GDPR is Coming, May 25 2018 brings a whole new order of EU Personal Data Privacy and Protection rights, duties and obligations. What changes, what's your risk and how can you start to prepare? How can a Unified Governance strategy and capabilities transform both your information governance program, and provide a framework for personal data? How that strategy can leverage metadata to support and accelerate meeting regulatory issues.

2. Dennis Waldron

3. rghogg@us.ibm.com
Richard Hogg , CITP ERMp

4. Are you Ready?

5. May 25,
2018
GDPR – What is it?
4%Or
€20M
Potential
Penalty
Per Incident
Global
Impact
5 Key General Data Protection Regulation Obligations
Rights of EU
Data Subjects
Security of
Personal Data
Consent Accountability of
Compliance
Data Protection by
Design and by Default

6. Concern Toxicity potential in unstructured data.
Need Approach to ID, tag and delete toxic data.
Solution
Storage management tool that
allows metadata tagging.
Result
53% of data identified as dormant for > 5
years with a big portion possibly toxic.
Next steps
Work with data owners to choose
to delete or otherwise address flagged data.
53%of unstructured data flagged
“any information relating to an identified or identifiable natural person” (Art. 2(a))
Direct identifier – E.g. name, passport number, phone number
Indirect identifier – E.g. IBM Global GDPR Evangelist
Personal Data?
*2016 survey of NA Financial Services

7. GDPR Client Observations
“We understand what
needs to be done and
we’ll make the
necessary incremental
changes.”
A European bank
“Where do we begin, the
regulations are so confusing,
what solutions does IBM
provide?”
Multinational transportation org
Multinational logistics org
“We have heard of GDPR, but
we are going to take a wait and
see approach until an
enforcement action.”
Multinational airline
Multinational pharma org
The Hare The Tortoise The Ostrich

8. GDPR Takes More Than Just Technology
There are five key areas that need to be addressed
Governance People &
Communication
Processes Data Security

9. • Conduct GDPR risk &
privacy assessments
across governance,
people, processes,
data, security
• Develop GDPR
Readiness Roadmap
• Identify & Map
personal data
Assess
Assessments and
roadmap
Identify GDPR impact
and plan Technical and
Organisational Measures
(TOM)
• Design governance,
training,
communication, and
process standards
• Design privacy, data
management and
security management
standards
Design
Defined
implementation
plan
Includes Data Protection
controls, processes and
solutions to be
implemented
• Develop and embed
procedures,
processes and tools
• Deliver GDPR training
• Develop & embed
standards & policies
using Privacy by
Design, Security by
Design
• Detailed Data
Discovery
Transform
Process
enhancements
completed
TOMs in place: Personal
Data discovery,
classification and
governance in place
• Execute all relevant
business processes
• Monitor security and
privacy using TOMs
• Manage Consent &
data subject access
rights
Operate
Operational
framework in
place
Begin the new GDPR
ready way of working
• Monitor, assess,
audit, report and
evaluate adherence
to GDPR standards
Conform
Ongoing
monitoring and
reporting
Monitor TOMs execution;
deliver compliance
evidence to internal and
external stakeholders
ActivityOutcomePhase
IBM’s Overall GDPR Framework: 5 Phases to Readiness

10. Program and Data Governance
goals • policies • rules • compliance • vendor management • terminology • people
Data Lifecycle
identification • classification • masking • archiving
Data Catalog
metadata mgmt. • IT objects • impact analysis
Data Subject Services
enquiry • correction • erasure • portability •
notification
Data Protection
privacy program design • risk assessment • access management
identity governance • monitoring & audit • incident response
Orchestration
Processes
Rules
Consent
Personal Data
structured
unstructured
physical info
assets
printed
documents
…
Data
Subjects
Data
Privacy
Officer
Data
Steward
InfoGov Capabilities Needed for GDPR

