practical steps to gdpr compliance
TRANSCRIPT
1©2017 Talend
16 Practical Steps to GDPR ComplianceSunil Soares (Information Asset) and Jean-Michel Franco (Talend)
2
https://info.talend.com/en_tld_outlining_practicalsteps_gdpr_compliance.html
Watch the replay of this presentation
3©2017 Talend
16 Practical Steps to GDPR ComplianceSunil Soares (Information Asset) and Jean-Michel Franco (Talend)
4
About us
Sunil Soares, Information Asset, @sunilsoares1
• Founder & Managing Partner
• Thought leader in the Data Governance industry
• Authored eight books on Data Management, Data Governance, and Data Sovereignty
• Information Asset is a boutique consulting firm focused on delivering Data Governance to diverse clients in multiple industries
Jean-Michel Franco, Talend, @jmichel_franco
• Sr Product Marketing Director, Data governance
• 25 years of experience in Data Management and BI
• Authored 4 books, and regular publications and blogs on data governance
• Talend is a next-generation leader in cloud and big data integration software that helps companies make data a strategic asset.
5
• The EU published the General Data Protection Regulation (GDPR) in May 2016
• After a two-year transition period, the GDPR will go into effect on May 25, 2018
• The GDPR applies to the processing of personal data of all data subjects, including customers, employees, and prospects
• Non-compliance with the GDPR may result in huge fines, which can be the higher of €20M or four percent of the organization’s worldwide revenues
About the EU General Data Protection Regulation
6
• Multiple subject areas • Customer, Employee, Citizen, Vendor…
• Emerging data types
• Internet of Things, Biometrics…
• Multiple jurisdictions
• EU, Canada, Australia, U.S….
• Rapidly changing regulations
• GDPR, CASL, HIPAA…
Global Data Privacy is Multi-Dimensional
7
Poll #1 : How Far Along Are You with GDPR?
Not started48%
Conducting risk assessment
32%
Doing data mappings18%
Further along2%
8
A 16 Step Data Governance Plan for GDPR Compliance
1. Develop Policies, Standards & Controls
2. Create Data Taxonomy
3. Confirm Data Owners
4. Identify Critical Datasets & Critical Data Elements
5. Establish Data Collection Standards
6. Define Acceptable Use Standards
7. Establish Data Masking Standards
8. Conduct Data Protection Impact Assessments
9. Conduct Vendor Risk Assessments
10. Improve Data Quality
11. Stitch Data Lineage
12. Govern Analytical Models
13. Manage End User Computing
14. Govern the Lifecycle of Information
15. Set up Data Sharing Agreements
16. Enforce Compliance with Controls
9
Operationalizing the 16 steps plan with Talend
Goal Talend solution(s)
Map the critical data elements across your datasets Metadata Manager
Track and trace data with audit trails and data linage Metadata ManagerMaster Data Management
Anonymize data for controlled privacy protectionData Quality (incl. Data masking and shuffling)
Establish a data lake for trusted data & consent mgmt.Big DataMaster Data Management
Foster accountability for governance and stewardshipData Preparation Data Stewardship
Share data with your data subjectsData IntegrationData Services
10
• Collaborate with data architecture to classify data into categories and sub-categories• Customer, employee, prospect, vendor, franchisee
• Example for employees:
Step 2: Create Data Taxonomy
Employee
Salary & Benefits
Identity ContactsHealth infor-
mation
Social media
Employee Perfor-mance
11
Have you agreed on a consistent definition of 'personal data' for GDPR purposes?
