12/1/2016


Drawing a Map: Where Are You Now?

Where Do You Need to Go?

Dana Simberkoff, CIPP/US, Chief Compliance and Risk Officer, AvePoint

Christina Peters, CIPP/US, CPO, IBM

Practical Privacy Series 2016

9:30 a.m. – 10:15 a.m.

Presenter

Dana Louise Simberkoff, JD, CIPP, Chief Compliance and Risk Officer, AvePoint

[email protected]

Blog: www.DocAve.com

https://www.linkedin.com/in/danalouisesimberkoff

@danalouise



© 2016 IBM Corporation. IBM internal use only.

Global Sales Leadership Academy

Christina Peters, IBM Chief Privacy Officer

[email protected]

©AvePoint, Inc. All rights reserved. Confidential and proprietary information of AvePoint, Inc.

• Introductions (some questions to get us started)

• The IBM Perspective

• Benchmarking Global Readiness: the AvePoint and CIPL Survey

• Questions


IBM at a glance

400,000+ employees; 170+ countries; a well-established privacy program.

Key business segments: Services, Software, Hardware, Research, Financing, Cognitive, Cloud.


Diverse businesses, diverse challenges

Business areas: Cloud, Analytics, Cognitive, Security, Education, Commerce, Digital Business, Watson, Mobile, Social, Watson Health, IT Infrastructure, IoT, Industry Solutions, GBS, GTS.

IBM acts both as a controller (IBM data) and as a processor (client data).


Cross-company GDPR project: a GDPR project was established to help business units take ownership of the various challenges, to provide and promote common approaches, and to share solutions.

GDPR Implementation Project, supported by a GDPR public community and an internal community.


IBM as a controller: using the existing Global Privacy Assessment (GPA) to help internal business owners prepare for the GDPR in the course of 2017.


Partnership with Chief Data Office. . . privacy in sync with data strategy


Successful implementation of data strategy depends upon a sophisticated approach to governance from beginning to end.

Existing data assets and tooling: Streams; Spark, SQL, DataStage; search indices.

Features:

• Analysis across data sets
• Expanded access
• Ongoing integration of new data
• Improved data quality
• Timely access

Governance drives value from ingestion to access:

• Data stewardship
• Metadata management
• Data curation
• Data catalog
• Rationalization of data purchases
• Scalable and secure role/access authorization
• Privacy and security
• Reporting
• Auditing
• Feedback and resolution process

Underpinned throughout by security, provenance, and privacy/policy enforcement.


Established framework for managing data end-to-end

The CDO data strategy integrates the data governance disciplines (each with detailed data governance processes) with the data management components (which provide integrated management of the data governance practices). Elements of the framework:

• Policies, audits and controls
• Stewardship and data governance
• Organizational support (BUDO, FUDO)
• Data acquisition
• Data ingestion
• Data integration
• Metadata management
• Data quality
• Information storage management
• Data security, privacy and regulatory compliance
• Data access


Key goals for GDPR implementation. . . go beyond compliance

GDPR strategy, built on policies, education, technical automation and measurement: Innovate with Confidence!


AvePoint & CIPL's first global survey to benchmark organisations’ readiness for the GDPR


Bridging regions. Bridging industry and regulators. Bridging privacy and data-driven innovation.

A global privacy and security think tank: 45+ member companies; 5+ active projects and initiatives; 20+ conferences, workshops and events annually; 15+ principals and advisors.

We INFORM through publications and events. We NETWORK with global industry and government leaders. We SHAPE privacy policy, law and practice. We CREATE and implement best practices.

ABOUT US

The Centre for Information Policy Leadership (CIPL) is a global privacy and security think tank, based in Washington, DC, Brussels and London. It was founded in 2001 by leading companies and Hunton & Williams LLP. CIPL works with industry leaders, regulators and policy makers to develop global solutions and best practices for privacy and the responsible use of data to enable the modern information age.

twitter.com/the_cipl

linkedin.com/company/centre-for-information-policy-leadership

www.informationpolicycentre.com

Bojana Bellamy

President

[email protected]

Markus Heyder

Vice President & Senior Policy Counselor

[email protected]

Michelle Marcoot

Director, Business Development

[email protected]

2200 Pennsylvania Avenue

Washington, DC 20037

Park Atrium, Rue des Colonies 11

1000 Brussels, Belgium

30 St Mary Axe

London EC3A 8EP



AvePoint awards: Deloitte Technology Fast 500; Inc. Magazine Hire Power Award; Ernst & Young Entrepreneur of the Year; Windows IT Pro Best SharePoint Product.

Founded in 2001, AvePoint helps more than 15,000 organizations accelerate the migration, management, and protection of their data no matter where it lives, including IT systems on premises, in the cloud, and in hybrid environments.

GDPR Survey

CIPL and AvePoint launched a global GDPR readiness survey to:

• Assess the current state of readiness for the GDPR
• Benchmark and evaluate readiness in relation to industry peers on an ongoing basis
• Understand the key changes and compliance obligations under the GDPR
• Help organisations determine the best implementation path forward and make appropriate resource and budgetary requests to meet their goals

The survey focuses on the key change areas in the GDPR, including:

• Consent and consent for children

• Legitimate interest

• Profiling

• Data portability

• Privacy impact assessments

• Data protection by design

• DPOs and resources

• Data breach reporting

• Transfers to third countries

• Accountability and privacy management programme


Survey Participants Snapshot – 232 responses

Job titles

• Chief Privacy Officer/Data Protection Officer
• Senior Director Global Privacy
• Legal Counsel/Attorney
• Information Security Officer
• Manager
• Consultant
• Vice President

Company revenues: from less than $1 million to greater than $100 billion

Survey participants' location

• 70% Europe
• 27% Americas
• 2% Asia
• 1% Africa

• 93% operate in Europe
• More than half operate in the US
• Under half in Latin America
• Under half in Asia Pacific

[Bar chart: a distribution with bars at 21%, 16%, 13%, 11%, 8%, 5%, 4%, 3%, 3%, 3%, 2%, 2%, 2%, 2%, 2% and 1%; the category labels did not survive extraction.]

