Page 1

Copyright © 2017, SAS Institute Inc. All rights reserved.

EU GDPR – 288 days to comply!

A Personal Data Challenge

Presented by:

Casper Pedersen

SAS Global – Data Management

Page 2

Why should we care?

Page 3

Ashley Madison – July 2015

• An infidelity website; data on its 37 million users was leaked to the public by hackers

Page 4

Page 5

https://www.cnil.fr/en/data-protection-around-the-world

• Australia – APP
• Brazilian Internet Act
• Canada – PIPEDA
• Chile’s Act on the Protection of PD
• Colombia’s Regulatory Decree 1377
• EU GDPR
• Hong Kong’s Personal Data Ordinance
• India – Information Technology Act
• Japan – The Personal Information Protection Act
• Malaysia – PDP Act 2010
• Mexico – Federal Law for the Protection of PD Possessed by Private Persons
• Morocco’s Data Protection Act
• New Zealand’s Privacy Act of 1993
• Philippines – Republic Act No. 10173
• Singapore – PDP Act
• South Africa – PoPI
• South Korea – Act on Promotion of Information and Communications Network Utilization and Data Protection
• Switzerland – Federal Act on Data Protection
• Taiwan – Computer-Processed Personal Data Protection Law
• Turkey – KVKK
• USA – HIPAA, COPPA, CalOPPA

A global initiative for a global use case

Page 6

What’s it about?

1. Responsibility and accountability
   a. Data Protection Impact Assessments (DPIA)
   b. Privacy by Design and Privacy by Default
2. Consent
   a. Valid consent must be explicit for data collected and purposes data used
   b. Data controllers must be able to prove consent (opt-in) and consent may be withdrawn
3. Data Protection Officer
   a. Ensure compliance within organization
4. Data Breaches
   a. How will you react to a data security breach?
   b. Legal obligation to notify the Supervisory Authority without undue delay
5. Right to erasure
   a. Right to be forgotten / deleted
6. Data portability
   a. Transfer their personal data from one electronic processing system to and into another
   b. Cross-border data transfers

Company Confidential - For Internal Use Only, Copyright © 2016, SAS Institute Inc. All rights reserved.

Page 7

What are the challenges? (two columns on the slide: Internal Challenges, Towards Authorities)

• Do we have an overview of all data sources?
• What is the risk level for each data source?
• Can we show a report where Personal Data are located?
• Can we show that processes are in place?
• What is Personal Data? And how do we identify Personal Data?
• Do we control access rights?
• Do we log user activity for each and every data store?
• Does duplication and poor data quality make it difficult to “be erased and forgotten”?
• Do you have documentation and audit trails?

Page 8

“In the middle of difficulty lies opportunity” (Albert Einstein)

Page 9

Internal Challenges | Towards Authorities | The Link

The changing organization

Page 10

Towards authorities: Data Flow Analysis, Incident Management, Policy Management

Data flow analysis
• Identify, categorize and risk assess data flows
• Recommend and describe control measures
• Report measures based on prioritized risks

Incident management
• Standard automated process
• Identify, categorize and add measures. Link to risk assessment and policies

Policy management
• Standard process
• Policy lifecycle
• Link together with incidents and risk assessment from the data flow analysis

Page 11

ACCELERATOR FOR EU DATA PROTECTION

• Identify data flow
• Access data flow
• Mitigate data flow risks
• Reports

Page 12

5-Step Approach for Sustainable Compliance: IDENTIFY, GOVERN, ACCESS, AUDIT, PROTECT

Page 13

5-Step Approach for Sustainable Compliance: IDENTIFY, GOVERN, ACCESS, AUDIT, PROTECT

Page 14

• Access to any kind of Relational and Non-Relational Sources
• Unstructured and Big Data Integration
• Apply Enterprise-wide Security Policies
• Simplify the Security & Governance effort

Page 15

5-Step Approach for Sustainable Compliance: IDENTIFY, GOVERN, ACCESS, AUDIT, PROTECT

Page 16

What is

Page 17

Personal Data Identification Analysis
• Categorize the Information

Casper Pedersen -> Individual
[email protected] -> E-mail
230376-5512 -> Social Security Number

Page 18

Personal Data Extraction
• Extract Information to Personal Data Attributes

Input: casper pedersen, [email protected]
  Individual: Casper Pedersen
  E-mail: [email protected]

Input: Dan Soceanu 919-677-8000
  Individual: Dan Soceanu
  Phone: +19196778000

Page 19

Example: Extracting social security numbers using the Quality Knowledge Base for Personal Data. The same technique applies for ALL Personal Data Types …

Easily find Personal Data where data is mixed and messy

Page 20

Extract Personal Data from Unstructured Documents
• Process
  1. Convert Document into Readable Flow
  2. Categorize & Extract Personal Data
  3. Aggregate & Present Results

Page 21

Personal Data Extraction from Unstructured Documents

Page 22

5-Step Approach for Sustainable Compliance: IDENTIFY, GOVERN, ACCESS, AUDIT, PROTECT

Page 23

GDPR requires organizations to leverage personal data as a corporate asset through the formal orchestration of:

• People: DPO, Processor, Controller, Subject
• Technology: Data Access, Data Quality, Data Governance, Risk Management
• Processes: Data Acquisition, Transfer, Analysis, Breach, Alteration, Destruction, Retention, Minimization, Consent Management

Page 24

Defining Enterprise-wide personal data governance standards

• Document Personal Data and GRC terms definition and concepts between Business, Legal & IT
• Browser-based application to manage & document data standards
• Assign roles and responsibilities
• Collaboratively define business terms & data quality standards
  - Term hierarchies
  - Custom term attributes
  - Search terms
  - Security and authorizations
  - Versioning & roll back
  - Email notifications
  - 3rd Party Software Integration

Example term on the slide: IP Address, with the questions: How do we define? How do we collect? Where is it stored? Who can access? Who is responsible? How do we use? How do we secure? How do we control?

Page 25

• Automated Personal Data glossary
• Define Business Terms in order to align Business & IT
• Get a clear overview on roles & responsibility!

Page 26

• Link Systems, Processes and Business Owners in data flows

Page 27

5-Step Approach for Sustainable Compliance: IDENTIFY, GOVERN, ACCESS, AUDIT, PROTECT

Page 28

• Anonymization (removing PD)

• Pseudonymization (replacing PD)

• Encryption (encoding PD)
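Added example, not from the presentation: the first two of the three protections above applied to a constructed record. Anonymization drops the identifiers outright; pseudonymization replaces each one with a keyed HMAC token, so records about the same person still join while the value itself is no longer present. The record, field names and purpose labels are assumptions for the example; encryption, the reversible third option, is left to a vetted crypto library and not shown.

```python
import hashlib
import hmac
import secrets
from typing import Any, Dict

# Constructed sample record (the e-mail address is made up for the example).
RECORD: Dict[str, Any] = {
    "name": "Casper Pedersen",
    "email": "casper@example.com",
    "phone": "+19196778000",
    "ssn": "230376-5512",
    "purchase_total": 129.50,
}
# Fields the identification step (pages 17-19) would have flagged as personal data.
PD_FIELDS = ("name", "email", "phone", "ssn")


def anonymize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Anonymization: remove the personal-data fields.
    Irreversible; no key exists that could restore the identifiers."""
    return {k: v for k, v in record.items() if k not in PD_FIELDS}


def pseudonymize(record: Dict[str, Any], key: bytes, purpose: str) -> Dict[str, Any]:
    """Pseudonymization: replace each identifier with a keyed HMAC-SHA256 token.

    The key is the 'additional information' that permits re-identification and
    must be held apart from the data.  An unkeyed hash would not do: phone and
    SSN-style values come from a small space and could simply be re-hashed and
    compared.  Binding the purpose into the message gives each purpose its own
    token space, so datasets pseudonymized for different purposes do not join."""
    out = dict(record)
    for field in PD_FIELDS:
        if field in out:
            msg = f"{purpose}|{field}|{out[field]}".encode("utf-8")
            out[field] = hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]
    return out


def new_pseudonym_key() -> bytes:
    """Fresh 256-bit key; store it in a key store, never next to the data."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = new_pseudonym_key()
    print(anonymize(RECORD))
    print(pseudonymize(RECORD, key, "analytics"))
```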

Page 29

5-Step Approach for Sustainable Compliance: IDENTIFY, GOVERN, ACCESS, AUDIT, PROTECT

Page 30

• Log and monitor usage of personal data.
• Audit usage of personal data to demonstrate compliance with privacy controls.
• Analyze and report to prove that personal data is not at risk.

Page 31

• Managing Data Quality to ensure the effectiveness of compliance measures and processes.

Page 32

5-Step Approach for Sustainable Compliance: IDENTIFY, GOVERN, ACCESS, AUDIT, PROTECT

Page 33

Why choose SAS?

Time & Cost
• Pre-built GDPR assets based on proven technology
• Quick Start Services & Partners

Open
• Connect to any source, anywhere, anytime
• Not a black box – the GDPR accelerator is expandable

Complete & Integrated
• Centralized security management
• Virtual user-based data access across many sources

Solid DQ Foundation
• Proven Quality Knowledge Base available in most languages
• Single view of individuals for effective consent management, right to be forgotten

Beyond compliance
• Building the foundation for sustainable data governance
• Supporting data-driven initiatives for new business benefits

Intuitive and user friendly applications

SAS for Personal Data Protection: SAS EGRC, SAS Data Management, SAS Federation Server

Page 34

What’s next?

• Resources
  • SAS for GDPR Solution Brief
  • SAS 5-Step for GDPR Whitepaper
• Webinar
• Hands-on workshop
  • Formalize needs
  • Identify challenges & gaps
  • Raise internal awareness
  • Experiment with SAS solution
  • Identify way forward
• PS Quick Start Offering
  • Kick-Off Workshop
  • Installation & basic configuration
  • Implementation for 1 data source
  • Coaching of your resources

Page 35

Thank you for your time.

Presented by:

Casper Pedersen