Hi everyone, my name is Yura Benzodak and I am an in-house counsel at Evolveum. We are from Slovakia and I'm really glad to be here with you today. Some notes at the beginning. We are Evolveum. We are working on an identity management system, which is open source, which is obvious, because otherwise we probably wouldn't be here. But we truly are confessors of an open source approach, and in the next few minutes I will show you why I consider an identity management system to be an appropriate solution for the GDPR. Disclaimer at the beginning: these are my own views and this is not to be considered legal advice.

Let's look at what this presentation is going to be about. First we will look at whether privacy is important or not. Then I will show you the reasons that led to the GDPR, in my opinion. After that we will look at the steps you need to take to achieve compliance, and finally I will show you how we deal with the GDPR using our identity management system.

Now that we have that out of the way: who here thinks privacy is important? Well, I do too, but I don't have such a feeling about the behaviour and activity of many people online these days. Especially young people don't really seem to care. They tend to provide their personal data to a service provider every time it requires it, with no real consideration. I have heard a really interesting view on the matter from a privacy attorney, advocate of Edward Snowden, a journalist called Glenn Greenwald, who spoke about how people think about their privacy. He spoke about the former CEO of Google, Eric Schmidt, who said that if you have something you don't want other people to know, maybe you shouldn't be doing it in the first place. And that is the opinion of people who say privacy doesn't matter, but they don't actually believe it. And the way you know they don't believe it is that with their actions they take all kinds of steps to prevent and to safeguard their privacy.
They put passwords on all their accounts and they lock themselves in bathrooms, because everyone needs to protect his own realm. Maybe you have noticed when this CEO of Google, Eric Schmidt, ordered Google employees not to talk to CNET magazine interviewers after CNET published an article full of personal information about Eric Schmidt and his family, all of the information obtained through Google searches and using other Google products. This speaker, Glenn Greenwald, also did an interesting, or rather ridiculous, experiment involving all the people he met who claimed their privacy didn't matter to them because they had nothing to hide. Every time he heard it, he took out his pen, wrote down an email address, and asked them to send him the passwords to all their email accounts. Not just the official ones, but all of them. He just wanted to trawl through what they were doing online, and if they were not that kind of people, there was nothing to hide. You would expect there wasn't any email in this account, and it was left a really desolate place in the end. And the reason behind it is that we as human beings, even those of us who in words disclaim the importance of privacy, instinctively understand the profound importance of it. It is known that we humans are social animals. It's been known for thousands of years. On the one hand, we need the attention of other people. This is why social media have been so successful recently. But on the other hand, it is truly essential to fulfilling our nature as human beings to have a place where we can go and hide from the judgmental eyes of other people, because everyone has things to hide. And this is why I consider privacy to be important. And by seeing the importance of privacy, we may understand the importance of the GDPR. Even though the GDPR looks like a bunch of onerous duties for the data controller, how often do we hear about information leakage, compromising of confidential data and other data breaches?
And still, the vast majority of people don't bear in mind the threats and, what is more, the consequences of data breaches. You risk not only losing money; you may lose respect, reputation, trust and, in the end, your whole online identity.

So what is the GDPR? I don't think there is anyone who hasn't heard about the GDPR in the last year, but just in case there is someone who hasn't heard about it, I will tell you what it is. Even though the GDPR was published more than two years ago, nobody really seemed to care at the beginning. And now I feel the GDPR mania is raging in the corporate area. I realised the seriousness of the situation when I heard an advertisement for a GDPR solution on our regional eastern Slovakia radio. For a better understanding of why the GDPR is just inevitable and a natural outcome of the current cyber environment, we must say it has its own history and it's been coming for years. The discussion started more than six years ago, and the Commission, Council and Parliament took part in the debate. All of them were required to make many compromises to achieve a result in the form of a joint proposal for a European regulation: the GDPR, General Data Protection Regulation. The GDPR being a regulation means it is directly binding on the member states. Before the GDPR there was the Data Protection Directive, something like a framework for data protection, but it was mandatory for all member states to enact a specific law. This old-fashioned, fractured approach was causing many ambiguities for companies operating in an international environment. Measures sufficient in one jurisdiction were strictly not enough in another country. Therefore the companies needed to make many alterations and modifications, and it raised costs heavily. These costs definitely weren't effective, so harmonisation was desperately needed. The GDPR deals with all layers of data protection.
There are principles to be maintained and there are rights of data subjects to give effect to, but the tool for achieving compliance isn't strictly prescribed or defined. The solution is up to the data controller, to choose the right one for achieving compliance within his organisation, and this feature makes the GDPR a dynamic law. This is unusual, because law by its nature is usually strict and rigorous, and data protection by design and by default, by virtue of Article 25 of the GDPR, makes it a dynamic enactment.

The main reasons why the GDPR had to be enacted sooner rather than later, even though many fought to postpone its effective date, are in my opinion these four. Advances in technology: the rise of technology has never been at such a level as it is nowadays, and there are many uses in which personal data might be misused. There is business with personal data: big data analysis companies and profiling companies. You know, big data analysis is a process of examining large sets of data to uncover patterns, correlations and customer preferences, with one main target: to sell more. These companies trade in personal data, and it means even more risk for personal data to be abused. Another reason is that data protection laws are archaic in comparison to the technology. In fact it is one of the main features of law, and it is needed for legal certainty, but the GDPR makes a step forward to make it a dynamic enactment. And finally harmonisation: as I said, there were different laws in all member states and it was causing problems with interpretation, so the GDPR aims to resolve these problems and to harmonise this branch of law.

So this is the background, but the most important question is how to become compliant. This is the most difficult question, and I may disappoint many of you, but I doubt there already is a conclusive answer. I've been working with the GDPR regularly for more than half a year: studying it, writing a blog, attending conferences, supporting our technical team.
I have even been to an individual session at our national DPA, and with every answer I was looking for, three new questions arose. A few days ago a good friend of mine called and asked me: hey dude, have you heard about the QPR or something? I said, do you mean the GDPR? Well, maybe, something with data protection. Well, I may know a bit about it, but I realised there might be a problem with the explanation. He is an advocate with no technical background, a really good one, but he hasn't read the whole GDPR, and he just expected me to recommend him a complete solution, which I unfortunately didn't have. The GDPR is so complex and has so many requirements that I can't think of one tool to overcome it all.

For a small to mid-sized company it was enough to implement an internal directive on how the company protects personal data. In fact you didn't even have to respect its provisions; unless there was a data breach, nobody cared. And this is going to change with the GDPR. Data protection will have to be adopted into daily operations. This is the main change the GDPR brings, and it's accountability. So far the DPA could come to your office and start auditing how you protect personal data. Actually he would be looking for your fault, but now, with the GDPR effective, you will have to manifest the measures you use to protect personal data. If your company is big enough and processes large amounts of personal data, you will probably need a team to implement a GDPR project. Compliance can be achieved only as a cooperation of all subjects who come in touch with personal data. The first thing you need to do at the beginning: you will have to secure support from key stakeholders within your organisation and make privacy the priority. Then you will need to assign the team. The team I would choose would consist of a lawyer to interpret the law, an information security officer to design and implement measures in internal systems, and also some people to help with data mapping.
It would probably be an HR specialist and some financial officers. For the person in charge of the GDPR project, I would strongly recommend that he ensures he has three pillars to build on. People, to implement the solution and to put data protection into daily operations. Then you will need the money. Actually, the solutions are quite expensive, but you may save some resources using open source products, while I'm not saying it would be for free. And time, one of the crucial assets, because the average time for implementing a GDPR solution in a mid-sized Slovak company was approximately 10 months, including both the technical side and the documentation.

These are the steps you need to take to achieve compliance. First, data mapping. You have to know where personal data are being stored and processed within your organisation to be able to protect them. Then you will need good data governance, because you must be able to do various operations with the data, like handling a subject access request or proving accountability. You must also be able to identify the data, categorise them or, in some cases, carry out a data protection impact assessment. Data safety will usually be understood as encryption, and it will be the choice of most controllers. And you will have to take into account the state of the art and the nature of processing to ensure privacy by design. And you should choose the opt-in style for processing the data to ensure privacy by default.

There are many rights of data subjects, and you have to give effect to all of them. So I will give you some brief information, some important tips. What you should do: you should give the data subjects the information, all the information you have, actually. You should keep it simple and not use legalese, you know, this archaic language of old lawyers who are now facing extinction. You should make it really intelligible, so the data subjects would be able to understand it.
And you must also show all the data you are processing, and you have to inform data subjects about their rights, about all the rights they have. Then you should give data subjects control over the data. You should be able to provide them access to the data and to show them what data you are processing, how, when and how you protect it. Then there is also a brand new data portability right. That should enable moving personal data between controllers at the data subject's will. You should also be prepared to modify the data, as data subjects have a right to rectification. And you should be able to stop processing the data whenever the data subject wants it, because data subjects have a right to object to processing. And finally, there is the data minimisation principle. It is one of the core principles of the GDPR. So you should gather and keep only necessary information. You should choose the legal basis really carefully, and you should choose the purpose for your processing really carefully, because once it has run out you can't hold the data any longer. And you should also be prepared to delete the data completely when the data subject uses his right to be forgotten.

So how about the solution? There will be enormous demand for solutions, for sure. Leading software companies and law firms are in the race to present their solutions. As soon as we had read through the GDPR, we realised that this is what we can do, that this is what identity management can do. You have to have a legal basis to process personal data, and you should be able to demonstrate this legal basis. There are several kinds of legal basis, like consent, performance of a contract, complying with a legal obligation, or protecting the vital interests of the data subject or of a person related to the data subject. And you should be able to keep and manage the data. And identity management software is an excellent record keeper.
Identity data are being monitored and managed by the IDM systems. There are data and metadata. Therefore the IDM systems know what happened, when it happened and how it happened. For every existing account in the IDM system there must be a reason why this account exists. And the reason for the existence of the account would be the legal basis for processing.

Let's look at the technical side very briefly. The legal basis for processing would be modelled as an assignment. The target of this assignment would be a data protection scope, which will be modelled as a specific type of role. And all the legal details would be specified in this role, in this data protection scope. And the legal basis will be activated by creating an assignment to this specific role. So this could automatically trigger the provisioning of all accounts. And it works also the other way: if the legal basis expires, it means the account would be automatically deprovisioned. There are many things that the identity management solution could do. You can manage consent, because there are strict requirements for consent. It must be granular, and you may manage it really granularly using identity management. You can also solve requests for rectification and requests for deletion, so dealing with the right to be forgotten. And it should be a really good tool for the data protection officer for accountability, because it has really good data mapping usage. And at the end I will show you the screens from the solution. It's not really well readable, but there is a card for data protection, and all the information necessary to comply with the legal obligation will be specified here. And you can manage all connected systems with the identity management system. And there are legal bases for... And you might be able to see all the legal bases for every account in this tool. So that's all. Thank you.

So let's open up the floor for questions. Yes? I don't hear you. Internet protocol?
I'm not a technician, so whether the internet protocol is GDPR compliant, I can't answer. I'm not a technician. I don't know.

Yes, both. For automated processing and for databases. For filing systems it is set. If it is for... If the GDPR is applicable to paper. Yes, yes. For databases, for every filing system. And it might be a paper database also.

How could you deal... What's the... Yes? Tell me once more. How is that possible? For connected systems, okay. How could you be completely compliant with the GDPR? IBM covers. I said that the tool isn't strictly described or prescribed, and that I can't even think of one tool to overcome it all. But this will handle some crucial situations with connected systems.
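The assignment model the talk sketches (a legal basis held as an assignment to a data-protection-scope role, accounts provisioned while an assignment is active and deprovisioned once the basis expires), worked through as an added illustrative example. This is not the speaker's product's code or schema; the class names, scope names, system names and dates are all assumptions made for the example.

```python
"""Illustrative model (not the speaker's product's own code) of a GDPR legal
basis held as an IdM assignment.  A data protection scope plays the role
described in the talk: it bundles one legal basis, one purpose and the
connected systems that store data for that purpose.  A user's assignment to
a scope has a validity period; an account in a connected system is wanted
only while at least one active assignment justifies it, and is deprovisioned
once every justifying assignment has ended.  All names and dates below are
constructed sample data."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DataProtectionScope:
    name: str
    legal_basis: str          # e.g. "consent", "contract", "legal obligation"
    purpose: str              # the specific purpose the data are processed for
    systems: Tuple[str, ...]  # connected systems holding data for this purpose


@dataclass
class Assignment:
    scope: DataProtectionScope
    valid_from: date
    valid_to: Optional[date] = None  # exclusive end; None means open-ended

    def is_active(self, today: date) -> bool:
        """Active on `today` if the validity window covers it."""
        return self.valid_from <= today and (self.valid_to is None or today < self.valid_to)


@dataclass
class User:
    name: str
    assignments: List[Assignment] = field(default_factory=list)

    def assign(self, scope: DataProtectionScope, valid_from: date,
               valid_to: Optional[date] = None) -> None:
        self.assignments.append(Assignment(scope, valid_from, valid_to))

    def end(self, scope_name: str, on: date) -> None:
        """End every open assignment to `scope_name` from `on` onwards (consent
        withdrawal, contract termination, purpose exhausted).  The assignment is
        kept rather than deleted: accountability needs the record of what was
        processed, on which basis, and until when."""
        for a in self.assignments:
            if a.scope.name == scope_name and (a.valid_to is None or a.valid_to > on):
                a.valid_to = on

    def legal_bases(self, system: str, today: date) -> List[str]:
        """Every legal basis that justifies this user's account in `system` today;
        an empty list means the account must not exist."""
        return sorted({a.scope.legal_basis for a in self.assignments
                       if a.is_active(today) and system in a.scope.systems})


def reconcile(user: User, existing_accounts: Set[str], today: date) -> Dict[str, List[str]]:
    """Compare the accounts a user should have (union of the systems of all active
    scopes) with the accounts that exist, and return the provisioning actions."""
    desired = {s for a in user.assignments if a.is_active(today) for s in a.scope.systems}
    return {"provision": sorted(desired - existing_accounts),
            "deprovision": sorted(existing_accounts - desired)}


def demo() -> Dict[str, object]:
    """Onboarding, consent withdrawal and the two reconciliation runs around it."""
    marketing = DataProtectionScope("marketing-consent", "consent", "newsletter", ("crm", "mailer"))
    contract = DataProtectionScope("customer-contract", "contract", "order fulfilment", ("crm", "billing"))
    alice = User("alice")
    alice.assign(marketing, date(2018, 1, 1))
    alice.assign(contract, date(2018, 1, 1))
    accounts: Set[str] = set()
    first = reconcile(alice, accounts, date(2018, 6, 1))
    accounts |= set(first["provision"])               # crm, mailer and billing get created
    bases_before = alice.legal_bases("crm", date(2018, 6, 1))
    alice.end("marketing-consent", date(2018, 7, 1))  # consent withdrawn on 1 July
    second = reconcile(alice, accounts, date(2018, 7, 1))
    # Only "mailer" goes: "crm" is still justified by the contract scope.
    return {"first": first, "bases_before": bases_before, "second": second,
            "bases_after": alice.legal_bases("crm", date(2018, 7, 1)),
            "mailer_after": alice.legal_bases("mailer", date(2018, 7, 1))}


if __name__ == "__main__":
    print(demo())
```

The point the walkthrough makes is the one the talk relies on: an account shared by two purposes (here "crm") survives the withdrawal of one legal basis, and the ended assignment stays on record so the DPO can still show on what basis the data were processed and until when.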