Download - Findability Day 2016 - What is GDPR?
IBM
© IBM Corporation 2016
October 2016
These presentations are intended to provide friendly and helpful advice only, not a definitive statement of law
General Data Protection Regulation – Findability Day
Maria Sunnefors – Findability Business Consultant, Findwise
Gregory Campbell – Governance, Regulatory and Legal Consultant, IBM Analytics
General Data Protection Regulation Background and Overview
Gregory Campbell – Governance, Regulatory and Legal Consultant, IBM Analytics
The General Data Protection Regulation (GDPR) applies from 25 May 2018
The GDPR was published in the Official Journal of the EU on 4 May 2016 and, after a two-year transition period, applies directly from 25 May 2018 to any organisation that offers goods or services to, or monitors the behaviour of, individuals in the EU, whether or not the organisation is established in the EU
Introduces cross-industry breach reporting: notification to the supervisory authority within 72 hours of becoming aware of a personal data breach, where feasible, and communication to the affected individuals without undue delay where the breach is likely to result in a high risk to them, with the associated risk of severe reputational harm
Non-compliance can lead to administrative fines of up to €20m or 4% of total annual worldwide turnover, whichever is higher, so now is the time to build on the foundations you already have to ensure you Protect, Govern and Know Your Data
General Data Protection Regulation Technical Preparedness
Gregory Campbell – Governance, Regulatory and Legal Consultant, IBM Analytics
GDPR Technical Preparedness – Key Duties, Obligations & Sanctions
The slide diagram groups the duties below around four underlying capabilities: Archiving, Legal, Curation, Records & Retention.

Rights of EU Data Subjects
• Enhanced rights for data subjects in the EU, including erasure, access and portability
• Maintain data quality: amend, manipulate, erase and export data into usable formats in both structured and unstructured environments

Security of Personal Data
• Need to ensure a level of security appropriate to the risk, including 72-hour breach reporting to the supervisory authority
• Implement pervasive and intelligent internal and external network defences and access restrictions to reduce data risks, including data minimisation, pseudonymisation and encryption techniques

Lawfulness and Consent
• Processing is only lawful if at least one legal basis applies: consent; necessity for a contract; a legal obligation; protection of vital interests; a task in the public interest or the exercise of official authority; or legitimate interests
• Keep data subjects informed and manage requests in a transparent, efficient and effective manner, and consider appointing a Data Protection Officer (DPO)

Accountability of Compliance
• The need to demonstrate compliance with the principles relating to the processing of personal data pervades the GDPR
• Consider how compliance can be proven, including data protection impact assessments, codes of conduct and proactive certification

By Design and By Default
• Data controllers must implement technical and organisational measures which demonstrate compliance with the GDPR's core principles
• Plan for this in the long term, e.g. instrument and manage data syndication and data lineage

Administrative Fines for Non-Compliance
• Regulators can impose administrative fines of up to €20m or 4% of total annual worldwide turnover, whichever is higher
• Additional powers are also/alternatively available to regulators, including gaining access to data and premises, and auditing
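The "Security of Personal Data" duty above names pseudonymisation as a risk-reduction technique. The following is an added example, not code from the deck or from IBM, showing the one mistake practitioners make most often with it: replacing an identifier by an unkeyed hash. A date of birth, phone number or national ID number has a small input space, so anyone can recompute the hash over every candidate and read the "pseudonym" back. A keyed hash (HMAC) under a secret held separately from the data set closes that route. The sample date of birth, the field names and the 1900 to 1999 enumeration range are constructed for illustration.

```python
"""Pseudonymisation of identifiers: why an unkeyed hash is not enough.

Added example for the "Security of Personal Data" duty; not code from the
original deck or from IBM. Identifiers, field names and the enumeration
range are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from datetime import date, timedelta


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Looks opaque, but anyone can recompute it for every
    candidate value, so a small input space (dates, phone numbers, national
    ID numbers) is recovered by enumeration."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key the pseudonym cannot be
    recomputed, so enumeration fails. The key must be held separately from
    the pseudonymised data set; that separation is what makes the data
    pseudonymous rather than merely obfuscated."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def all_yymmdd(first: date = date(1900, 1, 1), last: date = date(1999, 12, 31)):
    """Every YYMMDD date of birth in one century: 36,524 candidates."""
    d = first
    while d <= last:
        yield d.strftime("%y%m%d")
        d += timedelta(days=1)


def reverse_by_enumeration(target: str, candidates, pseudonym_fn):
    """Attacker's view: recompute the public function over the candidate
    space and look for the target. Returns the recovered value or None."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonym_fn(candidate), target):
            return candidate
    return None


def pseudonymise_record(record: dict, key: bytes, fields=("ssn", "dob")) -> dict:
    """Replace direct identifiers in a record with keyed pseudonyms. The output
    is still personal data under the GDPR: whoever holds the key can reverse
    it, and equal inputs give equal tokens, so records stay linkable."""
    out = dict(record)
    for field in fields:
        if field in out:
            out[field] = keyed_pseudonym(out[field], key)
    return out


def demo() -> tuple:
    """Returns (value recovered from the naive hash, value recovered from the
    keyed hash by an attacker who does not hold the key)."""
    key = secrets.token_bytes(32)   # generated per run; in practice kept in a KMS/HSM
    dob = "880214"                   # constructed sample date of birth
    from_naive = reverse_by_enumeration(naive_pseudonym(dob), all_yymmdd(), naive_pseudonym)
    from_keyed = reverse_by_enumeration(keyed_pseudonym(dob, key), all_yymmdd(), naive_pseudonym)
    return from_naive, from_keyed


if __name__ == "__main__":
    print(demo())   # ('880214', None)
```

The enumeration in `demo()` runs the whole century of dates in well under a second on a laptop; a ten-digit phone number space is only a few orders of magnitude larger. Two design points follow: the key is the control, so its storage and access rights belong in the risk assessment alongside the data set, and because HMAC is deterministic the same key should not be reused across purposes where linkability itself is a risk.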
General Data Protection Regulation Architectural Preparedness
Gregory Campbell – Governance, Regulatory and Legal Consultant, IBM Analytics
GDPR Architectural Preparedness – Broad Requirements & Broad Capabilities
The six requirement areas the architecture must support:
• Lawfulness and Consent
• By Design and By Default
• Rights of EU Data Subjects
• Accountability of Compliance
• Security of Personal Data
• Administrative Fines for Non-Compliance
GDPR Architectural Preparedness – Solution Framework
Three layers:
• Dynamic Policy Management: define what, why and how long
• Data Infrastructure: control use, align cost to value
• Implementation Services: distribute policies to data sources

Data sources under management: Email Servers; User Devices & File Shares; ECM & Collaboration; Archive Platform; Master Data; Cloud & Social; Databases & Data Warehouse; Hadoop Platform

Cross-cutting elements: Policies, Rules, Audit, Processes, Analyses; Security & Compliance Monitoring

Requirement areas addressed: Lawfulness and Consent; By Design and By Default; Rights of EU Data Subjects; Accountability of Compliance; Security of Personal Data
GDPR Architectural Preparedness – Solution Framework – IBM Technology
The same three-layer framework (Dynamic Policy Management, Data Infrastructure, Implementation Services, over the same data sources and requirement areas) with IBM products mapped onto it: IBM Case Manager, IBM InfoSphere, IBM Atlas and IBM Optim
General Data Protection Regulation First Steps
Gregory Campbell – Governance, Regulatory and Legal Consultant, IBM Analytics
First Steps Towards GDPR Preparedness
1. Decide on your strategy and achieve board-level endorsement
2. Identify and assess key areas of risk by means of an appropriate assessment
3. Data mapping
4. Data and data source discovery, including:
   • Identification of sensitive data
   • Assessment of information handling procedures
General Data Protection Regulation Content Inventory
Maria Sunnefors – Findability Business Consultant, Findwise
Content Inventory – What is where?
• Phase 1: Scoping – patterns and sources
• Phase 2: Discovery – explore
• Phase 3: Analysis – compliance?
Phase 1: Scoping – Where to look and what to look for?
1. Identify source and content owners
2. Identify and prioritize sources
3. Identify patterns to look for

Example patterns (letters stand for digit or character positions):
• Social security number: aaa-gg-ssss (area, group, serial)
• Name: Aaaaa Aaaaaaa
• Phone numbers: 0xx - xxxx xx xx, 0xxx xx xx xx
• IP address: dotted-decimal IPv4, nnn.nnn.nnn.nnn
• Date of birth: YYMMDD
• E-mail address: local-part@domain
Phase 2: Discovery – What is where?
Index the prioritized sources, search the index for the scoped patterns, and display the hits per source (index → search → display)
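The Scoping and Discovery phases above come down to a pattern list and a search over the sources. The following is an added example, not code from the deck or from Findwise, that runs exactly that over a few constructed text sources: the regexes encode the deck's own patterns (aaa-gg-ssss, the two Swedish phone layouts, dotted IPv4, YYMMDD, e-mail), and each syntactic hit is checked against the documented structure of the format before it counts, because without that step a discovery run is dominated by build numbers, malformed addresses and template placeholders. The source names, file contents and validation rules are constructed for illustration; the inventory records only offsets and counts, never the matched values, so the discovery output does not itself become another copy of the personal data it finds.

```python
"""Pattern-based personal-data discovery over a set of text sources.

Added example for the Scoping and Discovery phases; not code from the
original deck or from Findwise/IBM. Source names, contents and validation
rules are constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime

# Scoping: the patterns to look for, as named regexes. The letters in the deck
# (aaa-gg-ssss, 0xx - xxxx xx xx, YYMMDD) become digit classes here.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                          # aaa-gg-ssss
    "phone": re.compile(r"\b0\d{2,3}(?: ?- ?| )\d{2,4}(?: \d{2}){2}\b"),  # 0xx - xxxx xx xx / 0xxx xx xx xx
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),                   # nnn.nnn.nnn.nnn
    "dob": re.compile(r"\b\d{6}\b"),                                       # YYMMDD
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


# Validators reject syntactic hits that cannot be real values. The SSN rule
# follows the published structure (area never 000, 666 or 9xx; group never
# 00; serial never 0000); IPv4 octets must fit a byte; YYMMDD must be a date.
def _valid_ssn(value: str) -> bool:
    area, group, serial = value.split("-")
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def _valid_ipv4(value: str) -> bool:
    return all(int(octet) <= 255 for octet in value.split("."))


def _valid_dob(value: str) -> bool:
    try:
        datetime.strptime(value, "%y%m%d")
        return True
    except ValueError:
        return False


VALIDATORS = {"ssn": _valid_ssn, "ipv4": _valid_ipv4, "dob": _valid_dob}


def find_pii(text: str) -> list[tuple[str, int, int]]:
    """Return (kind, start, end) for every validated hit, ordered by offset.

    Only offsets are returned, not the matched values: the inventory must not
    become another uncontrolled copy of the personal data it finds.
    """
    hits = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if VALIDATORS.get(kind, lambda _: True)(m.group(0)):
                hits.append((kind, m.start(), m.end()))
    return sorted(hits, key=lambda h: h[1])


def inventory(sources: dict[str, str]) -> dict[str, Counter]:
    """Discovery: count validated hits per pattern kind for each source."""
    return {name: Counter(kind for kind, _, _ in find_pii(text))
            for name, text in sources.items()}


# Constructed sample sources (not real data).
SAMPLE_SOURCES = {
    "hr-share/onboarding.txt": (
        "New hire Anna Andersson, SSN 123-45-6789, born 880214, "
        "phone 0708 12 34 56, e-mail anna.andersson@example.com\n"
    ),
    "it/syslog-extract.log": (
        "2016-10-03 auth failure from 10.0.14.77 for user svc_backup\n"
        "2016-10-03 auth failure from 999.1.1.1 (malformed source)\n"  # octet > 255: rejected
        "build 201610 completed\n"                                      # six digits, month 16: rejected
    ),
    "sales/crm-export.csv": (
        "contact;phone;note\n"
        "Bo Svensson;031 - 1234 56 78;interested\n"
        "placeholder 000-00-0000 in template\n"                         # area 000: rejected
    ),
}

if __name__ == "__main__":
    for source, counts in inventory(SAMPLE_SOURCES).items():
        print(f"{source}: {dict(counts) or 'no validated hits'}")
```

Run against the constructed sources, the HR file reports one hit of each of SSN, date of birth, phone and e-mail, the log reports one valid IPv4 address (the 999.x address and the six-digit build number are dropped by validation), and the CRM export reports one phone number. In a real content inventory the same `find_pii` function runs inside the indexing step of the search platform, and the Analysis phase works from the per-source counts and owners rather than from the values.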
Phase 3: Analysis
• Source by source
• Explicit consent?
• Processes and routines
• Legal advice
• Risk and compliance

We have to care and act!
• Create awareness
• Know your data
• Data protection is a good thing!
• Allocate resources

Findwise Content Inventory
General Data Protection Regulation – Findability Day – Thank You!
Maria Sunnefors – Findability Business Consultant, Findwise
Gregory Campbell – Governance, Regulatory and Legal Consultant, IBM Analytics