This is the introductory slide deck for the joint event by the legal hackers (Brussels chapter) and the Belgian data scientists on 1 August 2017. The aim was mainly to introduce the session where everybody could ask questions and those with the answers could give them. The event's page is here: https://www.meetup.com/Brussels-Legal-Hackers/events/241266134/ The event's message board is here: https://www.meetup.com/Brussels-Legal-Hackers/messages/boards/thread/51045002 A second session is planned for 5 September 2017 at Digityser in Brussels.

3. ONE DOESN’T JUST… IMPLEMENT GDPR

4. WHAT IS IT LIKE?

5. COMMON GOAL
•SUPPORT THE BUSINESS IN HANDLING AND USING (PERSONAL) DATA
•“RESPONSABLY”,
•LIKE A “GOOD HEAD OF THE FAMILY”,
•IN LINE WITH THE STATE-OF-THE-ART AND THE LAW

6. SHOULD WE REINVENT THE WHEEL?

7. TO WIN / FINISH THE TOUR…

8. https://datasciencebe.com
https://www.facebook.com/Datasciencebe/
https://www.youtube.com/channel/UCUBG
Yn2sbKzVITW7y9D8dlQ
https://www.meetup.com/Data-Science-
Community-Meetup/
@DataScienceBe
Mission: educate, inspire, empower
scholars & experts to apply
#datascience to address humanity’s
grand challenges

10. Bien
Venue

12. CHATHAM HOUSE RULE
• THE CHATHAM HOUSE RULE ORIGINATED AT CHATHAM HOUSE WITH THE AIM OF PROVIDING ANONYMITY TO
SPEAKERS AND TO ENCOURAGE OPENNESS AND THE SHARING OF INFORMATION. IT IS NOW USED
THROUGHOUT THE WORLD AS AN AID TO FREE DISCUSSION.
• THE CHATHAM HOUSE RULE READS AS FOLLOWS:
•WHEN A MEETING, OR PART THEREOF, IS HELD UNDER THE CHATHAM
HOUSE RULE, PARTICIPANTS ARE FREE TO USE THE INFORMATION
RECEIVED, BUT NEITHER THE IDENTITY NOR THE AFFILIATION OF THE
SPEAKER(S), NOR THAT OF ANY OTHER PARTICIPANT, MAY BE REVEALED.
https://en.wikipedia.org/wiki/Chatham_House_Rule

13. STAND UP Q&A

14. DIVIDE AND CONQUER

15. QUESTIONS…
• RAISE QUESTIONS
• DID ANYONE PREPARE A PRESENTATION FOR HIS / HER QUESTION?
• QUESTIONS CAN BE LEGAL, TECHNICAL, ORGANISATIONAL, PRACTICAL,…
• QUESTIONS OF PEOPLE A BIT FURTHER FROM A PRACTICAL IMPLEMENTATION MAY SHED A FRESH LIGHT
ON THINGS.

16. … & ANSWERS
• WE HOPE WE HAVE GATHERED ALL TYPES OF SKILLS IN THE ROOM TO FIND THE ANSWERS.
• ANSWERS CAN BE
• A CLEAR VIEW ON THE THEORY,
• POTENTIAL TOOLING,
• TEMPLATES OR (ANONYMISED) EXAMPLES,
• …
• ANSWERS ARE NOT ADVICE , JUST A BEST EFFORT NUDGE IN A (GOOD) DIRECTION.

