privacy by design @ pan net · pdf filedata privacy, legal affairs & compliance (dlc)...

23
Privacy by design @ Pan Net Frank Wagner, VP Business, Services & Infrastructure Deutsche Telekom Group Privacy

Upload: duongtruc

Post on 18-Mar-2018

215 views

Category:

Documents


1 download

TRANSCRIPT

Page 1: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

Privacy by design @ Pan Net

Frank Wagner, VP Business, Services & Infrastructure Deutsche Telekom Group Privacy

Page 2: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

DATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION

Service Headquarters Key:

Service

Headquarters

Board Member Support Antitrust Law (GPRA) V DLC

Group Criminal

Law

Group Compliance Management

Group Security

Governance

Group Headquarters

Legal

Group Privacy

Group Legal Service

Group Security Services

10.03.2017 2 Privacy by design @ Pan Net

Page 3: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

Strategic Framework

GROUP PRIVACY ORGANIZATION

Organization

Compete – Transform – Innovate

Innovation by cooperation

Our goal: Privacy is an integrated part of the brand Telekom Our mission: Creating areas of trust!

Top Excellence

Trust Simplicity

Privacy by Design

Group Privacy

Security

Board / GHS-

Units

Councils

Associations and

Regulators

Operating Units

Internal & External Interfaces

International

Privacy

Organization

10.03.2017 3 Privacy by design @ Pan Net

INT. PRIVACY LEADERSHIP MEETING (IPLM) MANAGEMENT JOUR FIXE GROUP PRIVACY

PRIVACY OFFICERS INTERNATIONAL

BUSINESS UNITS/ SUBSIDIARIES

EMPLOYEES, COMMUNI-CATIONS &

AWARENESS (Kluin)

CONSUMER, PRODUCTS & PARTNERING

(Eichhorn)

BUSINESS, SERVICES &

INFRA-STRUCTURE

(Wagner)

STRATEGY & STEERING

(Lichtenberg)

PRIVACY BRIDGEHEADS

PRIVACY COORDINATORS

PRIVACY AUDITS &

PROCESSES (Schrief)

GROUP PRIVACY – GROUP DATA PRIVACY OFFICER (DR. ULMER)

Page 4: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

Privacy by design principles

1) Proactive not reactive

2) Privacy as Default

3) Privacy embedded into design

4) Full functionality – positive sum, not zero-sum

5) End-to-end-security - lifecycle protection

6) Visibility and Transparency

7) Respect for User Privacy

Creating areas of trust !

10.03.2017 4 Privacy by design @ Pan Net

Page 5: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

basic prerequisite: early involvement

10.03.2017 5 Privacy by design @ Pan Net

Page 6: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

Softwareentwicklung

idea plan build run

feasibility study design develop run

product backlog multiple sprint

backlogs

(final) product

run

waterfall:

agile (scrum):

10.03.2017 6 Privacy by design @ Pan Net

Page 7: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

Softwareentwicklung:

feasibility study

gate design gate develop gate Betrieb

waterfall:

product backlog gate (multiple)

sprint backlogs

(final) product

gate run

agile (scrum):

Evaluation of business model, first fundamental requirements

Approval, probably under conditions, action plan

Evaluation of design, final requirements

Approval, probably under conditions, action plan

Evaluation of business model, ideally final requirements

10.03.2017 7 Privacy by design @ Pan Net

Page 8: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

Privacy & Security Assessment (PSA) PSA category

Category regarding security

Cat

egor

y re

gard

ing

data

pr

ivac

y

A project Involvement of a Chief Privacy

Officer in the project

B project Simplified process, support as

required

C project Project is not

relevant to data privacy

A project Involvement of a project

security manager in the project

B project

Simplified process, support as required

C project

Project is not relevant to security

Self-declaration and individual release by GPR and/or GIS

Self-declaration or assessment by

local DS/Sec. Mgmt.

