
Copyright © 2017, SAS Institute Inc. All rights reserved.

EU GDPR – 288 days to comply!

A Personal Data Challenge

Presented by:

Casper Pedersen

SAS Global – Data Management


Why should we care?


Ashley Madison – July 2015

• An infidelity website that had the data of its 37 million users leaked to the public by hackers


https://www.cnil.fr/en/data-protection-around-the-world

• Australia – APP
• Brazilian Internet Act
• Canada – PIPEDA
• Chile’s Act on the Protection of PD
• Colombia’s Regulatory Decree 1377
• EU GDPR
• Hong Kong’s Personal Data Ordinance
• India – Information Technology Act
• Japan – The Personal Information Protection Act
• Malaysia – PDP Act 2010
• Mexico – Federal Law for the Protection of PD Possessed by Private Persons
• Morocco’s Data Protection Act
• New Zealand’s Privacy Act of 1993
• Philippines – Republic Act No. 10173
• Singapore – PDP Act
• South Africa – PoPI
• South Korea – Act on Promotion of Information and Communications Network Utilization and Data Protection
• Switzerland – Federal Act on Data Protection
• Taiwan – Computer-Processed Personal Data Protection Law
• Turkey – KVKK
• USA – HIPAA, COPPA, CalOPPA

A global initiative for a global use case


1. Responsibility and accountability
   a. Data Protection Impact Assessments (DPIA)
   b. Privacy by Design and Privacy by Default

2. Consent
   a. Valid consent must be explicit for the data collected and the purposes the data is used for
   b. Data controllers must be able to prove consent (opt-in), and consent may be withdrawn

3. Data Protection Officer
   a. Ensure compliance within the organization

4. Data Breaches
   a. How will you react to a data security breach?
   b. Legal obligation to notify the Supervisory Authority without undue delay

5. Right to erasure
   a. Right to be forgotten / deleted

6. Data portability
   a. Transfer their personal data from one electronic processing system into another
   b. Cross-border data transfers


What’s it about?


• Do we have an overview of all data sources?
• What is the risk level for each data source?
• Can we show a report where Personal data are located?
• Can we show that processes are in place?
• What is Personal Data?
• Do we control access rights?
• Do we log user activity for each and every data store?
• Does duplication and poor data quality make it difficult to “be erased and forgotten”?
• And how do we identify Personal Data?
• Do you have documentation and audit trails?

Internal Challenges / Towards Authorities

What are the challenges?


“In the middle of difficulty lies opportunity.” – Albert Einstein


Internal Challenges / Towards Authorities / The Link

The changing organization


Data flow analysis
• Identify, categorize and risk assess data flows
• Recommend and describe control measures
• Report measures based on prioritized risks

Incident management
• Standard automated process
• Identify, categorize and add measures. Link to risk assessment and policies

Policy management
• Standard process
• Policy lifecycle
• Link together with incidents and risk assessment from the data flow analysis


Towards authorities


• Identify data flow
• Access data flow
• Mitigate data flow risks
• Reports

ACCELERATOR FOR EU DATA PROTECTION


5-Step Approach for Sustainable Compliance: ACCESS, IDENTIFY, GOVERN, PROTECT, AUDIT


• Access to any kind of Relational and Non-Relational Sources
• Unstructured and Big Data Integration
• Apply Enterprise-wide Security Policies
• Simplify the Security & Governance effort


What is


Personal Data Identification Analysis
• Categorize the Information

Casper Pedersen – Individual
casper.pedersen@sas.com – E-mail
230376-5512 – Social Security Number


Personal Data Extraction
• Extract Information to Personal Data Attributes

Input: casper pedersen, Casper.Pedersen@SAS.com
Individual: Casper Pedersen
E-mail: casper.pedersen@sas.com

Input: Dan Soceanu 919-677-8000
Individual: Dan Soceanu
Phone: +19196778000


Example: Extracting social security numbers using the Quality Knowledge Base for Personal Data. The same technique applies for ALL Personal Data Types …

Easily find Personal Data where data is mixed and messy.


Extract Personal Data from Unstructured Documents
• Process
  1. Convert Document into Readable Flow
  2. Categorize & Extract Personal Data
  3. Aggregate & Present Results
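The identification, extraction and aggregation steps described in the slides above (categorize the information, extract it to standardized personal data attributes, aggregate the results), as an added example that is not part of the deck and not SAS Quality Knowledge Base code. The regular expressions and the tiny first-name dictionary are hypothetical stand-ins for QKB definitions, the SSN pattern only mirrors the shape of the slide's sample, and US numbers are assumed for the phone format.

```python
import re
from collections import Counter

# Constructed sample text in the slides' "mixed and messy" style. The names,
# addresses and numbers are the slides' own examples; the surrounding wording
# and the duplicate record are made up to show the aggregation step.
SAMPLE_TEXT = """Contact: casper pedersen, Casper.Pedersen@SAS.com
Dan Soceanu can be reached at 919-677-8000 (US office).
Applicant SSN 230376-5512 on file. Duplicate: casper pedersen <casper.pedersen@sas.com>
"""

# Hypothetical stand-ins for Quality Knowledge Base definitions: a tiny first-name
# dictionary for "Individual" and regular expressions for the other categories.
# The SSN pattern mirrors the slide's sample (230376-5512); the phone pattern
# covers US-style numbers like the slide's 919-677-8000.
FIRST_NAMES = {"casper", "dan"}
PATTERNS = {
    "E-mail": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "Phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "Social Security Number": re.compile(r"\b\d{6}-\d{4}\b"),
    "Individual": re.compile(r"\b([A-Za-z]+) ([A-Za-z]+)\b"),
}


def standardize(category, value):
    """Normalise a raw match to the attribute form shown on the extraction slide."""
    if category == "E-mail":
        return value.lower()                 # Casper.Pedersen@SAS.com -> casper.pedersen@sas.com
    if category == "Phone":
        digits = re.sub(r"\D", "", value)    # 919-677-8000 -> +19196778000 (US code assumed)
        return "+1" + digits if len(digits) == 10 else "+" + digits
    if category == "Individual":
        return value.title()                 # casper pedersen -> Casper Pedersen
    return value                             # the SSN sample is already canonical


def extract_personal_data(text):
    """Categorize & extract, then aggregate: {category: {standard value: occurrences}}.
    Standardizing before counting collapses the messy duplicates into one record."""
    found = {category: Counter() for category in PATTERNS}
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if category == "Individual" and match.group(1).lower() not in FIRST_NAMES:
                continue                     # dictionary lookup rejects ordinary word pairs
            found[category][standardize(category, match.group(0))] += 1
    return {category: dict(counter) for category, counter in found.items()}


if __name__ == "__main__":
    for category, values in extract_personal_data(SAMPLE_TEXT).items():
        for value, count in values.items():
            print(f"{category:24} {value:28} x{count}")
```

Running it on the constructed text reports one e-mail address and one individual for Casper Pedersen, each seen twice, which is the single view of a person that erasure requests depend on.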


Personal Data Extraction from Unstructured Documents


GDPR requires organizations to leverage personal data as a corporate asset through the formal orchestration of:

• People – DPO, Processor, Controller, Subject
• Technology – Data Access, Data Quality, Data Governance, Risk Management
• Processes – Data Acquisition, Transfer, Analysis, Breach, Alteration, Destruction, Retention, Minimization, Consent Management


Defining Enterprise-wide personal data governance standards

• Document Personal Data and GRC terms definition and concepts between Business, Legal & IT
• Browser-based application to manage & document data standards
• Assign roles and responsibilities
• Collaboratively define business terms & data quality standards
  - Term hierarchies
  - Custom term attributes
  - Search terms
  - Security and authorizations
  - Versioning & roll back
  - Email notifications
  - 3rd Party Software Integration

IP Address
• How do we define?
• How do we collect?
• Where is it stored?
• Who can access?
• Who is responsible?
• How do we use?
• How do we secure?
• How do we control?


• Automated Personal Data glossary
• Define Business Terms in order to align Business & IT
• Get a clear overview on roles & responsibility!


• Link Systems, Processes and Business Owners in data flows


• Anonymization (removing PD)

• Pseudonymization (replacing PD)

• Encryption (encoding PD)


• Log and monitor usage of personal data.
• Audit usage of personal data to demonstrate compliance with privacy controls.
• Analyze and report to prove that personal data is not at risk.


• Managing Data Quality to ensure the effectiveness of compliance measures and processes.


Time & Cost

• Pre-built GDPR assets based on proven technology

• Quick Start Services & Partners

Open

• Connect to any source, anywhere, anytime

• Not a black box – the GDPR accelerator is expandable

Complete & Integrated

• Centralized security management

• Virtual user-based data access across many sources

Solid DQ Foundation

• Proven Quality Knowledge Base available in most languages

• Single view of individuals for effective consent management, right to be forgotten

Beyond compliance

• Building the foundation for sustainable data governance

• Supporting data-driven initiatives for new business benefits

Intuitive and user friendly applications

Why choose SAS?

SAS EGRC
SAS Data Management
SAS Federation Server
SAS for Personal Data Protection


What’s next?

• Resources
  • SAS for GDPR Solution Brief
  • SAS 5-Step for GDPR Whitepaper
  • Webinar

• Hands-on workshop
  • Formalize needs
  • Identify challenges & gaps
  • Raise internal awareness
  • Experiment with SAS solution
  • Identify way forward

• PS Quick Start Offering
  • Kick-Off Workshop
  • Installation & basic configuration
  • Implementation for 1 data source
  • Coaching of your resources


Thank you for your time.

Presented by:

Casper Pedersen