Key Insights

• Consent and Legitimate Interest

• DPIA and Privacy by Design

• Security Breach Notification

• Controller-Processor Agreement

• Data Transfers outside EU – HR, Customer and Data Transfers to Vendors

• Organisational Readiness and Resources for GDPR Implementation


GDPR: Organisational Readiness

Readiness (chart; the percentages, which include a 31% figure and a "1 in 5" figure, could not be matched to their categories during extraction):

• Have committed additional headcount, budget or external counsel spend
• No additional resources
• Have started internal discussions

Senior management key concerns, by level of impact: enhanced sanctions; data breach reporting; stricter rules on consent and reuse; individual rights; changes to the internal privacy program.

GDPR requirements: where do you stand?

• Individual rights
• Data breach notification
• Privacy management programme
• Use of, and contracting with, processors

Legitimate interests, privacy by design, DPIAs and risk are the areas requiring the most clarification.

Equally, processors are not ready for the new obligations imposed on them by the GDPR.


Consent & Legitimate Interest

• 90% use consent for the majority or some of their data processing today
• 78% do not consistently obtain separate consent for different processing operations
• 83% are currently using legitimate interest, or will be post-GDPR
• 33% will be relying more on the legitimate interest legal basis under the GDPR than they currently do

• Heavy reliance on consent today: over a third of organisations use it for the majority of their processing (38%) and over a half (53%) for limited processing.
• Only a third or a quarter of organisations currently comply with the new GDPR consent requirements: only 22% gather consent for separate processing operations, 34% are able to demonstrate consent in all instances, and 3/4 require consent as a condition of the product/service.

Privacy by Design? Impact assessment capabilities?

Data Protection Impact Assessments (DPIAs)

• 50%+ conduct DPIAs in the circumstances required by the GDPR
• have a framework and procedures to identify and classify risk
• use an in-house or commercial automated system for DPIAs
• of current DPIAs are carried out in Word/Excel format

(The chart's fractions, 1/3, 1/4 and 2/3, belong to the last three statements but could not be reliably matched to them during extraction.)

• 40% already incorporate Privacy by Design for all new projects
• 42% already incorporate Privacy by Design in some instances


Security Design Assessments

• 41% conduct security design assessments on NEW IT systems
• 59% only conduct security design assessments on EXISTING IT systems
• 3/4 run assessments manually

(41% and 59% are complementary; the 3/4 figure is matched to "run assessments manually" from extraction order.)

Do you know what you have and how to treat it?

Data Classification & Lifecycle Management

• 1/3 of organisations currently tag sensitive content
• 40% do not know how data is treated or processed throughout its lifespan

(Figures matched to statements from extraction order.)


Data Inventories

• 76% have an internal data inventory/record of processing
• 1/2 have no data inventory or internal records of processing with the information required by the GDPR
• 60% have inventories of international data transfers

(Figures matched to statements from extraction order.)

Breach Notification

What measures and procedures do you currently have in place to respond to data breaches?

• Internal reporting procedures / hotlines: 75.6%
• Incident response plan: 77.6%
• Incident response team: 63.5%
• Conduct dry-run/data breach scenarios: 33.3%
• Cyber insurance coverage: 31.4%
• PR and media consultant retained: 32.7%
• Forensic experts retained: 28.2%
• None: 7.1%
• Other: 10.9%

77% are subject to a data breach reporting obligation, or to voluntary reporting, under US, e-Privacy, national EU or other law.

The great majority (64-78%) have breach notification reporting, a response plan and a response team.

But just under a third have PR, media and forensic teams in place, conduct dry runs and have cyber insurance.


Controller – Processor Relationship & Agreements

Are controllers reviewing and negotiating current agreements?

• 1/3 are in progress
• 40% have not yet started

(Figures matched to statements from extraction order.)

Only a half have contracts that address individual rights and require the processor to provide information.

The majority of organisations’ standard processing agreements already reflect some of the new GDPR requirements (76%).

Controller Processor Agreement: do your standard data processing terms include additional terms required by the GDPR?

• Contract imposes a duty of confidentiality on relevant staff: 76.8%
• Contract prevents sub-processing without consent: 70.4%
• Contract addresses data subject rights: 56.3%
• Contract requires the processor to notify data breaches: 73.2%
• Contract requires the processor to provide assistance in respect of regulatory queries: 68.3%
• Contract requires the processor to make information about the processing it carries out available to the controller: 52.1%
• N/A: 12.7%

• A great majority of standard terms already include the new requirements of the GDPR.
• Just over a half of organisations address individual rights in contracts and require the processor to provide information about the processing.


Questions?

Resources


Some Tools to Help Organisations


DO

• AvePoint Privacy Impact Assessment System: our free privacy impact assessment tool, exclusively distributed by the International Association of Privacy Professionals (IAPP). https://iapp.org/resources/apia/

LEARN

• GDPR Benchmark Report: download the full report
• White paper: The Operational Impact of the European Union General Data Protection Regulation (GDPR) on IT
• GDPR Blog Series: more ways to learn
• AvePoint’s GDPR Solutions: tools for GDPR compliance, www.avepoint.com/GDPR


Questions?