Spot check by GBR or GIS

10.03.2017 8 Privacy by design @ Pan Net

Page 9: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

Privacy & Security Assessment (PSA) PSA category C

Idea Feasibility Design Implement. Live operation

A projects: Consultation/review by GIS

B projects: Self-assessment (+ review)

C projects: Irrelevant

Dat

a pr

ivac

y &

sec

urity

Spot checks by the Data Privacy, Legal Affairs, and Compliance Board department

Categorization (tool-based)

Self certification (specialist department)

10.03.2017 9 Privacy by design @ Pan Net

Page 10: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

Privacy & Security Assessment (PSA) PSA category B

Idea Feasibility Design Implement. Live operation

A projects: Consultation/review by GIS

B projects: Self-assessment (+ review)

C projects: Irrelevant

Dat

a pr

ivac

y &

sec

urity

Categorization (tool-based)

Self certification (specialist department)

If applicable, review by local Project Security Manager and local Chief Privacy Officer

Spot checks by the Data Privacy, Legal Affairs, and Compliance Board department

10.03.2017 10 Privacy by design @ Pan Net

Page 11: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

Privacy & Security Assessment (PSA) PSA category A

Idea Feasibility Design Implement. Live operation

A projects: Consultation/review by GIS Categorization (tool-based) B projects: Self-assessment (+ review) Self certification (specialist

department)

C projects: Irrelevant

GIS release

Sec

urity

Categorization (tool-based)

Idea Feasibility Design Implement. Live operation

Dat

a pr

ivac

y

A projects: Consultation/review by GPR

B projects: Self-assessment (+ review)

C projects: Irrelevant

Personal initial consultation, verification and validation of categorization

GPR framework approval based on test report from initial consultation

Reality checks through optional focus audits *)

Self certification (specialist department)

Confirmation of implementation by specialist department + GPR approval

*) Once a decision has been made by the CPO (Chief Privacy Officer), the focus audit can either take place before or after gate 3.

GPR – Group Privacy; GIS – Group IT Security

10.03.2017 11 Privacy by design @ Pan Net

Page 12: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

PAN IP STORY VIDEO

10.03.2017 12 Privacy by design @ Pan Net

Page 13: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

There are Many Privacy Challenges to be tackled

Terra Incognita

Complexity of Business and Production Model

new way of production agile SW development

cloudification virtualization

Participation of 10 – 13 NatCos -> 13 controlling parties

Differing national legal standards ->

Data Privacy Requirement

Alignment with all NatCos ->imple-

mentation in CFSS

High Level of Privacy

established and implemented within PAN IP

Collaboration and Steering

Privacy Ressources Project – Line Functions

Pan IP

10.03.2017 13 Privacy by design @ Pan Net

Page 14: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

Privacy Solution Bricks@PAN IP

Reporting

Roles&Responsibilities

Service Introduction Process (SIP)

Privacy Community

PRIVACY GOVERNANCE

CDPA Templates

CONTRACTUAL FRAMEWORK

Evaluation Business Model

Support Procurement

Area description – SDSK Structure, Approval Process Requirement Cascade

Requirement Alignment

Cycle – ICG Tool

PRIVACY ASSESSMENT

10.03.2017 14 Privacy by design @ Pan Net

Page 15: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

From Requirement collection to approval (Program)

DE

AT NL

AL

ME HU

GR

SK

MK PL

HR

RO

CZ

Project

Description

Requirement

collection: Req. due to country specific law

DE

AT NL

AL

ME HU

GR

SK

MK PL

HR

RO

CZ

Project

Consolidation of

requirements

Implementation

Documentation

Project

receive approval ,

when indicated: conditional

placing into operation

NatCo DPO NatCo DPO

identify and provide requirements from

local law perspective (ICG)

approval based on documentation

(SDSK) according to local law (ICG)