11. IBM Commitment to GDPR Readiness Statement
Trust in Data
Data and its protec9on are becoming increasingly important to individuals and society. Enterprises must earn the public’s
trust in their ability to steward informa9on. As IBM’s long history of security and privacy leadership demonstrates, IBM
understands that protec9ng privacy is essen9al to gaining trust. IBM was one of the first companies to appoint a
Chief Privacy Officer, to develop and publish a gene9cs privacy policy, to be cer9fied under
the APEC Cross Borders Privacy Rules system, and to sign the
EU Data Protec9on Code of Conduct for Cloud Service Providers. Now, IBM is con9nuing its long-standing leadership in the
area of data privacy by responding proac9vely to the General Data Protec9on Regula9on (GDPR).
IBM Commits to GDPR Readiness
IBM currently complies with privacy laws around the world. IBM is also preparing to comply with the European Union’s new
General Data Protec9on Regula9on (GDPR) which will go into effect in May 2018. IBM has established a global project to
prepare for GDPR, both for our internal processes and for our commercial offerings. IBM recognises that our customers will
rely on IBM’s offerings and technical assistance to achieve GDPR compliance within their own organisa9ons and IBM is well-
posi9oned to meet this cri9cal need.
As part of its GDPR project, IBM is enhancing its ongoing commitment to privacy by design. IBM is working to embed data
protec9on principles even more deeply into its business processes, with the objec9ve that technical and organisa9onal
security measures limit, by default, the amount and use of personal data to what is specifically required. This work will also
strengthen controls already in place to limit access to personal data, including with respect to mobile applica9ons that rely
on sensible default seWngs to prevent personal data from being inadvertently shared with others.
IBM is committed to providing our clients and partners with innova9ve data privacy, security and governance solu9ons to
assist them on their journey to GDPR compliance.
Learn more about IBM's own GDPR readiness journey and our GDPR capabili9es and offerings to support your compliance
journey here.

12. Most Personal Data not
discoverable via Patterns

13. New IBM GDPR Accelerators
Improved insight with the ability to load contracts for
Watson to analyze & consider the key language, clauses
or paragraphs driving the need for further analysis or
change.
Compare & Comply
IBM Regulatory Compliance Analytics,
with IBM Watson Digest GDPR and identity
Controls & Obligations.
Cognitive Insights
Plug-in Extensive unstructured
personal data discovery rules using
Both RegEx and Machine Learning.
GDPR CartridgesStructured personal data discovery
& classification. Personal data
access & data subject rights audit
trails; GDPR reports; GDPR data
risk dashboard.
Data Protection
GDPR Supportive Content taxonomy
with Predefined terms, data model
elements, Against each Article.
GDPR Industry Model
GDPR program preparatory guide,
GDPR incident simulation,&
GDPR-enhanced Privacy module.
Incident Response
Discover and register data sources and the Personal
Data they contain. Golden record identification with
Workflows for all citizen SAR requests.
Subject 360 Access
Consent Service available enterprise wide, linking
Data to usage and specific per-citizen consent.
Purposeful Consent By Design
Security
Regulations
& Contracts
Personal
Data
Find
Personal
Data
Unified
Catalog

14. 9 Billion
4%
Of the
only
breached since 2013
were encrypted 3
records
$4M
Average cost of a data
breach in 2016 2
Likelihood of an organiza9on
having a data breach in the
next 24 months 1
26% “It’s no longer
a matter of if,
but when …”
Health Insurance
Portability and
Accountability
Act (HIPAA)
European Union General
Data Protec9on
Regula9on (GDPR)
Payment Card Industry Data
Security Standard (PCI-DSS)
1, 2 Source: 2016 Ponemon Cost of Data Breach Study: Global Analysis -- http://www.ibm.com/security/data-breach/
3 Source: Breach Level Index -- http://breachlevelindex.com/
Data protection and compliance are
business imperatives
100 Days Over
On average to discover
the breach

15. What does information governance mean and
why is it critical
Informa(on Governance is the process by which an organiza>on will behave or act to ensure the
appropriate execu>on of its mandate, and typically, protect and maximize the benefits inherent in
its data assets
83% of organiza>ons suffer problems
caused by poor master data, with the top
three problems being inaccurate repor9ng
(81%), arguments over which data is
appropriate (78%), and bad decisions based
on incorrect defini9ons (54%)
$3 Trillion is the total annual impact
of poor data quality
Informa9on Governance Organiza9on
ensures sustainable business value of data
over 9me. Standalone cleanups no macer
how heroic have diminished values over
9me.
A Strong DG Func(on Is Essen(al To Delivering Reliable And
Usable Business Informa(on
35% of customer informa>on in
enterprise systems may be inaccurate, and
up to 30% duplicated due to lack of proper
data governance policies and procedures
Source: IBM Institute for Business Value 2015 Analytics research survey. Administered by
the Economist Intelligence Unit.
© 2015 IBM Institute for Business Value. www.ibm.biz/2015analytics
• Uniform communica9ons
• Common understanding
• Rapid cross business
Implementa9on
• Single defini9on
• Quality data
• Cross business data usage
• Efficient Investments
Process
People
Policies
Tools
With Data Governance
• Complex
• Silo driven
• Slow to market
• Inconsistent defini9on
• Poor data accuracy
• LOB focused data
• Re-solve problems for each
LOB
Without Data Governance
30-40% of the IT budget is allocated to execu9on of data transforma9on
programs within IT led Financial Services companies
GSIBs will increase spend on new data and analy9cs ini9a9ves by 10% in 2017

