So, Stefan, welcome to this session, how are you doing?

Yeah, thanks Martin, doing well, thanks very much for having me.

So, today Stefan is going to highlight some of the work Blackboard have done around implementing GDPR for Blackboard, but also, I think as part of that, just do some general awareness raising around GDPR and some hopefully useful tips and guidance that you can apply to other aspects outside of Blackboard. Without further ado, I'll hand it over to you, Stefan.

Thanks very much Martin, and thanks everyone for joining. I mean, it's good to see that quite a few have decided to join this webinar over lunchtime. It's not necessarily an easily digestible topic, the GDPR, but I think many of you have seen this now in newspapers, and even my wife now knows what GDPR stands for. It doesn't mean she's interested in it yet, but at least that's the first step. So, I just want to quickly introduce myself before we go into the content, and as Martin mentioned, feel free to use the chat to ask any questions. I'll also make sure that I stop at some of the sections so you can ask some questions there, and obviously try to make sure we have some time at the end for any questions you may have. So, my name is Stefan Göring. I joined Blackboard almost a year ago as their global privacy officer. I'm not just responsible for the EU and the GDPR, but for data privacy compliance globally. I think it's not a coincidence that I'm based here in London; Blackboard wanted to hire someone here in the EU, or at least Europe, very much aware that obviously Europe is the epicentre of data privacy at the moment, and they wanted to have someone who understands the cultural background of data privacy, and not just someone in the US. As you can tell from the accent, I'm originally from Switzerland.
I've worked for a long time in front of the regional data protection authorities in Switzerland, in my last job there as a deputy data protection commissioner, and in that capacity I've also worked a lot with universities and schools to help make sure that they can comply with the data protection laws and help the individuals and their students. When I moved over to the UK 10 years ago, I first joined Barclays in a privacy role, and then later on moved over to Citigroup, also in financial services, and in my last role I was EMEA and Asia-Pacific Chief Privacy Officer at Citigroup before I moved over to Blackboard.

So what do we want to cover today? As Martin mentioned, I'm going to talk a little bit about the GDPR in general, but not too much, because I think most of you will by now, I feel, be familiar with the requirements; I'm not going to go through them in all detail. I just want to highlight a few things around why we think that data privacy is so important, and also explain a little bit, but not in too much detail, how we set up our program, because I think it can be helpful for others as well, and explain what we do that we think helps our clients. But I think the focus here, and I'm going to try to spend most of the time really on this, is first of all some implementation tips from our experience, and also showing how we translated some of the specific GDPR requirements into practice, because I think that's probably the most helpful for everyone on this webinar. I've also included some helpful resources in the appendix. I'm not sure, Martin, if you're going to share the slides later on, otherwise I can circulate them; what we normally do is we have a community webpage where we publish all our webinars and slides, so you can definitely find it there later.

So as mentioned, I'm not going to talk about all the GDPR requirements in all detail, but I think it's quite helpful to take a step back in terms of why do we have the GDPR at all? Why is there a new law?
And many of you will have been involved in that. There were long negotiations in Brussels around exactly how all the relevant provisions should look, but if you look at the driver behind this, it was that the EU Data Protection Directive that we have currently, which is implemented in the UK through the Data Protection Act 1998, was really getting a bit old in some aspects. And even though some of the principles were still good and usable and technology neutral, the regulators and the legislators really felt that we need to have a better approach, and their concern was mainly around the new technologies and new internet services, and they felt that particularly US internet services weren't able to be targeted. And if you look at this as the background, you understand quite a few of those massive changes that we see with the GDPR. I mean, first of all, the enormously big fining level of up to 4% of global turnover is a clear sign that anyone should really take data protection really, really seriously; it's not something you can just balance against other interests. And secondly, also, if you think about the extended territorial scope, there are now also organizations outside the EU that need to apply the GDPR if they offer products and services to EU residents; that's quite clearly aimed at the fact that some of the US companies so far have not had to be fully under the regulatory power of our data protection authorities here in the EU. And then if you think about the right to erasure, the right to data portability, these are all rights that are very much tailored for internet services, to make sure that obviously if you use a service on the internet you can delete data as required and you can port some of your data over to competitor services and you're not locked into a specific service.
I think that's quite important to keep in mind, and I think that's also what differentiates us and similar vendors from these kinds of companies, because we don't have a business model where we monetize data of users. We're using data that's provided by universities to make sure they can use our learning management systems, or tools like this one that we're using right now, Collaborate, the Ultra version, to make sure it has all the data that's required for it to work and for clients to make sure it works effectively. So that's a big difference, but like any other company that's based here in the EU or provides services here, we obviously need to make sure that we're compliant with the GDPR, and we take it very seriously.