10.03.2017 15 Privacy by design @ Pan Net

Page 16: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

Requirement lifecycle

Im plementation of requirements in

project

3

NatCo specific requirements Specific requirements due to

national privacy law, defined by Data Privacy Officer

of each NatCo

2

Generic requirements Group specific, defined by GPR

Process to guarantee a consistent and adequately high data privacy level

1 5 c ons olidated NatCo

r eq uirements AL

ME HU

GR

SK

MK

PL

HR

RO

CZ

Product Fami l y Requi rement

I mplementat io n of r equir ements i n project

I mplementat io n of r equir ements i n project

I mplementat io n of r equir ements i n project

Product Family Requirement

I mplementat io n of r equir ements i n project

I mplementat io n of r equir ements i n project

I mplementat io n of r equir ements i n project

consolidated NatCo requirements

AL

ME HU

GR

SK

MK

PL

HR

RO

CZ

4a

Product (Family) Requirement

I m plementation o f requirements

i n project

I m plementation o f requirements

i n project

I m plementation o f requirements

i n project

4a

10.03.2017 16 Privacy by design @ Pan Net

Page 17: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

will gdpr make our life easier ?

Yes, but…

devil is always in detail:

ePrivacy

local law exemptions

privacy by design in finished solutions provided by vendors

10.03.2017 17 Privacy by design @ Pan Net

Page 18: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

thank you ! [email protected]

10.03.2017 18 Privacy by design @ Pan Net

Page 19: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

PanIP in a nutshell – privacy view

AL

ME HU

GR

SK

MK PL

HR

RO

CZ BDC

iOSS

Infastructure

Service 1

Service

2

Service

3

Service

Service …

Service

n

Pan Net SOC

KC OC

RO DE

FDC

Module PS

Module M Module N or T

AL

ME HU

GR

SK

MK PL

HR

RO

CZ

10.03.2017 19 Privacy by design @ Pan Net

Page 20: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

DE

AT NL

AL

ME HU

GR

SK

MK PL

HR

RO

CZ

Requirement Cascade

GPR

DPO

CPM

DPA

Implementation of requirements in

project

NatCo specific requirements Specific requirements due to

national privacy law, defined by Data Privacy Officer

of each NatCo

Generic requirements Group specific, defined by GPR

Process to guarantee a consistent and adequately high data privacy level

Initial

Consultation Guide

All NatCo local

requirement Sheet

Group

TOM/Greek TOM

10.03.2017 20 Privacy by design @ Pan Net

Page 21: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

Initial Consultation Guide ICG - Tool

10-13 NatCo versions per

Implementation Project

One ICG for each Implementation

Project with Privacy related information for DPO to check and contribute NatCo specific project related requirements Requirement Consolidation Tool

10.03.2017 21 Privacy by design @ Pan Net

Page 22: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

SDSK Structure PAN IP program Approval responsibilities

- INTERNAL -

Service … Service … Service 3

Dat

a C

ente

r (B

DC

& F

DC

)

Service 1 Service 2 Service … Applications & Virtual Network Function

Cloud Infrastructure & Management

Distribution Network

Physical Security/IT Workplace

SoC / OC - KC GSG/IT WP

Basis for all SDSK in Pan IP • Admittance and Access control

SDSK GPR NatCo DPO

NatCo DPO SDSK

NatCo DPO SDSK

SDSK for every service/application with a description of the technical and organizational measures: • Access

Authorization control

• Disclosure control • Input control • Job control • Availability control • Intended use control • Organizational

control

10.03.2017 22 Privacy by design @ Pan Net

Page 23: Privacy by design @ Pan Net · PDF fileDATA PRIVACY, LEGAL AFFAIRS & COMPLIANCE (DLC) ORGANIZATION Key: Headquarters Service e s Antitrust Law (GPRA) Board Member Support V DLC Group

Survey conducted by IfD Allensbach (Institut für Demoskopie), June 2014

DEUTSCHE TELEKOM CLEAR LEADER IN CUSTOMER TRUST

Which company do you consider to be trustworthy when it comes to dealing with personal data?

Alice

8%

Facebook

9%

Yahoo

11%

Google

15%

1 & 1

17%

O2

18%

Amazon

19%

E-Plus

21%

eBay

21%

GMX

21%

Web.de

23%

Vodafone

24%

Apple

24%

Microsoft

24%

Telekom

46%

10.03.2017 23 Privacy by design @ Pan Net