Published by Thomasina Fisher. Modified over 7 years ago.
1
GDPR Journey: Practical steps to compliance & business outcomes
Andrew Joss Head of Solutions & Data Governance – EMEA-LA
2
Disclaimer: Compliance with the GDPR will be based on the specific facts of an organization's business, operations and use of data. This presentation provides a set of discussion points that may be useful in the development of an organization's GDPR compliance efforts, and is not intended to be legal advice, guidance or recommendations. An organization should consult with its own legal counsel about what obligations they may or may not need to meet.
3
GDPR Background
4
What’s all the fuss about?
From 25th May 2018, the new EU General Data Protection Regulation (GDPR) will require all organisations that hold data related to EU data subjects to manage data on their customers, employees, contacts and any other relevant persons more effectively.
5
GDPR & Why It’s Important
What is it? May 2018: the European Union General Data Protection Regulation (GDPR) comes into full force to enhance protection of personal data.
Why is it important? Significant impact for organisations and how they manage data, with some potentially very large penalties for violations: 4% of global revenues. Impacts the storage, processing, access, transfer, and disclosure of an individual's data records.
Who is affected? These protections apply to any organisation (anywhere in the world) that processes the personal data of EU data subjects.

Speaker notes: Show of hands. Who here is familiar with GDPR? Who is worried about GDPR and its implications for their business? The EU's General Data Protection Regulation is in service to enhancing the protection of personal information of EU residents that is in the hands of businesses (in the EU or globally) and is being used to market to these EU residents. This applies to any organization that markets to EU subjects, whether based in the EU or not, and the penalties for non-compliance can be as large as 4% of annual global revenue. I know retail organizations that have profit margins of less than 4%! All of this takes effect in less than a year!

What is the GDPR? Effective May 2018, the European Union General Data Protection Regulation (GDPR) enhances protection of personal data, and replaces the EU Data Protection Directive and its local implementing laws. This regulation could have significant impact for organizations and how they manage data pertaining to customers, consumers, partners, staff and other 'data subjects', where a 'data subject' is an individual. The GDPR impacts the storage, processing, access, transfer, and disclosure of an individual's data records, and carries some potentially very large penalties for violations.

Who is affected? These protections apply to any organization established in the EU and to any organization (anywhere in the world) that processes the personal data of EU data subjects when offering them goods or services or when monitoring or tracking their activities.

How does this impact you? The GDPR imposes a range of additional requirements beyond what was formerly required under the EU Data Protection Directive. For example, the GDPR expands existing data subject rights and creates entirely new ones, such as the right to data portability. The GDPR will require organizations to fully understand how they utilize current and future information assets in order to incorporate these new data privacy requirements. For many, the associated changes to information management practices will require a thorough evaluation of current and future data capabilities.
6
What GDPR is not
It's not just a Security issue
It's not just a Legal issue
It's not just a Compliance issue
It's not just a Risk issue
It's not just a Data issue
It's ALL of these, and more…
7
GDPR – the potential for value
What is it? The GDPR is possibly the once-in-a-generation opportunity to transform the way organisations are compelled to manage data.
Why? Fines & reputational damage could be significant. It drives benefits when approached properly.
Challenge: Many businesses haven't done enough preparation and won't be sufficiently compliant. Organisations don't have long to fully develop their approach.
To-Be model: Tick-box compliance, or business value add & privacy as a differentiator.
Benefit: Avoidance of fines & reputational damage. Supports digital transformation outcomes.
The opportunity: It's got budget and Board / Legal support. It impacts most organisations.
8
May 2018 isn’t far away, so it’s time to get practical…
9
Where do you go from here? With around 7 months to go and a clock that won't stop ticking, organisations are looking at solutions to automate processing and cope with data at scale. As it's a principles-based regulation, organisations will have different views on what the problem is, so look for entry points into your requirements and help your business understand the upside.
10
Break the data problem down…
11
… using some simple questions to understand the entry point(s)
Do you know what data you hold, who has access to it, and for what purpose?
Do you know where all your in-scope data is?
Do you know how you will manage consents and data rights?
Do you know how you will protect your data and ensure it has the appropriate controls?
12
Informatica for GDPR Compliance Efforts
Capability: Data Governance. Lead Solution: Informatica Axon™
Capability: Consent Mastering & Enacting Rights. Lead Solution: Informatica Master Data Management
Capability: Archiving & Anonymisation. Lead Solutions: Informatica Data Masking & Archiving
Capability: Sensitive Data Discovery & Risk. Lead Solution: Informatica ®
13
Data Governance
Need: to understand what all the in-scope data is used for, why and by whom
Why: so you understand how you're aligning to the principles
Common current approach: questionnaires, interviews and static documentation development, mostly done manually
Approach drawback: inaccurate, time & resource consuming & often out-of-date
14
Data Governance
Solutions for Intelligent Data Governance. Lead solution: Informatica Axon
Collaborative definition of policies
Definitions of processes, terms etc.
Approval process within the stakeholder group
Publishing to the entire organisation
Link policies to implementation artefacts & data
Potential Stakeholders: Chief Data Officer, Chief Information Officer, Chief Risk/Compliance Officer
15
Sensitive Data Discovery and Analysis
Need: to understand where all the in-scope data is
Why: so you understand the size & shape of the data problem
Common current approach: review existing sources and send questionnaires
Approach drawback: time & resource consuming, inaccurate & very often out-of-date
16
Sensitive Data Discovery & Risk Analysis
Solutions for automated Sensitive Data Discovery and Risk scoring. Lead solution: Informatica
Enterprise-wide data discovery & risk analytics
In-scope data discovery
In-scope data classification
Proliferation analysis
Multi-factor risk scoring
Potential Stakeholders: Chief Legal Officer, Chief Information Security Officer, Chief Privacy Officer
17
Consent Mastering and Enacting Rights
Need: to capture, manage and distribute consent
Why: so you have captured the lawfulness of processing
Common current approach: extend preferences capabilities
Approach drawback: functionally inadequate

Need: to match and link data about each individual data subject
Why: so you can easily respond to SARs, erasure etc.
Common current approach: manually match data or basic rules
Approach drawback: low match rate, false positives / negatives, slow
18
Consent Mastering and Enacting Rights
Solutions to associate Consents with Mastered Data Subjects. Lead solution: Informatica Master Data Management
Enterprise-wide single view of a data subject
Data subject data discovery
Multi-domain (customer, employee, etc.)
Data record matching and linking
Home for consent data services
Potential Stakeholders: Chief Marketing Officer, Chief Data Officer, Chief Privacy Officer
19
Archiving and Anonymisation
Need: to put protections and controls around identified in-scope data
Why: so you are demonstrating control over relevant data
Common current approach: apply masking, deletion and archiving solutions as required
Approach drawback: lack of targeted implementation; silos of tools and implementations provide no holistic view
20
Archiving and Anonymisation
Solutions to automate Controls and the Protection of data. Lead solution: Informatica Data Masking and Archiving
Enterprise-wide protection and controls over data
Data deletion & retention
Data masking
Data archiving
Potential Stakeholders: Chief Information Officer, Chief Data Officer, Chief Legal Officer
21
Informatica for GDPR Compliance Efforts
DATA GOVERNANCE (AXON): Policy definitions. Role assignments. Approval workflows for tasks and definitions.
CONSENT MASTERING & ENACTING RIGHTS (MASTER DATA MANAGEMENT): Single view of the subject. Store consents and sensitive data. Provide purpose-based perspectives to the consuming applications. Enacting rights: access, rectify, objection, portability, right to be forgotten.
PURGE DATA WITH ARCHIVING & ANONYMIZATION (DATA MASKING & ARCHIVING): Persistent and dynamic sensitive data masking, in production and non-production environments. Archive sensitive data in a secure, easily accessible data store.
SENSITIVE DATA DISCOVERY & ANALYSIS: Discover & classify sensitive data. Data map and data proliferation. Heat maps to detect high-risk areas to set up a protection plan. User access and activity. Risk monitoring & management.

Speaker notes: Here are the different goals in service to GDPR. You need to define what your organization's policies are and who the stakeholders are that are accountable for GDPR compliance. You need to assess where you are today and how, through implementation of your policies, you are tracking. Again, documentation is not enough: you need to implement the policies and track progress to make it real. You need a clear understanding of where your sensitive data is, how far it propagates and just how vulnerable you are (your risk score) as a result of all of this. You need to ensure that sensitive data is protected and that access is controlled for only authorized personnel and use cases. You need to manage the data subjects: the in-scope data for the EU residents, and track whether they've given you consent to use their data, market to them, etc. And if they've withdrawn consent, you need to purge the data you have for them.
22
What business value add is there?
Data Governance: faster compliance reporting, faster data science, optimised data risk, drives data as an asset
Sensitive Data Discovery: faster data discovery for other policies, supports breach prevention initiatives
Consent Mastering: faster delivery of customer centricity and digital transformation programmes, data superset for marketing purposes
Archiving & Anonymisation: faster and more secure application testing, reduced costs through data minimisation
23
Reuse GDPR data capabilities as a platform for other requirements
24
Informatica Intelligent Data Platform
Platform diagram: Products (Data Integration, Big Data Management, Master Data Management, Data Quality, Data Security, Cloud Data Management) and Solutions (Customer 360, Data Governance, Reference 360, Intelligent Data Lake, Product 360, Enterprise Information Catalog, Supplier 360) over shared Connectivity, Compute, and Monitor and Manage services and CLAIRE (Enterprise Unified Metadata Intelligence), spanning Cloud, Real Time/Streaming, Big Data and Traditional data.

The Informatica Intelligent Data Platform is the industry's most complete and modular solution, built on a microservices architecture, to help companies unleash the power and value of all data across the hybrid enterprise. The AI-driven platform spans on-premises, cloud and big data anywhere, ensuring data is trusted, secure, governed, accessible, timely, relevant and actionable (pick 3 of these). This enables the world's most progressive companies to deliver data-driven digital transformation outcomes. Examples include: better and faster decisions, deeper customer engagement, better patient healthcare outcomes, more efficient business processes, etc.

The IDP makes possible what never existed before. The IDP enables the management of new types of data, new use cases and new business models that work with new technologies.

What makes IDP a platform? Everything on the platform shares in the following platform services:
Connectivity to data sources and targets (cloud, on-premises, big data anywhere)
Compute engines: it can automatically select the optimal compute engine for big data jobs based on the requirements of the job (from among MapReduce, Spark, Tez, Blaze…)
Monitoring and Management: Operational Insights provides a single console across cloud, big data and on-premises
CLAIRE: the metadata-driven intelligence across the platform
25
GDPR Journey: Practical steps to compliance & business outcomes
Thank you for your time Any questions?
26
A Data Security viewpoint on GDPR
Detect and Protect: A Data Security viewpoint on GDPR Steve Holyer Data Security Domain Expert Informatica Data Security Group
27
28
Escalating Data Risk
Breaches: That bypass legacy security
Laws and Regulations: New challenges and severe penalties
Proliferation: Data growth and use across cloud, big data and mobile
Analytics: Create high-value data targets and privacy concerns
29
30
Finding Your In-Scope Data
Steve Holyer Informatica Data Security Group
31
Sensitive Data Discovery and Risk Analysis
Need: to understand where all the in-scope data is and the RISK associated with it
Why: so we understand the size & shape of the data problem
Common approach: review existing sources and send questionnaires
Approach drawback: time & resource consuming, inaccurate & very often out-of-date
32
Why Manual Sensitive Data Discovery is not a viable option
Manual sensitive data discovery: documentation analysis; specialist/SME activity; difficult to scale.
Automated discovery scanning: reusable assets; initial SME confirmation, then autonomous; highly scalable.
(Chart axes: risk, time, complexity, volatility, scale.)

Case study for a PoC at a customer in Europe using automated discovery scanning: they started to do discovery manually but stopped because "it took way too long and the results were not trustworthy". They installed the scanning tool and executed scanning across 2.5 days for 5 data sources: 6744 tables / 1118 sensitive elements found.

Manual discovery is extremely labour heavy, often using the most valuable resource. It is not viable on more than single sources, and is only a one-time view on the data. In real terms, to satisfy GDPR you would need to re-run the exercise on a regular basis.

Tool-based discovery scanning provides many advantages. Once configured, the scanning can be re-run on a daily, weekly or monthly basis. Some investment is required to calibrate the patterns and thresholds. There is no theoretical limit to its ability to scale.
33
Getting Started with Discovery & Classification
Investigate: Establish a data glossary. Define the data landscape. Acquire discovery tooling.
Act: Map which systems contain GDPR data. Identify "high risk" data stores. Map the movement of GDPR data.
Monitor: Maintain a "Validation and Certification" view.

Note from the slide: I didn't edit, but my only comment would be to use the terms "Validation and Certification" in place of "near real time", or just use "Monitoring".
34
Continuous Risk Assessment
Data Volume: Number of sensitive data records.
Proliferation: Movement of data across departments, data stores and geographies.
Liability Cost: Value of data loss to the organization.
Location: Geographic location of sensitive data.
Protection: Controls to secure and protect data.
User Access and Activity: Frequency and volume of user activity.
35
Acceleration & Automation
Classification & discovery of GDPR data
Identification of highest-risk data stores
Sensitive data proliferation mapping
Which business users have access to sensitive data
User activity on sensitive data
Policy-based alerting
Multi-factor risk scoring
Integrates data security information from 3rd parties: data stores, owner, classification; protection status; user access info (LDAP, IAM) and activity logs (DB, Hadoop, Salesforce, DAM)
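The six factors from the Continuous Risk Assessment slide combined into the multi-factor risk scoring and highest-risk-store ranking described above, as an added example that is not part of the original deck or of any Informatica product. The weights, the normalisation against the inventory maxima, the set of high-risk locations, and the sample data stores and lineage edges are all constructed assumptions.

```python
from dataclasses import dataclass

# Weights for the six factors on the Continuous Risk Assessment slide
# (the weights and the 0..1 normalisation are assumptions for this example).
WEIGHTS = {"volume": 0.25, "proliferation": 0.20, "liability": 0.20,
           "location": 0.10, "protection": 0.15, "activity": 0.10}
HIGH_RISK_LOCATIONS = {"US", "IN"}  # assumption: transfer outside the EU

@dataclass
class DataStore:
    name: str
    sensitive_records: int       # Data Volume
    liability_per_record: float  # Liability Cost (cost of loss per record)
    location: str                # Location (country code)
    protected: bool              # Protection (masking/encryption applied)
    monthly_accesses: int        # User Access and Activity

# Constructed inventory, as a discovery scan would populate it.
STORES = [
    DataStore("crm_prod", 1_000_000, 10.0, "DE", True, 5000),
    DataStore("analytics_lake", 800_000, 10.0, "IE", True, 300),
    DataStore("test_db", 200_000, 10.0, "US", False, 40),
    DataStore("partner_export", 50_000, 10.0, "US", False, 10),
]
# Constructed lineage edges (source -> target) as ingested from an ETL tool.
LINEAGE = [("crm_prod", "analytics_lake"), ("crm_prod", "test_db"),
           ("analytics_lake", "partner_export")]

def downstream_copies(name, edges):
    """Count every store reachable from `name` through lineage edges."""
    seen, frontier = set(), {name}
    while frontier:
        frontier = {dst for src, dst in edges if src in frontier} - seen
        seen |= frontier
    return len(seen)

def risk_score(store, stores, edges):
    """Weighted 0..100 score; each factor is normalised against the inventory."""
    max_records = max(s.sensitive_records for s in stores)
    max_access = max(s.monthly_accesses for s in stores)
    max_copies = max(downstream_copies(s.name, edges) for s in stores) or 1
    max_liability = max(s.sensitive_records * s.liability_per_record for s in stores)
    factors = {
        "volume": store.sensitive_records / max_records,
        "proliferation": downstream_copies(store.name, edges) / max_copies,
        "liability": store.sensitive_records * store.liability_per_record / max_liability,
        "location": 1.0 if store.location in HIGH_RISK_LOCATIONS else 0.0,
        "protection": 0.0 if store.protected else 1.0,  # no controls = full risk
        "activity": store.monthly_accesses / max_access,
    }
    return round(100 * sum(WEIGHTS[k] * v for k, v in factors.items()), 1)

def rank_stores(stores, edges):
    """Highest-risk data stores first, as a heat map would order them."""
    return sorted(((risk_score(s, stores, edges), s.name) for s in stores), reverse=True)

def unprotected_movements(stores, edges):
    """Lineage edges that land data in a store with no protection controls."""
    by_name = {s.name: s for s in stores}
    return [(src, dst) for src, dst in edges if not by_name[dst].protected]

if __name__ == "__main__":
    print(rank_stores(STORES, LINEAGE))
    print("unprotected movements:", unprotected_movements(STORES, LINEAGE))
```

Note that the production store ranks highest on volume, liability and proliferation alone, while the two unprotected test and export copies are the ones the movement check surfaces for a protection plan.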
36
Demonstration
37
Sensitive Data Visibility
Detect: Define policies and scan data stores. Protection status from Infa masking solutions. Ingest protection status from 3rd party.
Protect: Persistent masking. 3rd-party integrations: Sentry, Ranger, SFDC Shield. Scripting.
Communicate: Top data stores. Top data domains. Top departments.
38
User Activity & Data Movement
Detect: Out-of-the-box discovery from PowerCenter and Microsoft SSIS. Ingest proliferation from 3rd party. Ingest user activity from 3rd party.
Action: Alerting on events. Orchestrate user management. Scripting.
Communicate: Top users. Movement of unprotected data. Re-prioritization.
39
Anomaly Detection
Detect: Abnormal user behavior through machine learning and artificial intelligence.
Action: Alert. LDAP integration. Scripting.
Communicate: Highest-risk users. Top anomalies. Top data store.
40
Orchestration and Automation
Detect sensitive data risk across databases, big data, cloud and files.
Sensitive Data Visibility: Intelligently discover sensitive data risk across the organization.
User Access & Data Movement: Understand user access to sensitive data and how it moves through the enterprise.
Anomaly Detection: Continuously identify high-risk usage of sensitive data.
Orchestration and Automation: Protect – Alert – Communicate.
41
Action GDPR: Webinar Series
Understand Your Data
Identify Sensitive Data
Protect Sensitive Data
Execute on Data Rights
42
Helpful starting points for next steps
Visit our YouTube: Informatica GDPR previous webinars: Understanding your Data; Discovering your sensitive Data; Protecting sensitive data and enacting on consent; Execute on Data Rights.
Visit our Data Security Web Page.
GDPR Thought Leadership: GDPR – The Next Major Data Privacy Challenge; GDPR – Where to start?; The rise of the GDPR Data Lake.
Contact me:
43
Questions?