So I wanted to talk about a few of what I call the GDPR myths and debunk some of them. We've seen these in conversation with clients; you can see those sometimes on the internet, LinkedIn, Twitter. And it's understandable, because there have been, first of all, quite a lot of developments as part of the GDPR and the legislative process around it. And also, I mean, the GDPR has some complex provisions and some provisions that are not absolutely clear. It's understandable that some of these myths have been appearing, but I think it's also important to really clarify what's fact versus fiction. The first one I want to talk about is consent, and quite often you hear that, well, with the new GDPR you need consent for everything, and that's just not true. The fact is that consent is one of several legal bases that you can use to legitimately use personal information or personal data. Other bases are, for example, if you need data for the performance of a contract, or if you need it for the legitimate interest of a company, if that interest is not outweighed by the interest of the individual.
And consent, quite frankly, is probably not the best legal basis to use for processing, because the bar for consent has become very, very high. So unless there's a really genuine free choice for an individual, a choice of that individual wouldn't be considered valid consent. So for example, this has been debated in the context of employment. If I as an employee need to use Blackboard's time management system and goals system, then I can't consent to that, because I need to use the systems; that's part and parcel of my employment here. So I don't really have a choice, and because I don't have a choice, consent is not really the right mechanism. I think that's very important to keep in mind, because it's not that different in the student context, where some of the students will be expected to use certain tools in the university and they don't really have a free choice. Again, consent from the students may not always be valid in those circumstances.

The second aspect I want to talk about is the breach notification period. The mandatory breach notifications are an important change from the GDPR, but there's been a lot of confusion around it, and it's only been recently that the Article 29 Working Party, the group of the European data protection authorities, has clarified that in a bit more detail in their guidance, because a lot of what we heard and what we saw in RFPs and contract negotiations was that clients tried to give us very, very short notification periods of 24 hours, and the reason why they did was that they thought, well, if I have 72 hours then obviously I need to know from a vendor very, very quickly so that I still have 48 hours myself to figure out what I need to do and so that I can inform the regulator.
But that assumption is wrong, and as mentioned, the Article 29 Working Party has clarified this. The fact is that we as a vendor, or any other vendor that you may have, would need to notify you without undue delay, and only once your vendor has notified you does the 72-hour period start, so that's when you become aware of that incident. So there's no need to bake in additional time for your vendors to notify within the 72 hours, because the 72 hours only really start once you are notified by your vendors or data processors. I think the other important thing to mention is that the GDPR also says that the notification should be made within 72 hours to the regulators where feasible, and I think that's quite important, because any of you that may have had already some experience with incidents will know it's very, very difficult to provide meaningful information within 72 hours, because a lot of the time in incidents there's little information that you have; you're still trying to figure out what's going on. And therefore I think many of the regulators, and the Information Commissioner's Office, have already acknowledged that there may be some initial information that you can provide, but it's quite likely that you need to provide more information later on.
Then the third myth I wanted to talk about is data transfers outside the EU, and this is something we hear a lot from our customers; it's a big concern, and I think there's also a bit of a misconception here, that many people think that it's just not possible to have data transferred outside of the EU, or only if the client can consent to each and every data transfer, and that's not correct. While the EU of course has very strict requirements around data transfer, with the idea that if data is being transferred outside of the EU all the rights and the obligations should follow that data so that an adequate level of data protection is ensured, this still means that it is possible to do so as long as the right mechanisms are in place. And I mean many of you will have heard there's the EU Privacy Shield mechanism that you have to be certified under; there are also so-called model clauses or standard contractual clauses that allow data to be transferred outside the EU; and there are binding corporate rules and other mechanisms. As long as these mechanisms are used, then it is possible and compliant to transfer data outside the EU, and that really helps with the whole compliance aspect of data transfer. We also have in our data processing addendum with the client a general instruction from the client, and that is normally sufficient to make sure that data can be processed by processors on behalf of their controllers. I'm going to talk a little bit more about data transfers in one of the later slides to explain our approach to data transfers in general a bit more.

The last myth I want to talk about is the right to be forgotten. We hear that very often, even internally from people who are implementing our requirements: does it mean we need to delete each and every piece of data from someone who requested it? And the answer is generally no, because the right to erasure, like many other rights, is not absolute, so as long as you as an institution have a legitimate reason why you need to
keep personal information about a student or about your staff, then you don't need to delete that data. You only really need to delete data if you have kept it too long and it's not required anymore, if for example it was based on consent and consent has been withdrawn, and some other factors; basically, when you don't have a legitimate reason to keep it anymore, then of course you have to delete it. As long as you still have a legitimate reason to keep it, then you don't need to delete it.

