GDPR MBUK (Due 25 May 2018)

| Domain | Activity Number | Activity | Responsibility Center |
|---|---|---|---|
| GDPR Assessment | GDPRA-1 | Conduct interview(s) with key stakeholders to understand the organizational capability to comply with GDPR requirements. | Vendor |
| GDPR Assessment | GDPRA-2 | Discuss MBUK's future-state goals and options and the ideal state for each of the domains (outlined earlier), taking into consideration the company's industry, products and services, organizational structure, strategic goals, and budget and resource availability. | Vendor |
| GDPR Assessment | GDPRA-3 | Document the desired target state and associated characteristics. | Collaboration |
| GDPR Assessment | GDPRA-4 | Identify the gap between the current and future state. | Vendor |
| GDPR Assessment | GDPRA-5 | Determine the areas of the organizational components that are non-compliant with GDPR requirements; map the gap to GDPR requirements. | Vendor |
| GDPR Assessment | GDPRA-6 | Rank the gap using a risk-ranking model that takes into consideration the complexity of remediation, time to remediate, cost of remediation, and consequence of non-compliance. | Vendor |
| GDPR Assessment | GDPRA-7 | Document the assessment results and validate findings with the client; draft the GDPR assessment report. | Vendor |
| GDPR Assessment | GDPRA-8 | Compile data flow maps, including but not limited to: inventory personal data and assets; discover additional personal data through scanning; map data to business processes. | Vendor |
| GDPR Assessment | GDPRA-9 | Develop and document the Record of Processing Activities (RoPA). | Vendor |
| GDPR Assessment | GDPRA-10 | Identify high-risk data flows, if applicable. | Vendor |
| Privacy Risk Governance | PRG-1 | Develop the cybersecurity policy and framework specific to the MBUK location. Develop the privacy policy and privacy governance framework for MBUK. | Vendor |
| Privacy Risk Governance | PRG-2 | Local review and approval of the MBUK privacy policy and framework; MBUK to implement the policy locally. | Client |
| Privacy Risk Governance | PRG-3 | A memo needs to be developed and communicated across Mashreq entities with the flags (Is the person an EU citizen? Is he/she resident in the EU?) as a prerequisite check for collecting the personal information of the data subject. If the answer to both is "Yes", consensus needs to be sought from the designated DPO. | Vendor |
| Privacy Risk Governance | PRG-4 | A Data Privacy Officer needs to be appointed at MBUK. | Client |
| Privacy Risk Governance | PRG-5 | Develop a training module on "Data Privacy Awareness" for all staff, contractors and vendors. The training presentation has been developed and a knowledge session conducted for MBUK; CBT development is in progress. | Collaboration |
| Privacy Impact Assessments | PIA-1 | Develop an inventory of the critical assets and procedures dealing with PII. Develop the data flow diagrams (DFDs) for the identified processes. | Vendor |
| Privacy Impact Assessments | PIA-2 | Develop the Privacy Impact Assessment procedure and templates for performing Privacy Impact Assessments of the identified critical processes of MBUK. | Vendor |
| Privacy Impact Assessments | PIA-3 | Local adoption of the Privacy Impact Assessments. A resource needs to be identified for conducting the Privacy Impact Assessments. | Vendor |
| Privacy Impact Assessments | PIA-4 | Conduct a privacy assessment for two sample processes in MBUK. | Vendor |
| Privacy Impact Assessments | PIA-5 | Engage key stakeholders to discuss roles and responsibilities (RACI) for the Data Protection Impact Assessment (DPIA) and to identify who will conduct the DPIA, who will review it, and who will track the follow-up actions. | Vendor |
| Privacy Impact Assessments | PIA-6 | Discuss the best-suited mechanism for executing the DPIA (i.e. manual or integrated/automated). | Vendor |
| Privacy Impact Assessments | PIA-7 | Organize a series of questionnaires and sessions to discuss the following domains: data flow details; fair and lawful sharing of personal data; purposes of sharing/processing personal data; adequacy of current control mechanisms; right of transparency to the data subject; security of the data; compliance with privacy policy and regulatory requirements; retention of the data within a reasonable time; vendor/third-party controls, if in scope of the data processing flow; transfer (cross-border), if in scope of the data processing flow; other additional domains (e.g. profiling, incident management, data analytics, etc.) may be considered depending on the SOW. | Vendor |
| Privacy Impact Assessments | PIA-8 | Evaluate responses to the questionnaire and capture impact statements. | Vendor |
| Privacy Impact Assessments | PIA-9 | Document the impact statements at the domain level: personal independence; possibility of stigmatization; breach of equality; freedom to move; need to remain free of manipulation; personal integrity; autonomy; self-esteem; possibility of identity fraud. | Vendor |