17. TALLY UP
KNOWLEDGE
• LAW
• DATA SCIENCE
• DATA GOVERNANCE
• BUSINESS INTELLIGENCE
• MARKETING
• HUMAN RESOURCES
• TOOLING
EXPERIENCE
• PROJECT LEAD
• EXPERT
• DATA STEWARD / IMPACTED BUSINESS
• COMPLAINTS HANDLING / DS RIGHTS

18. TALLY UP
SIZE
• ONE MAN
• SME
• LARGE COMPANY
• GROUP
• AFFILIATE
• (REGIONAL) TOP
SECTOR
• LOW ON (PERSONAL) DATA
• MANUFACTURNING
• IOT PRODUCTS
• DATA GOVERNANCE TOOLING
• BIG DATA MANAGEMENT TOOLING
• HIGH ON (PERONSONAL) DATA
• PROCESSOR
• CLOUDSERVICES
• MARKETING AGENCY
• R&S AGENCY
• PAYROLL AGENCY
• CONSULTANCY
• CONTROLLER
• DATA BROKERAGE
• HEALTH
• FINANCE
• R&S COMPANY (“INTERIM”)

19. TALLY UP
SYSTEMS
• NO LEGACY SYSTEMS
• WORKING WITH STANDARD SYSTEMS
• SYSTEMS SOMEWHAT CUSTOMIZED
• CORE SYSTEMS ARE CUSTOMIZED (= ”LEGACY”)
• CLOUD
• ALL CLOUD PRODUCTS
• SOME CLOUD PRODUCTS
• NO CLOUD PRODUCTS
PROFIT
• NOT-FOR-PROFIT
• GOVERNMENT
• ASSOCIATION
• FOR PROFIT
• COMMERCIAL ENTERPRISE
• COMMERCIAL CORPORATION

20. TIME MANAGEMENT
18:30 Welcome and introduction … that’s where we are now
19:00 Break-out 1 A:
B:
19:45 Break + switch Central stage - bar
20:00 Break–out 2 A:
B:
20:40 Re-assemble and short debrief (max. 5’ per BO) Central stage
21:15 The floor is open Central stage - bar

21. SUGGESTION 1
1 2
A GDPR supporting tooling GDPR in SMEs
B GDPR and public information GDPR in the Business as Usual

22. SUGGESTION 2
1 2
A
B

23. SUGGESTION 3
1 2
A
B

24. PARTICIPATE
• ASK QUESTIONS
• ANSWER QUESTIONS WHERE YOU CAN

25. AVOID SYMANTIC DISCUSSIONS
• TRY TO USE OR LINK TO THE DEFINITIONS IN THE GDPR
• TRY TO CONNECT LANGUAGES: EXPLAIN TERMS (IN SHORT)

26. KEEP IT PRACTICAL
• DOES NOT MEAN: DON’T ABIDE THE LAW, OR PUT IT ASIDE,…
• IF RISK TAKING IS INVOLVED, MENTION IT
• TRY TO BE CONCRETE
• WHAT TOOL CAN YOU USE?
• WHAT ARE SPECIFIC STEPS?
• ….
• AVOID (PURELY) THEORETICAL QUESTIONS / ANDWERS

27. TRY TO GET FACTS STRAIGHT
• IF SOMETHING CAN BE CHECKED OR EXPRESSED OBJECTIVELY, DO IT
• USE THE TEXT OF THE GDPR
• CHECK IT ON THE INTERNET (WITH CARE)
• …

28. BINDING INTERPRETATION OF THE LAW
• EUROPEAN COURT OF JUSTICE : IS NOT HELPFUL SINCE ONLY AVAILABLE IN 3-5 YEARS AT BEST
• EUROPEAN LEGISLATOR (INTERPRETATIVE LAW): UNLIKELY
• NOT (BUT TO BE TAKEN INTO ACCOUNT DUE TO ENFORCEMENT MECHANISM)
• SINGLE EUROPEAN MEMBER OF THE LEGISLATOR (COMMISSION, PARLIAMENT, COUNCIL)
• ARTICLE 29 WORKING PARTY / EUROPEAN DATA PROTECTION BOARD
• NATIONAL DATA PROTECTION AUTHORITY