Okay, so one thing I also want to talk about a little bit is the importance of data privacy, because with the GDPR it's quite easy to look at everything you do from a negative angle and say, well, we need to do this because otherwise we're going to be fined 4% of global turnover or possibly 20 million euros, and I think that's obviously true, but we at Blackboard really look at this from a positive perspective. We think that first of all data privacy is a human right, so we as a good corporate citizen want to make sure that we have good data privacy practices, but we also think data privacy is a competitive advantage in today's environment, where a lot of people feel they have lost control over their data and there's a lot of uncertainty; I mean Facebook and Cambridge Analytica is one of the latest scandals. So we feel if we do the right thing and have good data privacy practices, that builds trust with our clients, that builds trust with our end users, and then obviously students will be much happier to use our tools and to share data with them, as they know they can trust us. So I think that's really one of the biggest intentions that we have to get this right. But of course there's also the negative case: there is reputational damage, there will be the fines, there will be the loss of trust, and there could be individual claims if you don't get it right, and that's one of the reasons... I'm not going to go through this slide in detail, you don't need to worry, it's just to
show that we really take this seriously, and data privacy is not just me as the global privacy officer; it's represented at each level of our institution. It's an important topic for the board; I'm regularly updating the audit committee of the board on our efforts, and just today I'm actually going to talk to the compliance committee again and brief them and make sure that they're comfortable with our approach and with the documentation that we're pulling together. And we also have, on the working level, a security council and my privacy program working group, where we're making sure we can drive all the privacy-related changes.

So I'm going to, sorry, I'm going to stop here just in case there are any questions from anyone; feel free to mention those in the chat or use the microphone option. It doesn't look like it, so I'm going to continue and just explain our program in a bit more detail, not in every detail. Silence is good, but I hope it's good.

Our approach is very much that, I mean, we have, and I particularly have, spent a lot of time obviously enhancing all the processes, but I think in many organizations you don't really start from zero. I mean data protection is not new; the principles have been in existence for a long time, so hopefully there's something good that you can build on. Just like we have a Privacy Shield certification, we have to make sure that we have really good contracts with our vendors and then the oversight etc., and you can build on all these good efforts in the past. And the approach we've taken with those three phases is quite a typical approach. I mean obviously you need to start with the information gathering, and we conducted I think 25 workshops last summer to make sure we fully understand how we process personal information, what kind of vendors we engage, what kind of systems and applications we use. And to be fair, for every company this is a very difficult process, and obviously in my two previous companies, Citigroup and Barclays, it has been an enormous effort to make sure that you understand the full picture of data processing. Then we moved on into phase two, which is really making sure that we write the internal privacy documentation that we're going to talk about in a little bit, and also making sure that we have an implementation work stream, to make sure that each functional area implements their required actions and that we do all the central aspects of rolling out training, making sure we have privacy by design and privacy impact assessments etc.

I'm including this slide because I think there are a few things in how we set up our governance that are quite helpful, and I think we wouldn't be at the point where we are now without that setup. I think the most important thing is on the right side: we decided from the start that in each area we need leads, we call them GDPR leads, who can help us with the implementation, with the information gathering, with completing those actions, and we've made them responsible for that. I think that's quite important, so we have people in our corporate areas like IT, HR, client support, finance etc., but also in all our product groups, who can help us with all the requirements of the GDPR, and that has been very, very important to drive through our changes and make sure that we're meeting GDPR requirements.

This slide is just giving a brief overview of the envisaged end state of the program, some of the key aspects of our program, and I'm not going to go through it in detail, but we're going to talk a lot about them: around documentation, what we're changing documentation-wise, both internally, the internal standards, as well as externally, like our privacy statement or policy; what we're changing in terms of systems, and also processes regarding privacy by design; and also what we do in terms of how we change areas around people, making sure we have the right governance in place, rolling out enhanced training, and obviously making sure
that we also can review our own state of compliance on a regular basis.