Poll #2
No53%
Yes47%
12
• GDPR Article 4 defines ‘personal data’ as any information relating to an identified or identifiable natural person… by reference to an identifier such as name, identification number, location data, an online identifier…
• GDPR Article 9 restricts the processing of data revealing racial or ethic origin, political opinions, religious or philosophical beliefs, trade union membership…
• Data Governance must work with Legal and Privacy to define ‘personal data’ for the GDPR
• Example: an item code ‘Halal’ may be covered by Article 9 because it may point to a data subject’s religion
Step 4: Identify Critical Datasets & Critical Data Elements
13
• GDPR Article 6 – Lawfulness of Processing
• GDPR Article 7 – Conditions for Consent
• Data Governance must establish controls so that Legal and Privacy sign off on data collection for any new project during the design phase
• Example: creating an Enterprise Consent Repository with MDM
Step 5 & 6: Data Collection & Acceptable Use Standards
14
• GDPR Recital 26 & Article 11 state that the principles of data protection should not apply to anonymous information
• GDPR Article 32 deals with the security of personal data
• Example: anonymizing salary benefits data for data science and analytics
Step 7: Establish Data Masking Standards
15
• GDPR Article 30 requires organizations to maintain a record of processing activities
• This record must include • a description of the categories and the categories of
recipients of personal data, including those in third countries or international organizations;
• transfers of personal data to a third country or an international organization
• The recordkeeping requirements also extend to so-called processors who process data on behalf of an organization
• Critical Step Mapping of personal data elements to applications
Step 11: Stitch Data Lineage
16
• GDPR Article 22 deals with Automated individual decision-making
• Under many privacy laws, Automated Processing is required to be disclosed and results are subject to data subject access
• “Disparate Treatment” versus “Disparate Impact”
• Example :
• predictive models may highlight that employees who live closer to work may stay longer in their jobs but the models may discriminate against minority candidates in certain zip codes
Step 12: Govern Analytical Models
17
• User Computing (EUC) applications are outside the control of the IT department
• EUCs include Microsoft Excel spreadsheets, Microsoft Access databases and SharePoint repositories
• EUCs may contain personal data that is still subject to GDPR compliance including data masking requirements
• Example: reclaiming control over user managed personal data with self –service tools
Step 13: Manage End User Computing
18
• GDPR Article 17 deals with Right to Erasure or the ‘Right to be Forgotten’
• Manage information throughout its lifecycle (ILM), from creation through disposal, including compliance with legal, regulatory, and privacy requirements
• Manage retention schedules
• Example: How do you forget a data subject if you do not know where their information resides in the first place?
Step 14: Govern the Lifecycle of Information
19
Step 16: Enforce Compliance with GDPR Controls
GDPR Article(Sample)
GDPR Description GDPR Controls Talend Tooling
Article 6 Lawfulness of processing • Sign-offs by legal and compliance during the design phase of any new project that requires the processing of personal data
• Talend Metadata Manager
• Talend MDM
Article 7 Conditions for consent • Obtain informed consent of data subjects • Talend MDM• Talend Big Data• Talend Data Quality
Article 9 Processing of special categories of personal data, such as race and ethnic origin
• Identification of special data categories as CDEs• Sign-off by legal and compliance on usage of special
categories of data during the design phase of a project
• Talend Metadata Manager
• Talend MDM
Article 11 Processing which does not require identification
• Data masking • Talend Data Quality• Talend Data Preparation
Article 30 Records of processing activities
• Data lineage for sensitive data within the enterprise and extending to processors and sub-processors
• Talend Metadata Manager
20
Poll #3 : Considering Tools for GDPR Compliance?
0,00% 5,00% 10,00% 15,00% 20,00% 25,00% 30,00%
Data Governance
Data Masking
Data Quality & integration
Data Stewardship
Metadata Management
21
Suggested next steps towards GDPR Compliance
• Read our White paper: 16 Practical Steps towards GDPR Compliance
• Evaluate Talend tools at www.talend.com
• Define ‘personal data’ for GDPR with respect to your organization
• Map personal data elements to applications
• Above all, drive alignment between Legal, Compliance, Privacy and Enterprise Data Management to re-use existing data governance program to support GDPR compliance
22©2017 Talend
Thank You!
White Paper Available Soon : www.talend.com16 Practical Steps to GDPR Compliance
Sunil Soares (Information Asset)and Jean-Michel Franco (Talend)