it out for you. However, I suggest you have a DPO, or legal, or a compliance officer review and add detail.
Slide 39: Data Mapping - can be really simple, and not even required. You just need it documented in some fashion.
Slide 47: DPIAs are required for controllers, PIAs are required for processors.
Slide 51: Something I didn't think about before, notifications of stolen laptops/company phones needs to also go to the DPO, or person that handles privacy policy.
SUMMARY:
Document everything about the data you collect, access, use, store, and transfer. I think that's a tough project to start and probably best to have your C-Level start with reviewing and understanding GDPR - then have a person in charge of documentation. Then, that person then contacts the head of every department in the organization, and so on until every employee submits their version of data processing. Then it's collected and reviewed by the person in charge of documentation.
I am no expert, and please don't take counsel from me. 
I'm just sharing information I collected from a workshop.
Tagging Groups where I've seen interest on this topic: Champion Program Houston User Group
A couple of things that are important to understand about the GDPR:
- The text is a Regulation and not a Directive (as the previous 1995 was). This means that it applies as is to every EU country (including the UK, that has announced they will comply to it even after the Brexit) and does not require any transposition in local laws and adaptations by each country's parliament
- The text is still quite vague on some aspects. For instance, the hierarchy of motives for using private data and in which case they apply or don't is not very clear. The Regulation says that in some case, a "legitimate interest" can be invoked, provided that this legitimate interest does not breach any fundamental right of the person whose data is processed. But the "Legitimate Interest" itself is not defined. This means that we will probably have to wait a few years before some lawsuits are completed and jurisprudence clarifies some points, if it ever does
- Local regulators (such as CNIL in France) are gathering to publish explanatory notices on a regular basis. These notices are discussed and harmonised across all the countries. Most of the notices that have been published so far are quite broad and do apply especially to Marketing activities and even less to B2B Marketing. We probably will have to wait until after May 2018 to get all these notices published.
-Greg
.png)