So this is a typical slide that I use in meetings with our clients, and this is the nice overview: we have various aspects where we really can help our clients, and I'm going to talk about two of them, and some of the other areas we're going to talk about as part of the tips a bit later on. We obviously need to make sure we have GDPR-ready products; we're going to talk about that. Privacy by design is very important, so that going forward we have a good process to make sure that privacy is considered from the start in any kind of changes and product modifications. Data transfers, as we talked about, are a very important point, and we continue with what we call our multi-layered approach; I'm going to talk about that in a second a bit. We're also making sure that, from your perspective, you need to have a contract with us, so we have a GDPR-ready data processing addendum, and I'm going to talk about that a little bit in a second as well. Very important is of course that we also can manage our vendors, so that when we engage so-called sub-processors that help us provide the services to our clients, these vendors meet the same standards that we are expected to meet. And then security; we're going to talk about that in a second a little bit as well. Obviously we want to make sure that we continue to have good industry-standard controls and continue to enhance those. And last but not least, very important with the new mandatory breach notification requirement is that we, and I mean everyone really, need to have a good process so that if any kind of security incident happens we can respond to and react to it quickly; we're going to talk a little bit about that as well.

So the two things I wanted to highlight just very quickly, and the other aspects as mentioned I'm going to touch on later in the tips and implementation approach: the first one is around data transfers. I mentioned we
are Privacy Shield certified and we have the so-called model clauses or data transfer agreement in place, but I think there are two things. First of all, we always convey the message that it's okay to have data moving out to the US as long as the data transfers are compliant, and we think that all these data localization requirements, or desires to keep data local, are not necessarily helpful, because we think quite often if you take a global approach where you have global vendors, then the security is actually stronger than if you have something localized under your own desk, because that's quite often less secure. So I think the idea that just because it's somewhere close to you it's more secure is quite often not correct. So that's why we try to also show that if you really want to use scalable offerings, not just from us but from many other big providers, that means that data has to move, but obviously you need to make sure that data moves compliantly. But on the other hand we also know that many clients, despite all of that, still want to have the data in the EU, and we want to respect that, and that's why we have a hosting strategy that's very much regional: for all EU clients we have all our main products hosted in EU environments, and we do the same in Asia-Pacific and the US etc.

So, security. I'm not going to go through this slide in all detail. I mean I work very, very closely with our chief information security officer and the security team, and we have been spending a lot of time enhancing our information security programs, and we have for example last year brought together the product security team and the corporate security team, which were separate before, and combined them into one big central security team, and that has helped us to really drive changes across the company in a much more effective way. We've worked on lots of
certifications in the US, for example the federal certifications, to make sure that we meet client expectations and continuously improve our security. But now I think I want to get to really the meat of the presentation; the webinar here is really around some of the tips in terms of implementation and explaining how we translated some of the requirements, but before we go into that I just also wanted to check if there are any questions in the chat before I move on.

Okay, very good. So the first two slides are really more tips on how you start up your program and project, so I hope that everyone by this time, about less than a month away from GDPR, already has these stages way behind them and is in the implementation of it. But just to highlight a few things, I think as mentioned it's very important to have a network of people who can support you; if you don't have that it's very, very hard to do this yourself, because it's hard to understand where all the data is, and it's hard to get things done if you don't have the support in the various functional departments.
Secondly, if you look at number four on the top of this slide, I think that has been very crucial for us, and I have to admit it was quite easy here at Blackboard because there was a very, very high commitment from senior management that GDPR and data privacy are very, very important and that they're going to support this. But quite frankly, in my previous companies it has been a bit harder, where obviously in financial services there are a lot of competing priorities, and making sure that you have your senior managers to help you and make sure that people understand the importance of GDPR, that you get the resources that you need, that you get the support from each area that you need, and that if things don't move forward as fast in certain areas as they should, because everyone is just busy and most of the people do this as a second or third or fourth role, you can make sure that your senior manager is going to help make this a priority so that they have time to do that. I think that's really, really key.