29. BE OPEN TO DIFFERENT OPINIONS

31. KEEP THE DISCUSSION RELEVANT
• AIM: GET A SPECIFIC ANSWER TO A SPECIFIC QUESTION
• STAY ON TARGET
• PERHAPS PARK SOME (SUB)QUESTIONS OR DISCUSSION TO RESEARCH A BIT FURTHER OR TO OUTSIDE OF THE
GROUP (TO LATER BRING IT BACK IN)
• WHEN SPEAKING TRY TO BE ON POINT AND CONCISE, BUT EXPLAIN TERMS AND ANSWER QUESTIONS IF NEED BE
• DON’T DRAG DISCUSSIONS
• SOMETIMES THERE IS NO SINGLE CORRECT ANSWER (E.G. IN TERMS OF RISK APPROACH)
• CHECK RELEVANCE REGULARLY

32. GAMESTORMING SUGGESTION
Every seven mintues, you can be Commodus

33. LEARN
• LISTEN TO WHAT OTHERS (HAVE TO) SAY
• A DIFFERENT APPROACH MAY BE USEFUL JUST AS A BENCHMARK
• ASK QUESTIONS IF YOU DON’T UNDERSTAND SOMETHING, BUT LET PEOPLE FINISH THEIR REASONING IF
POSSIBLE, SO WRITE DOWN FOLLOW UP QUESTIONS

35. HAVE FUN

36. TIME MANAGEMENT
18:30 Welcome and introduction … that’s where we are now
19:00 Break-out 1 A:
B:
19:45 Break + switch Central stage - bar
20:00 Break–out 2 A:
B:
20:40 Re-assemble and short debrief (max. 5’ per BO) Central stage
21:15 The floor is open Central stage - bar

39. RISK
MANAGEMENT

40. RISK
APPROACHImpact
Likelihood
Share
Accept
Avoid
Mitigate
High
High
Low
Low
Impact
Likelihood
Mitigate
Cont. monitoring
Share
Accept
Per. monitoring
Mitigate
Cont. review
Avoid
Mitigate
Per. Review
High
High
Low
Low

41. Whatwecomprehend
What there is to know
What we
don’t know
we know
What we
know we
know
What we
don’t know
we don’t
know
What we
know we
don’t know
Unknown
Unknown
Known
Known
FOCUS

42. GDPR - NEW
• PROCESSOR NOW ALSO AN ADDRESSEE
• ORGANISATION
• ”ACCOUNTABILITY” (REVERSAL OF THE BURDEN OF PROOF), CONCRETE
• PROCESSING REGISTER (AND RISK REGISTER)
• PRIVACY IMPACT ASSESSMENT (“PIA”)
• PRIVACY BY DESIGN AND PRIVACY BY DEFAULT
• DATA PROTECTION OFFICER
• ACKNOWLEDGEMENT OF “FRAME”-MECHANISMS: CERTIFICATIONS, CODES OF CONDUCT,
BINDING CORPORATE RULES,…
• INCIDENT MANAGEMENT AND DATA BREACH NOTIFICATION
• RIGHTS OF INDIVIDUAL ARE INCREASED AND FURTHER ELABORATED
• ENFORCEMENT
• ADMINISTRATIVE FINES UNIVERSAL AND UNIFORM
• COLLECTIVE ACTIONS OF INDIVIDUALS UNIVERSAL AND UNIFORM

43. Control
Data
Subject
Processing personal data
Data
Controller
Data
processor
Finality Legitimacy
Transparency Organisation
proportional
End-to-end

44. Environment
Physical
Human
Device
Application
Repository
Carrier
Risk Assessment
Risk Decision
Controls
Incident
Management
Changes
• In the regulatory environment
• In processes
• In people (JLT)
• In technology
Network
Data
3rd Parties
• 1st line
• 2nd line
• 3rd line
• Impact
• Probability
• Avoid
• Mitigate
• Share
• Accept

45. 47
Firm
Svc P
group
entities
Vendor
SC
MSA
Client Client ClientClientClient
Svc P
Client
Client
Client
Client
Client
Client
Client
GROUP