What Are Companies Doing About GDPR? Is Your Company Ready?
Adaptive, Inc. - DAMA Day - June 21, 2018
Confidential and Restricted. Adaptive, Inc. 2018
Copyright © 2018 Adaptive, Inc. All Rights Reserved.

Topics for Discussion
• How are organizations meeting GDPR requirements?
• What are the challenges? Why is it hard and expensive?
• Applying lessons learned: a practical implementation framework for meeting GDPR requirements
GDPR In a Nutshell

All about protecting personal data (customers are the usual case, but the regulation covers any identifiable natural person, employees and prospects included), which means:
• Knowing where protected classes of personal data are being stored
• Applying data protection controls on them
• Using them only when needed (purpose limitation)
• Keeping them only as needed (storage limitation)
• Deleting them at request (right to erasure)
• Sharing them at request (right of access and data portability)
• Knowing when they are misused/lost
• Notifying/responding when they are misused/lost
Protected Classes of Data

• Basic identity information such as name, address and ID numbers (PII or personally identifiable information)
• Web data such as location, IP address, cookie data and RFID tags (online identifiers are personal data under GDPR when they can be linked to a person)
• Health and genetic data
• Biometric data (when processed to uniquely identify a person)
• Racial or ethnic data
• Political opinions
• Sexual orientation

The last five are "special categories" under GDPR Article 9 (the full list also covers religious or philosophical beliefs, trade union membership and sex life). Processing them is prohibited unless a specific Article 9 condition applies, so they warrant the strictest technical controls and the tightest purpose limitation.
How Are Companies Addressing GDPR

A Risk and Controls Framework for GDPR Readiness

Policy & Governance Controls
• Hiring Key Corporate Officers
• Inventorying Data Processors
• Updating Privacy Policies
• Revising Data Protection Contracts with Suppliers
• Upgrading Incident Response Procedures

Data Controls
• Identifying Sources of Protected Data
• Mapping Sources to Business Functions/Uses of Data
• Implementing Technical Protection Controls at Sources based on Data Usage/Function
Policy & Governance Controls

Hiring the Right Officers
1. Have you formalized the title of Data Protection Officer (DPO, the term GDPR uses) and named who is accountable for the company's obligations as Data Controller? ("Controller" is the organization's legal role, not a job title, so it needs an accountable owner rather than a new hire.)
2. Have they been staffed?
3. Are their responsibilities and organizational structures clear?

Inventorying Data Processors
1. Are all Data Processors acting for the company identified, together with the internal systems and teams that handle personal data?
   o Implies that we know where customer data is stored throughout the enterprise, and that all Business and IT owners (in-sourced or outsourced) are identified
Policy & Governance Controls

Updating Privacy Policies
1. Does it provide the identity and contact information of the Data Protection Officer (DPO)?
2. Does it describe the purpose for storing customer data, and how it will be used?
   o CRITICAL: Purposes and uses need to be linked to business functions and operations
3. Does it describe what categories of personal data are being collected?
   o CRITICAL: Categories need to be linked to Business Glossaries/Data Dictionaries
4. Does it describe who data is being shared with?
5. Does it describe how long data will be maintained (and how this was determined)?
6. Does it lay out the customer's rights (to be forgotten, to lodge complaints)?
7. Does it describe what happens if there is a breach and what the consequences of non-compliance are?
Policy & Governance Controls

Revising Data Protection Contracts with Suppliers
1. Revisiting who in the Data Processors' organization can access customer data
2. Revisiting incident notification responsibilities (a processor must notify the controller without undue delay, or the controller's own 72-hour clock cannot be met)
3. Revisiting liability claims and insurance requirements
   o This is typically the most challenging area

Upgrading Incident Response Procedures
1. Can you meet the 72-hour window for notifying the supervisory authority of a personal data breach (GDPR Article 33), and notify affected individuals without undue delay when the breach is likely to put them at high risk (Article 34)? The 72 hours run from the moment the controller becomes aware of the breach, regardless of when a processor first detected it.
   o Implies strong data leakage and security event monitoring technical controls for all sources of protected data within all Data Processors
   o Implies comprehensive customer notification/escalation capabilities
Data Controls

Identifying Sources of Protected Data
1. Have you defined Protected Data into Critical Data Elements (CDEs) in your Data Dictionary?
2. Have you inventoried all Sources of CDEs front to back – mapping business apps to data classes (logical to physical)?

| Protected Data Class | Critical Data Element (CDE) |
|---|---|
| Identity Information | First Name; Last Name; Home or Physical mailing address; … |
| Web Data | IP address; MAC address; Website URL; … |
| Health and Genetic Data | Prescription; Medical ID/record number; Admit Date; … |
Data Controls

Mapping Sources to Business Functions/Uses of Data
1. Have you defined a Functional Taxonomy (function model), which maps to the uses of data?
2. Have you mapped Sources of data (business apps) to functions?

| Functional Category | Function |
|---|---|
| Sales and Marketing | Market Research; Advertising and Promotion; New Customer Acquisition; … |
| Customer Lifecycle Management | Onboarding and KYC; Customer Relationship Management; Customer Support; … |
| Product Management | Product Selection and Promotion; Product Strategy; New Product Development; … |
Data Controls

Implementing Technical Protection Controls
1. Encryption (in flight, at rest)
2. Access control (authentication, authorization)
3. Archival and Retention (information lifecycle management)
4. Deletion (for individual records and database values)
5. Distribution/Sharing
6. Monitoring/Incident Detection (leakage, security event)
7. Escalation (notification, communication)

Goal is to map control types to functions, data and systems in order to measure compliance. Per-record deletion is the control most often found missing in practice: it has to reach backups, analytics copies and logs, not only the system of record.
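The three data-control slides (CDE dictionary, function taxonomy, control types) combine into one check. The following is an added example, not code from the Adaptive deck: a small Python inventory model that derives, per source system, the missing control types, the purpose-limitation violations (a function using a data class it is not allowed to), an overall coverage figure, and the systems that would stall a right-to-erasure request. The data classes, the required-control matrix, the allowed-function map and the three systems are constructed assumptions for illustration.

```python
"""Control-coverage and purpose-limitation check over a protected-data
inventory. Added example, not from the Adaptive deck; every table below is
constructed for illustration."""
from dataclasses import dataclass

CONTROL_TYPES = ("encryption", "access_control", "retention",
                 "deletion", "sharing", "monitoring", "escalation")

# Data dictionary: Critical Data Element -> protected data class (constructed).
CDE_CLASS = {
    "first_name": "identity", "last_name": "identity", "mailing_address": "identity",
    "ip_address": "web", "mac_address": "web",
    "prescription": "health", "medical_record_number": "health",
}

# Control types required per data class at every source that holds it
# (assumption: special-category data such as health needs all seven).
REQUIRED_CONTROLS = {
    "identity": {"encryption", "access_control", "retention", "deletion", "monitoring", "escalation"},
    "web": {"access_control", "retention", "deletion", "monitoring"},
    "health": set(CONTROL_TYPES),
}

# Purpose limitation: business functions permitted to use each class (assumption).
ALLOWED_FUNCTIONS = {
    "identity": {"onboarding_kyc", "customer_support", "crm", "advertising"},
    "web": {"market_research", "advertising", "customer_support", "crm"},
    "health": {"customer_support"},
}


@dataclass(frozen=True)
class Source:
    """One business application: the functions it serves, the CDEs it holds
    and the technical controls actually implemented there."""
    name: str
    functions: frozenset
    cdes: frozenset
    controls: frozenset


def classes_held(source):
    """Protected data classes present at a source, resolved via the dictionary."""
    return {CDE_CLASS[c] for c in source.cdes if c in CDE_CLASS}


def unclassified_cdes(source):
    """CDEs the dictionary does not know: a governance gap, because no control
    requirement can be derived for them."""
    return set(source.cdes) - CDE_CLASS.keys()


def control_gaps(source):
    """{data_class: set of missing control types} for one source."""
    gaps = {}
    for cls in classes_held(source):
        missing = REQUIRED_CONTROLS[cls] - source.controls
        if missing:
            gaps[cls] = missing
    return gaps


def purpose_violations(source):
    """(data_class, function) pairs where a source uses a class for a function
    the taxonomy does not permit."""
    return {(cls, fn) for cls in classes_held(source)
            for fn in source.functions if fn not in ALLOWED_FUNCTIONS[cls]}


def coverage(sources):
    """Share of all (source, class, control) requirements that are met, 0..1."""
    required = met = 0
    for s in sources:
        for cls in classes_held(s):
            need = REQUIRED_CONTROLS[cls]
            required += len(need)
            met += len(need & s.controls)
    return met / required if required else 1.0


def erasure_blockers(sources):
    """Sources holding identity data without a per-record deletion control;
    each one stalls a right-to-erasure request."""
    return sorted(s.name for s in sources
                  if "identity" in classes_held(s) and "deletion" not in s.controls)


# Constructed inventory of three systems.
INVENTORY = [
    Source("crm", frozenset({"crm", "customer_support"}),
           frozenset({"first_name", "last_name", "mailing_address", "ip_address"}),
           frozenset({"encryption", "access_control", "retention", "deletion", "monitoring", "escalation"})),
    Source("adtech_feed", frozenset({"advertising", "market_research"}),
           frozenset({"ip_address", "mac_address", "prescription"}),
           frozenset({"access_control", "monitoring"})),
    Source("warehouse", frozenset({"market_research"}),
           frozenset({"first_name", "last_name", "loyalty_tier"}),
           frozenset({"encryption", "access_control", "retention", "monitoring", "escalation"})),
]

if __name__ == "__main__":
    for s in INVENTORY:
        print(s.name, control_gaps(s), purpose_violations(s), unclassified_cdes(s))
    print("coverage:", round(coverage(INVENTORY), 2))
    print("erasure blockers:", erasure_blockers(INVENTORY))
```

The interesting output is the adtech feed: it holds a prescription field (special-category data) with only two of seven required controls and uses it for advertising and market research, which the taxonomy forbids; that is both a control gap and a purpose-limitation finding. The warehouse shows the other common case from the deck: an unclassified field the dictionary cannot govern, and identity data with no per-record deletion, so it would block an erasure request.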
What are the Emerging Best Practices?

Reusable Simple Enterprise Models
• Either invest in modeling controls, functions and data relationships
• Or, invest in Knowledge Graphs or semantic ontologies (e.g., FIBO, RDF, commercial models)

Automated Harvesting
• Adaptors to build inventories of data and meta-data across the ecosystem of business apps
• Inference engines and machine learning classification models that map data from business apps to semantic models
How Much Investment is Required?
What Are the Key Challenges?

1. Identifying the list of Data Processors, and renegotiating liability and insurance clauses related to management of customer information
2. Modeling of business functions, data classes and required controls
3. Comprehensive identification of in-scope systems
4. Implementation of adequate technical data protection controls within in-scope systems – especially for the customer's Right to be Forgotten
A Path Forward

The Adaptive Data "Bank in a Box" Meta-Model (diagram, transcribed as an outline):

Data Governance Policy Management
• Policy Requirements; Policy Controls; Required Evidence; Control Rating Self Assessment; Action / Remediation Plan

Enterprise Data Management Model
• Data Controls; Required Evidence; Control Rating Self Assessment; Action / Remediation Plan
• Enterprise Function Model
• Business Information Model: Critical Data Elements; Business Rules; Identification of Golden Source; Data Quality Monitoring; Data Lineage Management; Data Issues Management
• Mappings to Business Applications
Adaptive "Bank in a Box"

• Data Governance in a Box, for the Banking industry
• Comes with Data Management policies pre-defined for the most significant regulations
• Comes with definitions of Banking business functions, information and data models, and insight and knowledge of which functions create and consume data
• Comes with pre-defined descriptions of Critical Data Elements for regulatory functions, as well as the core business and technical rules required to attest to their quality