But what I wanted to focus on here is really some of the tips for the implementation phase that you can really use now in one of the last months, or if your program needs to continue longer than the 25th of May, over the next few months. I already mentioned that I think the most important thing really is to make sure that you're not the only responsible person, but you have people who support you, and that you have the department, and someone in the department, that is responsible for making sure that they implement all the GDPR requirements based on the requirements you or your colleagues defined. One important thing: I think the 25th of May is really just the beginning, from two points of view.
One is that first of all it's obviously important to make sure that you're GDPR compliant from the 25th of May, but then a lot of the important processes and documentation that have been created only really start to kick in: making sure that you do the data protection impact assessments where you need to, making sure that if you engage a new vendor all the required contracts are in there and that you're comfortable that they're meeting your security and privacy standards. That's all work that's going to start, if it hasn't started already, on the 25th of May, so a lot of work has probably happened so far in many organizations and many universities, but there's also a lot of work that will continue to happen under your data protection or legal team and otherwise. The second aspect of the 25th being the beginning is, and you may have seen that from the UK Information Commissioner, and we've seen that from other regulators like the French CNIL or the Belgian Privacy Commission, that our regulators recognize that many companies have worked hard on GDPR, but GDPR is really a big challenge, and they understand that many organizations will not be able to complete all the action plans fully by the 25th of May. Elizabeth Denham has said that very clearly in one of her recent newsletters and at the ICO conference recently, so I think that there will be some regulatory leniency for those who have first of all proved that they have action plans and they have been working on GDPR but may not have been able to finish everything, but obviously that leniency will not apply to people who just take a wait-and-see approach.
A few other key points from our experience and from discussions with clients and other privacy colleagues. I think the privacy statement, as the first one, is really important, because in the past, and maybe even now if you google around a little bit for privacy statements, they have been written by lawyers like myself, and quite often in legalese that is not very easily understandable. GDPR really doesn't accept this anymore, so the language should be much more clear and it should be plain, so that everyone should be able to understand what kind of data is being collected, how it is being used, who it is shared with. So I'm putting a lot of effort into making our privacy policy, which is already a decent privacy policy, much better and easily understandable. But at the same time the GDPR also requires that a lot of detail is included in the privacy statement or privacy policy, and that becomes difficult, because you want to make this a privacy statement that people are actually able to read, but at the same time you need to put in a lot of information. So I think what you see is a lot of companies, and we're trying to do the same, trying to take some kind of layered approach, where you can get some high-level information if you don't have much time, to understand the key points, and then if you want to understand a bit more there's more detail around. And I think that, going forward, will be the best practice standard: those who have more time and those who are interested in a lot of detail can find it, but generally you start with a shorter version that people can get through quickly and don't have to spend hours reading.
Training. Training and awareness is very important of course, but at the same time we receive quite a lot of client questionnaires on our GDPR readiness, and a lot of the questions are "will you have GDPR training?" And I think while it's important to have training that also explains the GDPR, I think it's much more important that your staff understand what they need to do than the specific GDPR requirements. I don't think it's very helpful to just have training that explains all the GDPR requirements; I think it's much more helpful if you tell your staff, or the students if you train them, how they can actually make this happen: what kind of processes do they need to follow if there's an incident, so that you can follow all the breach notification requirements; what do they need to do in their everyday life if they have a new project, or there's a new use of personal information that should be reviewed. That's much more important in my view than laying out all the detailed GDPR requirements, because quite frankly, as many of you will know from your experience, at the end of the training there are maybe 5 to 7 points that people take away. I think it's very important that those 5 to 7 points are actually points that people can take some action on, not just abstract GDPR requirements.

Then in terms of the data protection officer, that's obviously a key aspect for public authorities, and for private organisations as well if they meet certain requirements. I think it's important for universities and other institutions to remember that you can actually have one single DPO for several public authorities, which the Article 29 Working Party has clarified, as long as this makes sense based on the structure of the university, what kind of data is used etc., but it's a possibility, and that's maybe something where there could be some synergies.

Marketing, I think, is quite interesting, because you probably, just like I have, received lots
of emails from different organisations that ask you to re-consent or subscribe again to the various email newsletters that you receive, and this is quite interesting, and this is highly debated by the privacy community, because the marketing rules don't really change with GDPR; there's a specific different piece of legislation, it's called the ePrivacy Directive, and in the UK the PECR, that defines the requirements for sending unsolicited marketing. The change that we have is that, because the standard for consent becomes higher, a lot of people I guess start to doubt whether the consent they've had in the past is good enough to still be able to send email marketing, but it should really be, if you followed the ePrivacy Directive and PECR in the past.

I think one other important aspect is individual rights, because of two things on that. One, I think, is processes. We actually conducted a survey with some of the people on the privacy newsletter to see what they think, how many more individual rights requests they will receive, and most people said they think there's going to be an increase, but not a significant increase in those requests. But anyway, I think you need to have, as an institution, some kind of process so that you know, okay, who needs to look at this first, how do you make sure that you can find out where all the information is stored; for example if you have a learning management provider like us, how do you make sure you reach out to us so that we can support that as required. So those processes really need to be in place so you don't have to think about it when you receive those requests. The second aspect, I think, is around managing expectations. As I mentioned, a lot of these rights have limitations, there are exemptions; I think through the information that has been received a lot, there is a wrong expectation that some of these rights are absolute, and I think it's very important that when you train staff, when you explain the
rights to your students and other users, you make sure that they understand that while they have rights, these rights also have limitations, so that they're not getting disappointed and you don't have issues explaining that later on.