| Privacy Impact Assessments | PIA-10 | Assign a risk impact level (high, medium, low) to each of the assessed domains. | Vendor |
| Privacy Impact Assessments | PIA-11 | Identify potential actions that can be taken to address gaps in the assessed domains. | Collaboration |
| Privacy Impact Assessments | PIA-12 | Document the results of the assessment in a user-friendly report; validate findings; update the findings report as needed; define a remediation plan/resolution for the findings as required. | Vendor |
| Privacy Impact Assessments | PIA-13 | Identify individuals who will be responsible for validating resolution before conducting the envisioned privacy operation. | Vendor |
| Policies and Procedures | PP-1 | All MBUK policies need to be reviewed for compliance with GDPR. | Collaboration |
| Policies and Procedures | PP-2 | Standard procedures and protocols are to be defined at the start of the project to improve the operational efficiency of the project team. Examples: procedures for administrative activities, work product approval, status reporting, scope management, issue tracking, risk management, security, travel and expense approval, use of standard software tools, and naming standards and conventions for project information management. | Collaboration |
| Policies and Procedures | PP-3 | Standards and protocols should be clearly outlined and documented prior to project kickoff to provide guidance on items such as: status reporting (frequency, audience, topic area, etc.); charge code for the specific project; team structure. | Collaboration |
| Policies and Procedures | PP-4 | Identify the different types of changes likely to be encountered and set any thresholds for each type along with their associated workflow and allowable states. Include any limitations on the types or number of changes, and identify who can submit change requests. | Collaboration |
| Policies and Procedures | PP-5 | Identify excellence standards for the project and its deliverables and document how the project will demonstrate compliance with quality requirements. | Collaboration |
| Policies and Procedures | PP-6 | Determine future events which may adversely affect the project and document their characteristics. Agree on criteria for assessing risk probability and impact with the client before managing risks. | Collaboration |
| Policies and Procedures | PP-7 | Determine matters that are affecting project progress and that require formal resolution. | Collaboration |
| Policies and Procedures | PP-8 | Monitor and control risks, issues, consents and approvals. | Collaboration |
| Conditions and Authorisation for Processing | CAP-1 | Develop the consent form for taking consent from data subjects at the time of data collection. | Vendor |
| Conditions and Authorisation for Processing | CAP-2 | Implement the consent form across all channels at MBUK. | Vendor |
| Personal Data Management | PDM-1 | Develop the Data Management Policy and Data Classification Policy for MBUK. | Vendor |
| Personal Data Management | PDM-2 | Local review and adoption of the data management and data classification policies. | Vendor |
| Personal Data Management | PDM-3 | Conduct an evaluation of the IT controls implemented at MBUK and MBUAE for safeguarding personal data. | Vendor |
| Personal Data Security | PDS-1 | Develop and implement a procedure to serve data subject requests and complaints with respect to the handling of their personal data at MBUK. | Collaboration |
| Personal Data Security | PDS-2 | Inventory and review all third-party contracts for MBUK to accommodate privacy clauses. | Collaboration |
| Third Party Oversight | TPO-1 | Develop the data privacy clauses which are required to be included in contracts with third-party data processing vendors. | Collaboration |
| Third Party Oversight | TPO-2 | Develop and implement a formal legal agreement between MBUAE and MBUK for data processing in accordance with GDPR regulations. | Collaboration |
| Incident Reporting and Management | IRM-1 | MBUK should be trained to adopt and implement the incident management and notification procedures of MBUAE (HO) for dealing with privacy breaches. Required support would be given by HO. | Collaboration |
| Audit | A-1 | Audit logs should be enabled and maintained for all systems that retain PII data within the GDPR scope. | Vendor |
| Audit | A-2 | Perform regular audits to ensure the effectiveness of the GDPR privacy controls at MBUK. | Collaboration |
| Audit | A-3 | Monitor the status of the operations and product scope and manage changes to the scope baseline. | Vendor |
| Audit | A-4 | Track identified risks, monitor residual risks and evaluate risk process effectiveness throughout the project. | Vendor |
| Audit | A-5 | Track identified issues and evaluate issue management process effectiveness throughout the project. | Vendor |
| Audit | A-6 | Request changes following the established change management procedures. | Vendor |