16. § How to easily find relevant
information ~ books, authors ?
§ How to go about archiving
important content – Micro Film?
§ How to go about Life Cycle
Management of books ?
§ How to restrict access to
important content (Policy Mgmt.) ?
CATALOGARCHIVEDISPOSEACCESS
Library Analogy

17. GOVERNANCE FOR
COMPLIANCE
Discover, classify and manage
information in ways that meet the
obligations enforced by both regulatory
and corporate mandates
Regulations (e.g. GDPR)
Privacy & Protection
eDiscovery
Records & Retention
Archiving
Audit Readiness
GOVERNANCE FOR INSIGHTS
Provide safe access to trusted, high
quality, fit-for-purpose data while
facilitating effective collaboration
among team members
Self-Service Access to Data &
Analytics
Governed Enterprise Information
Repositories (such as Data Lakes)
Use Cases Driving a Unified
Governance Strategy

18. High Quality, Timely information for All
Empowered Data Scientists
Uncovering Unique Insights
Empowered Organization
Better Business Outcomes
• Leverage the value of your data unlocking insight
driving competitive advantage every single time you
access data.
• Capitalize on the data and derive revenue based on
solid information governance foundation making
data simplified and actionable.
Make Data Make Money

19. GOVERNANCE FOR COMPLIANCE
Helps
ensure data privacy and
facilitate compliance with
regulations such as the
GDPR
50%
faster creation of test
datasets helps to accelerate
development cycles
Cuts
storage costs by
significantly reducing the
size of test datasets
View case study: Link
Eases
compliance with data-
retention regulations
94.2%
reduction in amount of data
unnecessarily stored cuts
costs and risk
Takes
the headache out of audits
by providing a clear track
record and reporting
View case study: Link
GOVERNANCE FOR INSIGHTS
Enables
a smoother user
experience for shoppers
across channels and
brands
10 times
faster response times for
the 1-800-Flowers.com
mobile app
Improves
the quality of customer data
and enables deeper insight
View case study: Link
Empowers
IT and business users to
collaborate in establishing
and using common
terminology
Supports
business intelligence and
confident decision-making
Accelerates
analytics for faster insight
View video: Link
What our customers are saying

20. Strategic vision for metadata to support regulatory issues
• NT Metadata Registry
• Benefits
• Approach
• Timeline
• Metadata Strategy
• Data Models, Standards, & Policies
• NT ISO Initiative
EXECUTIVE SUMMARY

21. NT METADATA REGISTRY BENEFITS
What’s in it for me?
• Increased understanding of NT’s data.
• Create a searchable catalog of Northern Trust’s data assets.
• Provide transparency into the location, definition and usage of
NT’s data assets.
• Promote the standardization of NT’s data designs, shared
definition and asset reuse.
Why do we care?
• Increase collaboration.
• Expose data lineage through all layers (e.g. CCAR, EDP,AML)
• Reduce project delivery time and scope creep.
• Reduce Risk
• Reduce Development Time
What I need your help on?
• Granting connections to system catalog(s) and to reverse engineer
physical schema for IIS lineage
• We are not looking at the transactional data
• SME help for SOR, BPM, inflow and outflows

22. High Level Design
NT METADATA REGISTRY - APPROACH

23. NT METADATA FOUNDATION & STRATEGY

24. NT METADATA REGISTRY
Metadata Registry
o Central location in an organization where metadata definitions are
stored.
Metadata Management
o End to end process and governance framework for the creation,
controlling, enhancing, attributing, defining and management of
structured and unstructured data.
Design Metadata
o Information about the structure, description, relationship and
administration of assets.
Operational Metadata
o Point of view metadata on runtime variables, statistical processes,
matrix operations that explain how data was created and/or
transformed.