I think one of the things that many organisations grapple with are legacy issues. With legacy issues I really mean things that you should have done in the past but that are really hard to accomplish. A typical example is records management: many organisations aren't very good at records management, and it's very difficult to make sure that you only keep data as long as required and delete it when you no longer need it. It's similar with security. It's very hard in smaller organisations to make sure that you have a consistent approach, that people don't use unapproved tools like SurveyMonkey for personal information, and that people don't use USB sticks if they're not encrypted. That's easier if you're in a bigger organisation like us, but it's still challenging. And obviously, while the GDPR doesn't really change these principles, there's an increased focus on that. We talked about the possible regulatory leniency about some of the new GDPR requirements; the ICO and other regulators will not be understanding if you're not complying with these, because they are not new requirements but requirements that should have been in place for a long time.

And then the last one, and that's really a challenge for everyone, is to stay abreast of what's going on. If you're purely UK based it's a bit easier, because the UK Information Commissioner is doing a fantastic job of making sure there's information available that explains the simple steps of what you need to do, and also constantly updates the information about the GDPR requirements. So if you're UK based, like I think most of you, that should really be your first port of call, because there's so much
helpful information there.

So I'll stop there quickly in terms of any questions. I think, Martin, you have a chat going on, but I don't think there are any questions for me so far.

No, I don't think there were any questions, so feel free to continue.

Thank you, Martin. So in this next section I want to talk a little bit about how we translated some of the GDPR requirements into practice, because quite a lot of them are at quite a high level, and then it's really up to the organisation to break this down into manageable and actionable steps that you can actually accomplish.

The first one is around internal documentation. There's a GDPR requirement around having data protection policies in place, and there's some coverage that this is proportionate in relation to the processing activities, but obviously if you process a lot of student data then you would likely be expected to have some internal policies as well, making sure that you define how you will treat that data from a privacy perspective. There should also be some standards around records management. We have quite detailed standards, because obviously we have a lot of information that we treat on behalf of our clients. We also have a dedicated client data standard, and we have standards around the privacy by design approach, how we deal with marketing, how we deal with individual rights, HR, etc. So we have those detailed standards, but I think the important thing here is also that this really depends on your organisation, a bit about what detail you need and how you actually phrase them. We have some really good templates from external counsel that we're using, but we also spent a lot of time to break that down and be very, very specific. I'll give you an example on our vendor standard. It was a really good vendor standard template that we received, but it was very generic regarding the requirement to obviously have a process in place to make sure that you do the diligence, and we just took that and changed it quite dramatically
just to basically tie it back to our vendor procurement process, making sure that people follow the vendor procurement process. Then we made sure that in the vendor procurement process we had all the necessary controls and documentation embedded, so that as long as people follow the normal vendor process, almost automatically all the necessary privacy steps will be followed.

Privacy by design: I think that's my favourite area in all the implementation activities that we implement, because that's really where you can make sure that going forward the GDPR implementation hasn't been a one-off, but that actually all the new vendors that you are engaging with, all the new systems that you're using, any kind of new personal data, is reviewed, and really make sure that it's done in a way that minimises the impact on the privacy of individuals and meets all the privacy requirements. We combined this with the data protection impact assessment, because we really think that these two things fit together and should work hand in hand. So the process that we developed is that we made sure that in all our change processes, and through what we call data privacy champions, the people on the ground, we can make sure that if there's a material change in how we process personal information, then there's a privacy by design checklist that needs to be completed. If it's high risk we do the full data protection impact assessment, as is of course required by the GDPR, but even if it's not high risk we want to make sure that we complete the checklist, so that we have documented how we deal with it, how we minimise the risk and how we meet all the privacy requirements, as our best practice. This is not completely new for us; we've done this kind of legal review for a long time. It's now much more formal and much better documented, but in many areas it's also going to be a long piece of work to get that fully
embedded and automated, and making sure this happens all the time, like in many organisations. So I think that's why I say that the 25th of May is really the start of continuing to educate people that they need to do this, explaining to them how to do it, and supporting them with all of that. That's going to be a lot of work, I expect, in the second half of this year for myself.

