IMPLEMENTING THE GDPR & LEVERAGING PRIVACY AS A COMPETITIVE ADVANTAGE

Dr. Anna Zeiter, LL.M., Head of Data Protection, EMEA

CDO Europe – London, 23 February 2017

Anna Zeiter, Head of Data Protection, EMEA, eBay - CDO Europe 2017



AGENDA

• Overview of eBay in EMEA

• Implementation of the GDPR at eBay

• Leveraging privacy as a (competitive) advantage

• Q&A session


OVERVIEW OF EBAY IN EMEA


IMPLEMENTATION OF THE GDPR AT EBAY


IMPLEMENTATION OF THE GDPR AT EBAY (1)

• Part I – Preparation (January 2016 – March 2016)
• Part II – Gap Analysis (April 2016 – August 2016)
• Part III – Budget/Resource Planning (September 2016)
• Part IV – Implementation (October 2016 – December 2017)
• Part V – Monitoring (October 2017 – June 2018)


IMPLEMENTATION OF THE GDPR AT EBAY (2)

• Part I – Preparation (January 2016 – March 2016)
  - Raise awareness, start internal communication
  - Inform stakeholders, e.g. Business Units, Marketing Teams, PR, etc.
  - Choose project name
• Part II – Gap Analysis (April 2016 – August 2016)
• Part III – Budget/Resource Planning (September 2016)
• Part IV – Implementation (October 2016 – December 2017)
• Part V – Monitoring (October 2017 – June 2018)


IMPLEMENTATION OF THE GDPR AT EBAY (3)

GIANT


IMPLEMENTATION OF THE GDPR AT EBAY (4)

• Part I – Preparation (January 2016 – March 2016)
• Part II – Gap Analysis (April 2016 – August 2016)
  - Carry out gap analysis per data controller
  - Carry out interviews with Legal Teams and Business Units
  - Use assessment tools, e.g. TRUSTe Assessment Manager
  - Draft gap analysis report/use metrics
  - Compile list of action items
• Part III – Budget/Resource Planning (September 2016)
• Part IV – Implementation (October 2016 – December 2017)
• Part V – Monitoring (October 2017 – June 2018)


IMPLEMENTATION OF THE GDPR AT EBAY (5)

List of action items:
• ...?


IMPLEMENTATION OF THE GDPR AT EBAY (6)


IMPLEMENTATION OF THE GDPR AT EBAY (7)

List of action items:
• Data mapping
• Process for new subject access rights
• Privacy Impact Assessments (PIAs)
• Privacy by design/by default
• Review of consent based processing
• Review of the DPO position
• Privacy champion program
• Data deletion/data retention
• Data breach response plan
• Privacy trainings


IMPLEMENTATION OF THE GDPR AT EBAY (8)

• Part I – Preparation (January 2016 – March 2016)
• Part II – Gap Analysis (April 2016 – August 2016)
• Part III – Budget/Resource Planning (September 2016)
  - According to data controllers
  - According to list of action items
• Part IV – Implementation (October 2016 – December 2017)
• Part V – Monitoring (October 2017 – June 2018)


IMPLEMENTATION OF THE GDPR AT EBAY (9)

• Part I – Preparation (January 2016 – March 2016)
• Part II – Gap Analysis (April 2016 – August 2016)
• Part III – Budget/Resource Planning (September 2016)
• Part IV – Implementation (October 2016 – December 2017)
  - Create sub-projects and create sub-project names
  - Assign project leads and sub-project leads
  - Involve stakeholders, e.g. Legal Teams, Business Units, etc.
  - Agree on timelines, define dependencies
  - Start with the implementation – now and globally
• Part V – Monitoring (October 2017 – June 2018)


IMPLEMENTATION OF THE GDPR AT EBAY (10)

List of sub-projects:
• Data mapping (Project Discovery)
• Process for new subject access rights (Project Atlas)
• Privacy Impact Assessments (PIAs) (Project Alexandria)
• Privacy by Design/by Default (Project Prudentia)
• Review of consent based processing (Project Zeus)
• Review of the DPO position (Project Phoenix)
• Privacy Champion Program (Project Concilium)
• Data deletion/data retention (Project Hades)
• Data breach response plan (Project Hermes)
• Privacy Trainings (Project Athena)


IMPLEMENTATION OF THE GDPR AT EBAY (11)

• Part I – Preparation (January 2016 – March 2016)
• Part II – Gap Analysis (April 2016 – August 2016)
• Part III – Budget/Resource Planning (September 2016)
• Part IV – Implementation (October 2016 – December 2017)
• Part V – Monitoring (October 2017 – June 2018)
  - Monitor the implementation closely, involve audit team
  - Change approach if needed
  - Follow the opinions of the EU Data Protection Board and the Data Protection Authorities closely
  - Reach out to Data Protection Authorities if needed
  - Carry out internal communication and trainings


IMPLEMENTATION OF THE GDPR AT EBAY (12)

• Raise Awareness!
• Start with internal communication!
• Inform stakeholders!
• Choose cool project names!
• Do the things you already do – but better!
• Start asap!
• General Data Protection Regulation = Global Data Protection Regulation!
• Follow the opinions of the Art. 29 Working Party and the Data Protection Authorities closely!
• Change approach if needed!


LEVERAGING PRIVACY AS A (COMPETITIVE) ADVANTAGE

INTERNALLY & EXTERNALLY


INTERNAL ADVANTAGES OF THE GDPR (1)

Die Datenfrage - warum Unternehmen einen CPO brauchen ("The data question: why companies need a CPO")


INTERNAL ADVANTAGES OF THE GDPR (2)

• Privacy is in the spotlight – internally and externally!
• High fines are threatening!
• Privacy matters are discussed at C-level!
• DPO position will be more powerful!
• More budget and resources needed!
• Opportunity to ask questions you never asked before!
• Opportunity to challenge current processes!
• Opportunity to enhance Privacy within your company!


INTERNAL ADVANTAGES OF THE GDPR (3)

Use the GDPR to implement a smart and comprehensive data governance strategy:


EXTERNAL ADVANTAGES OF THE GDPR (1)

Use the GDPR to gain and strengthen customer trust and your company’s privacy brand:


EXTERNAL ADVANTAGES OF THE GDPR (2)

Use the GDPR to minimize the risk of data breaches:


Q&A SESSION


CONTACT DETAILS

Dr. Anna Zeiter, LL.M.
Director of Privacy & Data Protection Officer, EMEA

Helvetiastrasse 15/17
3005 Bern
Switzerland

Tel.: +41 31 3590701
Mobile: +41 79 5298425
Email: [email protected]


EXECUTIVE SUMMARY (2)