25. METADATA LIFECYCLE

26. DATA MODELS, STANDARDS, & POLICIES
Rolled out in Q1- 2017
NT ISO Model Management Process
The process for creating, maintaining, and publish a complete and
consistent “single version of the truth” for the NT ISO data model
Standards & Policies Library
A repository for data policies and standards across all pillars of
enterprise data services
Enterprise Data Services VISA
An EPMO vehicle to govern and provide clear requirements to
project teams to achieve data standards and existing processes

29. • Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union
General Data Protection Regulation. Clients are solely responsibility for obtaining advice of competent legal counsel as to the
identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the
clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein
are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing
advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a
purchasing decision.
• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code
or functionality. Information about potential future products may not be incorporated into any contract.
• The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
• Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput
or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of
multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no
assurance can be given that an individual user will achieve results similar to those stated here.
None of the statements contained herein constitutes legal advice – it is process advice only.
Disclaimer

30. Appendix

31. WHAT IS ENTERPRISE DATAARCHITECTURE
AND WHAT IS THE VALUE?
The purpose of Enterprise Data Architecture is to define data tools strategy, modeling
standards, and conceptual/logical models for Northern Trust enterprise data.
ü U9lizes enterprise tools that support trusted, relevant, and governed
informa9on
ü Enables Northern Trust to meet or exceed client and regulator expecta>ons
and obliga>ons through data lineage visualiza9on from source to
consump9on
ü Reuses architectural design paQerns and u9lizes a centralized metadata
repository and informa9on governance catalogue to reduce development
>me
ü Provides standard informa>on models that enhance messaging formats and
drive down risk
ü Builds a culture within the organiza9on to treat data as a Northern Trust
asset
ü Capitalizes on current design pacerns to speed development and data
consump9on
What it is
The value
The processes and prac9ces
that leverage informa9on
assets, rules, policies,
standards, models, and tools to
support metadata
management and informa9on
architecture, for successful
integra9on and with enterprise
programs.

32. DATA TOOLS REFERENCE ARCHITECTUREData Tools Reference Architecture
Operational
Data Sources
Services Tier
Flat Files
Oracle
Client Tier
Web
Clients
Desktop
Clients
Engine Tier
XML
DB2
DataStage
Quality Stage
Connectors
Packs
Service Agents
Quality Stage
Services
Information Analyzer
Services
Information Services
Director Services
DataStage Services
Workbench Services
Connector Access
Services
Common Services
Metadata Exchange
Metadata Services
Data ManagementDesign
ER StudioData Architect
Rational
Architect
Repository Tier
IA Repository
Metadata Repository
Engine Tier
DataStage
Quality StageInformation Analyzer
Information Services
Director
Metadata
Workbench
Repository Tier
MDM AE Repository
MDM AE
MDM Services
MDM CE
MDM Services
MDM RDM
MDM Services
MDM CE Repository
MDM RDM
Repository
MSSQL
NoSQL
Hadoop
Blueprint Blueworks
ER Studio
Repository
Data Architect
Repository
RA Repository
Blueprint
Repository
Blueworks
Repository
Composite
Hive
NTRS Application
SQL,TSQL, BTEQ, JCL
Load Utilities, Stored
Procedures,
Functions
Iteraplan
Iteraplan
Repository
Composite
Messages
Sybase

33. DATA TOOLS CONCEPTUAL ARCHITECTUREData Tools Conceptual Architecture
Data Modeling
Logical/Physical
Modeling Tool
Operational
Repository
Data Integration
Data Governance
Data Profiling
Data Rules
Reference
Repository
Data Lineage
Business
Glossary
Information
Modeling
Information
Modeling Tool
Operational
Repository
Asset
Management
Asset
Management
Tool
Operational
Repository
SDLC
Version Control
Repository
Discovery
Analysis
Repository
Data
Management
Semi Relational
Non-Relational
Relational
BusinessProcess
Modeling
BPM Tool
Operational
Repository
BI
Analytics Tool
Operational
Repository
Knowledge Center
Thin Clients
Thick Clients
ETL/ELT
Data Replication
Data Services
Operational
Repository
Virtualization/
Federation
Publish
Exchange
Store
Browse
Implemented
Capable
2017
Implementation