I mentioned that we obviously made changes to various products, like the one we're using now, Collaborate Ultra, to make sure that we can help our clients be compliant themselves, because obviously everyone needs to make sure that they have sufficient guarantees that those providing products and processing personal information meet the GDPR requirements. We're making changes, for example, where we have products with user interfaces, so that clients can actually include their own privacy policy or statement linked to that. We did a lot of work in reviewing our systems for data fields that we think could be unnecessary, or that could be made optional, or where there's an opportunity to use pseudonymous or anonymous data rather than fully identifying information. The key part of it is also, of course, making sure that if a client like you, or an institution that uses our products, has a request from an individual regarding access to data, correcting it, deleting it, or a data portability request, we can actually help with that if it pertains to data that's in our product. Again, we did this based on some really good guidance that we had from external counsel, but again that was quite legal, so we spent a lot of time, and had various workshops with our product development and management team, to make sure we broke this down into good product requirements across the board. Then we took these general product requirements, really looked at each product, and implemented the specific actions for each product to make sure that they can meet those requirements.
One of the key requirements of the GDPR is that you as a data controller, your institution, need to have a data processing agreement or contract in place with your vendors as data processors, to make sure that some of the requirements are documented specifically and then detailed in a contract. The requirement to have a contract in place is not new and, to be honest, lots of these requirements that you see listed here on the slide (we're not going to go through all of them) are really requirements that we've had in the past as best practice. For example, that staff of your vendor need to sign a confidentiality agreement has been standard practice for a long time, as has the need to have appropriate security measures. But some of the elements that you may not have seen in the past as much are things like helping with breach notification, which is a new requirement, and things like the data protection impact assessment. So we already updated the data processing addendum last July to make sure that this is fully ready for GDPR, and we have been using that for standard contracts. Obviously, in some cases we also have specifically negotiated contracts with our vendors. It's important that with your vendors you have the right contract in place; that's quite an easy fix. I think the difficulty is more to understand who all your vendors are. That's sometimes a bit of a challenge, but the good news for you is that having such an agreement in place is not just your requirement as a data controller, it's also the requirement of your data processors, so they will have an interest in helping you make sure that you have a contract in place with all these points between you and them.
Talking about vendors, what I've seen in the process is that quite often the relationship with vendors is mainly focused on contracts. That's obviously an important aspect of it, but particularly with the GDPR it's quite clear that there needs to be more than just a contract in place. You need to be comfortable that your vendor is meeting all the requirements that are promised in the contract, and to do some kind of vendor due diligence. We have received, as mentioned, quite a few vendor questionnaires from our clients, and continue to do so. We do the same with our vendors: any new vendors need to complete a vendor security assessment questionnaire with some privacy questions, and we also started a project to send existing vendors questions around how their systems meet the GDPR requirements. I think it's important that you get comfort that your vendors can meet all these requirements, and that you also understand if they can't meet them, so you can make the right decisions about whether that's something the vendor can maybe address in the future, or whether that's something that's important to you and you may have to look for an alternative. So we have these vendor security assessment questionnaires, and we have a defined vendor risk management programme. This is something that we have only really formalised in more detail recently, and from my experience I know this is very, very difficult in many organisations, because there may not always be a central procurement and vendor process. But I think it's really key to understand who your vendors are, so you can have the right contract in place. So while this may not be a specific GDPR requirement, I think this is one of the aspects where you will really struggle to meet the GDPR requirements if you don't have a good vendor and procurement process in place, where all of this information is managed and handled centrally.
I think this is the last slide I want to talk about, and again this is just to mention that, in terms of the new mandatory breach notification, it's really important that you have a process in place. This shouldn't just be a document that you have come up with and written down; it really should be something that you have already tested, or that you start testing, with some tabletop exercises and fictitious examples. I think it's important that you do this on a regular basis, that you have these tabletop exercises where you can understand: how would we get that information if we needed it, who would we need to engage if, for example, someone hacked database X or system X, how would we react and engage with any other parties that we need to engage, how would we inform the UK Information Commissioner? If you have gone through that, and do it on a regular basis, then you can be comfortable that should something really happen, you're well prepared. Because if something happens, you're not going to have time to think about and develop your approach, so you really have to have this approach ready for that worst case scenario.

So, as mentioned, I have more resources in the appendix, and I'm happy to share those slides afterwards with you, Martin, and you can put those on the website. Obviously I'm very happy to take any questions. One thing I just want to quickly mention, and you have the links on the slide, is that we have produced a GDPR white paper which provides a bit more information on many of these things I've talked about. We also have, and that's really for you if you're using Blackboard, a data privacy and security group where we provide regular updates, and we also have a Blackboard data privacy newsletter. That's not exclusive to our clients; we use that to provide updates generally in terms of what's happening legally and regulatory-wise, but also obviously what we are doing in terms of GDPR and all the data privacy efforts. If you're interested, just
send me an email at the email address that you see on the screen and I'll add you to the distribution list for that. So I'll stop here, if there are any questions that you have based on all the slides that I went through.

