GDPR: Is Your Organization Ready for the General Data Protection Regulation?
TRANSCRIPT
Confidential and Proprietary. All rights reserved. Copyright © 2016 DATUM LLC
Learning Lab
Is Your Organization Ready for the General Data Protection Regulation? Jonathan Adams, Research Director
GDPR
Peter Steiner; New Yorker Magazine; July 1993
GDPR: 3 Reasons to Care
1. Reduce Costs: Fines up to 4% of Global Revenue
*2016 Annual Revenues
2. Increase Margins: GDPR capabilities support digital transformation goals and drive new business models:
• Consumer Centric PLM
• Supply Chain & Channel Optimization
• Customer 360 programs
3. Grow Revenue: Data Monetization & New Revenue Streams
• Sports “Wearables”
• Self Identification at POI
• Cloud Based Services
“Trust” with Partners & Customers
Defining GDPR: GDPR is a comprehensive set of privacy regulations designed to protect data for individuals within the European Union.
Objective:
• Give individuals control of their personal data
• Regulatory consistency across the EU
Impact:
• Covers personal data collected in the EU regardless of where the data collector is located
• All US-based multinationals doing business with people in Europe will be impacted
GDPR’s Impact on Companies
• Any business (foreign or domestic) engaged with individuals within the EU
• The notion of Personally Identifiable Information (PII) is broadly defined: data that has the potential to identify a person living in Europe falls under the GDPR
• GDPR applies “horizontally” across the organization’s business components, and “vertically” at all decision-making levels.
• GDPR applies across the complete value chain. Organizations are obligated to verify the compliance of parties with which they do business.
GDPR Requires Interpretation: General Data Protection Regulation
GDPR Requires Interpretation
It’s Comprehensive & Tightly Written
• All personal information, regardless of where it came from and how it is used, is governed
It’s Principle Based
• Requires companies to adopt privacy principles at the cultural level
It’s Compromise Legislation
• GDPR is a piece of what legal scholars call compromise legislation: a legislative text that tries to satisfy two starkly opposed sides of the data protection debate
When Interpretation is Required, Best Practices are Critical
The Governance Challenge
Creating transparent & defensible best practices that address “principles”
The Governance Challenge: Mapping the best practices to observable & measurable activities across many functional areas
(Functional areas shown on the slide diagram: Risk Management, Accountability, Org Design, Data Lineage, Process Alignment, PII Cataloging, International, Partner Management, Metadata, Data Governance, Data Architecture, Data Operations, Data Discovery, Best Practices, Security, Data Management, Privacy, Cloud Services, IoT)
The 4 Core Capabilities: GDPR requirements can be simplified by organizing around four core capability areas:
(Labels shown on the slide diagram: Consultation & Reporting; Certification; Risk Management; Organizational Alignment; Data by Design; Risk Management; Communication; Remediation; People; Partners; Regulators; Organization)
Mapping to the Regulation (the four capability areas, numbered 1 to 4 on the slide diagram, mapped to GDPR articles):
• Forget: Art. 17
• Quarantine: Art. 18
• Package: Art. 20
• Fix: Art. 16
• Certification: Art. 42
• Risk Management: Art. 32
• Processor Compliance: Art. 28
• Data Management: Art. 6, 7, 9, 14
• International: Art. 27, 44, 45, 46, 47, 48, 49
• Best Practices: Art. 25, 40, 42, 41, 43
• Risk Management: Art. 32, 35, 36
• Accountability: Art. 37, 38, 39
• Consultation: Art. 36
• Best Practices: Art. 40
• Consent: Art. 6, 7, 8, 9, 10
• Notification: Art. 12
How DATUM Can Help
DATUM’s GDPR Readiness Assessment & Roadmap: Datum's Advisory Services group leverages our proprietary data governance model to capture key governance components and structure the governance operating model to transparently and defensibly achieve GDPR compliance.
DATUM’s Information Value Management®: DATUM’s Information Value Management® software platform allows you to implement this governance operating model throughout the organization by discovering, understanding and connecting the critical data to important business value drivers. Information Value Management® also comes with a library of resources that help jump-start customers’ GDPR initiatives.
Where to Start: 3 Questions
1. Can I catalog my GDPR related data?
2. Do I know where and how it is used?
3. Do I have a governance process with observable and measurable controls?
1. Can I Catalog my GDPR Related Data?
Knowing what PII you have and how it is organized is foundational
Can I catalog my GDPR related data?
• If asked what is GDPR PII, can a data dictionary be produced?
• Is it detailed enough to apply governance?
If the Answer is No…
• If I don’t know where it is, I can’t apply any sort of governance
2. Where Is It and How Is It Used?
Who is in charge? Why is this information valuable? And what is the impact of a privacy breach?
Do I know where, how and by whom it is used?
• What business processes use GDPR PII?
• Why do they need PII?
• How critical is the PII?
Accountability is Key
• I cannot fix things if no one is accountable!
• Understanding value and impact prioritizes resources
3. Do I Have a Governance Process?
Do I have a governance process with observable and measurable controls?
• Demonstrable due diligence
• Governance from policy to data mitigates risk
• How do I make engaging with regulators a positive experience?
The IVM demonstration drills down on these three foundational use cases:
1. Can I catalog my GDPR related data?
• If asked what is GDPR PII, can a data dictionary be produced?
• Is it detailed enough to apply governance?
It all starts here… If I do not know where it is, I cannot apply any sort of governance
2. Do I know where, how and by whom it is used?
• What business processes use GDPR PII?
• Why do they need PII?
• How critical is the PII?
Accountability is key
• I cannot fix things if no one is accountable!
• Understanding value and impact prioritizes resources
3. Do I have a governance process with observable and measurable controls?
• Demonstrable due diligence
• Governance from policy to data mitigates risk
Right Data. Right Decisions. Right Now.
• Discover and understand the data available to your company
• Connect that data to the most important business value drivers: operations, analytics and compliance
• Clearly measure the impact data has on corporate initiatives