1. GDPR and the Data Warehouse
John Thompson

2. General Data Protection Regulation (GDPR)
Company
Turnover
Max Fine
Paddy Power
€8600m
€344m
Ryanair
€6500m
€260m
Musgrave
€4400m
€176m
Dunne's
€2500m
€100m
Aer Lingus
€1600m
€64m
Eir
€1300m
€52m
Boylesports
€1200m
€48m
Irish Rail
Applegreen
€1100m
€44m
Vodafone
€983m
€39m
New EU Laws Controlling Personal Data (PD)
Enforced from May 2018
Severe Penalties
What is personal data?
Irish Companies have been breached before
Bord Gais Laptop Theft 2009
SuperValu/AIG LoyaltyBuild Hack 2013,
Civil Service Payroll Accidental 2017
Our focus is data, not legal. Readiness rather than compliance
Security and Obligations
Can Aer Lingus quickly give me a copy of all my data if I ask for it?
Can Vodafone exclude me from call-circle analysis if I withdraw consent?
Are these single efficient processes or is there an expensive ad hoc manual effort every time?
Fines up to 4% of global turnover
Aer Lingus parent IAG has turnover of €20bn
Vodafone Group has turnover of €50bn

3. GDPR Obligations Security Consent Access/Portability
Automated Decisions
Objection/Restriction
Privacy by Design
Erasure
PIAs
Transfers
Data Protection Officer
Informed Consent raises the bar considerably about what you can and can’t do with people’s data without their consent.
Itemised consent for processes.
New process not covered by existing consent will require new consent
Children cannot consent themselves
Principle of Minimisation means that data controllers should not collect or store more information than is necessary
Legally grey area –necessary to provide the service or necessary to make a profit?
The principle of transparency means that data subjects have the right to know how you are using their data to make decisions that affect them
IP loss?
Ability to explain (neural nets)
Right to request manual process

4. Compliance Motivators
Efficiency
Revenue
Risk
Risk
Prosecution and Fines
Reputational damage – share price
Legal Exposure – class action
Government contract pre-requisite
Efficiency
Reduce operational costs, less data, less systems
Reduce maintenance costs
Expedite due diligence
Revenue
Reputation enhancement, selling point
Customer comfort and satisfaction
New opportunities, e.g. Government contract pre-requisite

5. Goals Design Implement Assess Steps to Readiness
Assess – determine the ‘where are we now’ in respect of detailed GDPR compliance points
Goals – Identify & prioritise areas for action
Design – determine what needs to be to done to achieve compliance in each area, both technical and process (policy)
Implement the design and associated polices
Be wary of compliance

6. Architecture Tactical vs Strategic
Users love this – they get what they want really quickly, there is are no complex processes to go through, nobody looking over their shoulder and they get to use the tools they want.
Lots of problems though – multiple copies of data all over the place, very difficult to keep track of where PD is and what people are doing it it, very difficult to ensure correct access and other policies are being applied or enforced, frequently no record of who accesses, copies or extracts data from these systems.
Fragmented approach difficult to maintain, secure, document
Departmental / Data Mart Implementations discouraged
Spread Marts, Local instances of Access, QV, power BI etc.
Heavily discouraged.
Need to know who has accessed data, so SharePoint style file banks etc. will need upgrading
Difficult to prevent entirely, but policies, reinforcement, education, deterrent and sanctions must apply.
Movement towards centralised, managed/curated Enterprise BI likely

7. Architecture Tactical vs Strategic
Instantly obvious that strategic architecture is much easier to keep track of and secure.
Consistent security model: implement security policies in one place
Central, expert management: can devote more resources towards providing sound security.
Fewer points of attack: When data is spread among dozens of data marts, a malicious employee can choose the weakest system to attack.
Simpler security maintenance: Many breaches are down to patches not being universally applied. A single data warehouse is much simpler to administer.

8. Action Areas Security Policies Processes Artefacts Design
Individual User Access
Security Features DB/BI
Access / Query Logging
Audits/Alerts
Policies
DP Categories
Access Levels
Notifiable Processes
Retention
BAR
Processes
Consent Recording
Consent Integration
Rights Activation
Rights Implementation
Artefacts
PD Inventory
Training
Design Accountability
Ownership
Design
Surrogation
Snowflaking
Aggregation
Profiles
Role Views
Basic security is all of the stuff that should already be in place to prevent, limit, detect and investigate breaches or leaks of data
Interfaces should be encrypted and recipients should be vetted for GDPR compliance
Access restrictions at the DB level can be implemented at various levels down to row and column.
BI tool should be secured also.
Should be able to personalise access privileges and manage by role/group
Need policies in place to disallow downloading or inappropriate data, screenshots etc.
Physical security – i.e. USBs, CD-ROM drives locked off.
Need to devise and document organizational rules for GDPR compliance.
What data is deemed PD, and what protections should be afforded different types of data
Who should get what privileges
What kinds of process require the data subject to be notified?
What kinds of process require consent to be obtained?
How long should data be kept in an accessible/readable form?
What should be done with it afterwards?
How do obligations like Erasure apply to archives and backups?

9. Questions