Copyright © 2017, SAS Institute Inc. All rights reserved.
EU GDPR – 288 days to comply!
A Personal Data Challenge
Presented by:
Casper Pedersen
SAS Global – Data Management
Why should we care?
Ashley Madison – July 2015
• An infidelity website had the data of its 37 million users leaked to the public by hackers
A global initiative for a global use case
https://www.cnil.fr/en/data-protection-around-the-world
• Australia – APP
• Brazilian Internet Act
• Canada – PIPEDA
• Chile’s Act on the Protection of PD
• Colombia’s Regulatory Decree 1377
• EU GDPR
• Hong Kong’s Personal Data Ordinance
• India – Information Technology Act
• Japan – The Personal Information Protection Act
• Malaysia – PDP Act 2010
• Mexico – Federal Law for the Protection of PD Possessed by Private Persons
• Morocco’s Data Protection Act
• New Zealand’s Privacy Act of 1993
• Philippines – Republic Act No. 10173
• Singapore – PDP Act
• South Africa – PoPI
• South Korea – Act on Promotion of Information and Communications Network Utilization and Data Protection
• Switzerland – Federal Act on Data Protection
• Taiwan – Computer-Processed Personal Data Protection Law
• Turkey – KVKK
• USA – HIPAA, COPPA, CalOPPA
1. Responsibility and accountability
   a. Data Protection Impact Assessments (DPIA)
   b. Privacy by Design and Privacy by Default
2. Consent
   a. Valid consent must be explicit for the data collected and the purposes for which it is used
   b. Data controllers must be able to prove consent (opt-in), and consent may be withdrawn
3. Data Protection Officer
   a. Ensure compliance within the organization
4. Data Breaches
   a. How will you react to a data security breach?
   b. Legal obligation to notify the Supervisory Authority without undue delay
5. Right to erasure
   a. Right to be forgotten / deleted
6. Data portability
   a. Data subjects can transfer their personal data from one electronic processing system into another
   b. Cross-border data transfers
What’s it about?
What are the challenges?
Internal Challenges / Towards Authorities
• Do we have an overview of all data sources?
• What is the risk level for each data source?
• Can we show a report where Personal Data are located?
• Can we show that processes are in place?
• What is Personal Data?
• Do we control access rights?
• Do we log user activity for each and every data store?
• Does duplication and poor data quality make it difficult to “be erased and forgotten”?
• And how do we identify Personal Data?
• Do you have documentation and audit trails?
“In the middle of difficulty lies opportunity” (Albert Einstein)
The changing organization: Internal Challenges – Towards Authorities – The Link
Data flow analysis
• Identify, categorize and risk assess data flows
• Recommend and describe control measures
• Report measures based on prioritized risks
Incident management
• Standard automated process
• Identify, categorize and add measures; link to risk assessment and policies
Policy management
• Standard process
• Policy lifecycle
• Link together with incidents and risk assessment from the data flow analysis
(Diagram: Policy Management, Incident Management and Data Flow Analysis feeding reporting towards authorities)
ACCELERATOR FOR EU DATA PROTECTION
Identify data flow → Assess data flow → Mitigate data flow risks → Reports
5-Step Approach for Sustainable Compliance: ACCESS, IDENTIFY, GOVERN, PROTECT, AUDIT
5-Step Approach for Sustainable Compliance – ACCESS
• Access to any kind of Relational and Non-Relational Sources
• Unstructured and Big Data Integration
• Apply Enterprise-wide Security Policies
• Simplify the Security & Governance effort
5-Step Approach for Sustainable Compliance – IDENTIFY
What is
Personal Data Identification Analysis
• Categorize the Information
  Casper Pedersen → Individual
  [email protected] → E-mail
  230376-5512 → Social Security Number
Personal Data Extraction
• Extract Information to Personal Data Attributes
  “casper pedersen, [email protected]” → Individual: Casper Pedersen
  “Dan Soceanu 919-677-8000” → Individual: Dan Soceanu; Phone: +19196778000
Example: Extracting social security numbers using the Quality Knowledge Base for Personal Data.
The same technique applies for ALL Personal Data Types …
Easily find Personal Data where data is mixed and messy
Extract Personal Data from Unstructured Documents
• Process
  1. Convert Document into Readable Flow
  2. Categorize & Extract Personal Data
  3. Aggregate & Present Results
Personal Data Extraction from Unstructured Documents
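The categorize-and-extract and aggregate steps above, as an added example that is not part of the deck or of the SAS Quality Knowledge Base: a small Python extractor that pulls e-mail, phone, personal-number and individual attributes out of mixed free text, normalizes phone numbers the way the slide shows, and aggregates the findings per document for a report. The known-individuals list, the sample documents and the e-mail address are constructed; a US default country code for phone numbers and the DDMMYY-NNNN number shape taken from the slide's example are assumptions.

```python
import re
from collections import defaultdict

# Constructed stand-in for a name lookup (the deck uses the Quality Knowledge Base).
KNOWN_INDIVIDUALS = {"casper pedersen", "dan soceanu"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Personal number in the DDMMYY-NNNN shape of the slide's example (230376-5512).
SSN_RE = re.compile(r"\b\d{6}-\d{4}\b")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")

def normalize_phone(raw, default_cc="1"):
    """Reduce a phone string to +<digits>; assumes a US country code when none is given."""
    digits = re.sub(r"\D", "", raw)
    return "+" + digits if raw.strip().startswith("+") else "+" + default_cc + digits

def categorize(text):
    """Step 2: categorize and extract personal data attributes from one text.
    Patterns run from most to least specific, and each match is blanked out so a
    personal number is not later re-read as a phone number."""
    found, rest = [], text
    for label, rx in (("E-mail", EMAIL_RE),
                      ("Social Security Number", SSN_RE),
                      ("Phone", PHONE_RE)):
        for match in rx.findall(rest):
            found.append((label, normalize_phone(match) if label == "Phone" else match))
        rest = rx.sub(" ", rest)
    # Individuals: case-insensitive lookup against the (constructed) name list.
    for name in sorted(KNOWN_INDIVIDUALS):
        if name in rest.lower():
            found.append(("Individual", name.title()))
    return found

def aggregate(documents):
    """Step 3: collect (document, value) pairs per category for the report."""
    report = defaultdict(set)
    for doc_id, text in documents.items():
        for label, value in categorize(text):
            report[label].add((doc_id, value))
    return {label: sorted(pairs) for label, pairs in report.items()}

# Constructed sample documents in the shape of the slide's examples.
DOCS = {
    "crm-note-1": "casper pedersen, casper.pedersen@example.com",
    "support-ticket-7": "Call Dan Soceanu at 919-677-8000 re: case 230376-5512",
}

if __name__ == "__main__":
    for label, pairs in aggregate(DOCS).items():
        print(label, pairs)
```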
5-Step Approach for Sustainable Compliance – GOVERN
GDPR requires organizations to leverage personal data as a corporate asset through the formal orchestration of:
People – DPO, Processor, Controller, Subject
Technology – Data Access, Data Quality, Data Governance, Risk Management
Processes – Data Acquisition, Transfer, Analysis, Breach, Alteration, Destruction, Retention, Minimization, Consent Management
Defining Enterprise-wide personal data governance standards
• Document Personal Data and GRC term definitions and concepts between Business, Legal & IT
• Browser-based application to manage & document data standards
• Assign roles and responsibilities
• Collaboratively define business terms & data quality standards
  - Term hierarchies
  - Custom term attributes
  - Search terms
  - Security and authorizations
  - Versioning & roll back
  - Email notifications
  - 3rd Party Software Integration
(Diagram, example term “IP Address”: How do we define? How do we collect? Where is it stored? Who can access? Who is responsible? How do we use? How do we secure? How do we control?)
• Automated Personal Data glossary
• Define Business Terms in order to align Business & IT
• Get a clear overview on roles & responsibility!
• Link Systems, Processes and Business Owners in data flows
5-Step Approach for Sustainable Compliance – PROTECT
• Anonymization (removing PD)
• Pseudonymization (replacing PD)
• Encryption (encoding PD)
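Anonymization and pseudonymization as listed above, as an added example that is not part of the deck or of any SAS product: it either drops a record's personal data attributes outright, or replaces them with keyed HMAC-SHA256 tokens that only a separately held lookup (or key) can reverse, which is why pseudonymized data still counts as personal data under GDPR while the same tokens let records about one person join up. The record, field names and key are constructed; encryption, the third bullet, is not shown because it needs a cipher library.

```python
import hmac
import hashlib

PD_FIELDS = ("name", "email", "ssn")

# Constructed record in the shape of the deck's identification examples.
RECORD = {"name": "Casper Pedersen", "email": "casper.pedersen@example.com",
          "ssn": "230376-5512", "country": "DK", "order_total": 129.0}

def anonymize(record, pd_fields=PD_FIELDS):
    """Anonymization: drop the personal data attributes; nothing links back."""
    return {k: v for k, v in record.items() if k not in pd_fields}

def pseudonymize(record, key, pd_fields=PD_FIELDS):
    """Pseudonymization: replace each PD value with a keyed token.
    A keyed HMAC (not a plain hash) is used because values such as a DDMMYY-NNNN
    number live in a small space that an unkeyed hash could be enumerated over.
    The same key maps the same value to the same token, so records about one
    person still join up (single view) without exposing the value."""
    pseudo, lookup = dict(record), {}
    for field in pd_fields:
        token = hmac.new(key, record[field].encode(), hashlib.sha256).hexdigest()[:16]
        pseudo[field] = token
        lookup[token] = record[field]   # kept separately from the dataset
    return pseudo, lookup

def reidentify(pseudo, lookup, pd_fields=PD_FIELDS):
    """Reverse pseudonymization using the separately held lookup."""
    return {k: (lookup[v] if k in pd_fields and v in lookup else v)
            for k, v in pseudo.items()}

def forget(pseudo, lookup, pd_fields=PD_FIELDS):
    """Right to erasure on pseudonymized data: delete this record's lookup entries,
    after which its tokens can no longer be resolved to a person."""
    for field in pd_fields:
        lookup.pop(pseudo[field], None)
    return lookup

if __name__ == "__main__":
    key = b"constructed-demo-key"   # in practice: a managed secret, not a literal
    pseudo, lookup = pseudonymize(RECORD, key)
    print("anonymized:  ", anonymize(RECORD))
    print("pseudonymized:", pseudo)
    print("restored:    ", reidentify(pseudo, lookup))
```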
5-Step Approach for Sustainable Compliance – AUDIT
• Log and monitor usage of personal data.
• Audit usage of personal data to demonstrate compliance with privacy controls.
• Analyze and report to prove that personal data is not at risk.
• Manage Data Quality to ensure the effectiveness of compliance measures and processes.
Why choose SAS?
Time & Cost
• Pre-built GDPR assets based on proven technology
• Quick Start Services & Partners
Open
• Connect to any source, anywhere, anytime
• Not a black box – the GDPR accelerator is expandable
Complete & Integrated
• Centralized security management
• Virtual user-based data access across many sources
Solid DQ Foundation
• Proven Quality Knowledge Base available in most languages
• Single view of individuals for effective consent management, right to be forgotten
Beyond compliance
• Building the foundation for sustainable data governance
• Supporting data-driven initiatives for new business benefits
Intuitive and user friendly applications
SAS for Personal Data Protection: SAS EGRC, SAS Data Management, SAS Federation Server
What’s next?
• Resources
  - SAS for GDPR Solution Brief
  - SAS 5-Step for GDPR Whitepaper
  - Webinar
• Hands-on workshop
  - Formalize needs
  - Identify challenges & gaps
  - Raise internal awareness
  - Experiment with SAS solution
  - Identify way forward
• PS Quick Start Offering
  - Kick-Off Workshop
  - Installation & basic configuration
  - Implementation for 1 data source
  - Coaching of your resources
Thank you for your time.
Presented by:
Casper Pedersen