Thanks for that, Stefan. That was a fascinating overview of GDPR, and I think some very useful guidance and tips for people. If anyone has a question, please raise your hand and you can use the microphone, or you can enter something into the chat. While people are perhaps thinking, Patrice is saying nice to have an international review, so I agree. One of the questions I had was: you mentioned consent is one of the areas of GDPR. I was wondering how recording consent is integrated within different Blackboard products, or is it very much reliant on the institution to gain consent at enrolment or registration? How is that working out?

That's a great question. Maybe I'll take a step back. Very much at the core of this is the whole data controller and data processor relationship; I should have maybe explained that in a bit more detail for those who are not absolutely familiar with it. The data controller is basically the organisation that determines how personal information is used, and the data processor is the organisation that just follows the instructions and really uses and processes that personal information on behalf of the data controller. That's obviously a very black and white concept, and there are lots of greys in between, but generally for all our products we are the data processor: we provide them to our clients and follow their instructions on how exactly they want to set it up, and they decide what kind of personal information students provide through that. So the consent requirement is really one for our clients and universities to obtain. We have not focused a lot on consent, because we think that when universities actually use our systems it will very, very rarely be on a voluntary basis where there is that free choice; it will be something that students will have to use. So
we obviously leave it to the clients; they can still get the consent, but we didn't build it in as a systematic capability into our products, because we think many institutions will come to the determination that consent is probably not the best basis on which to legitimately process information if they use a vendor like Blackboard and systems like Collaborate or Learn or Moodlerooms, the stuff you're providing.

So as part of that, do you end up producing a standard statement that your clients could use, or was it very much up to them to decide how they would implement that?

Yes. So what we're doing for our products is that we're providing the ability to include the privacy policy as part of the login, as well as in the system where there's a user interface. We are very happy to help any clients, but obviously I think it's quite difficult for us to provide that. We were actually thinking about whether we could provide some kind of standard guides and all of this, but I think the difficulty here is that, from our experience, it really depends client by client how exactly they use systems and what kind of systems they use. So it's very hard to provide something to our clients that would really meet client expectations, be meaningful and also be helpful. So we decided not to provide something, but obviously we're very keen to support our clients, and we've been helping lots of clients not just with getting contracts in place but also with the questions they may have, where we can help with our privacy experience.

Thanks for that. Are there any questions from our participants? So I suppose another question, perhaps, from your position, Stefan: we are less than a month away now, and I know you mentioned the fact that the ICO is perhaps going to be lenient in certain aspects of GDPR. Institutions have started working on this area, but what's your sense of how prepared the sector is for GDPR? I know some of the participants in the webinar have already had local
training in their institutions. What's your view, perhaps with the ability to look across the sector?

Yeah, so that's a bit of a tricky question. I'm just going to explain based on my experience in discussions with the various clients that we have. I think a lot in the education sector struggle with being fully prepared by the 25th of May. I know we had lots of interactions with our clients in terms of getting contracts in place, but obviously that's only one aspect. But I think it's not just the education sector. If you look at all the studies that come out, I think it's almost half of small and medium-sized enterprises that are not aware of GDPR. Just ask your local dentist or GP what they're doing about GDPR. This is an enormous challenge for these kinds of small organisations, and some of them have very, very sensitive data. I think a lot of sectors struggle to get that in place, and to be honest, even what I hear from my colleagues in really, really big organisations is that the challenges are slightly different, because of the sheer number of vendors that need to be engaged; it's just the scope and the scale that makes it very, very challenging. And when you go to these privacy events, there are many law firm partners who say that there will be very, very few companies that are fully 100% compliant, and that's fair to say. So I think that's a general trend across the various sectors, and while most responsible vendors like us are really working hard to get everything done by the 25th of May, I think there will also be a lot of organisations, particularly the smaller organisations and companies, that will find it very, very hard to meet that target date.

Well, hopefully we've set up some people along the way to be a lot more prepared for the 25th of May. I'm conscious of time, so I'd like us all to thank Stefan for taking the
time to share his experience and insight into GDPR. So, if you could show some applause or happy faces.

Thanks very much, Martin, and thanks for the opportunity to speak here, and to everyone for attending. I'm always happy to do that, and good luck with your GDPR implementation if you're working on it. I know how hard it is for everyone, so you have all my sympathy and empathy. And for all I said about regulatory leniency, I mean we are not lenient, and no one should be lenient; everyone should work very hard to get everything in place by the 25th of May. So good luck, everyone.

Thanks for that.