GDPR is coming: May 25, 2018 brings a whole new order of EU personal data privacy and protection rights, duties and obligations. What changes, what is your risk, and how can you start to prepare?
How can a unified governance strategy and its capabilities transform your information governance program and provide a framework for personal data?
How can that strategy leverage metadata to support and accelerate meeting regulatory obligations?
GDPR – What is it?
Effective May 25, 2018. Potential penalty: up to 4% of global annual turnover or €20M, whichever is higher, per infringement. Global impact: it applies to any organisation processing the personal data of people in the EU, wherever the organisation is located.
Five key General Data Protection Regulation obligations:
• Rights of EU data subjects
• Security of personal data
• Consent
• Accountability of compliance
• Data protection by design and by default
Case study: toxic data in unstructured storage*
Concern: toxicity potential in unstructured data.
Need: an approach to identify, tag and delete toxic data.
Solution: a storage management tool that allows metadata tagging.
Result: 53% of unstructured data flagged; identified as dormant for more than 5 years, with a big portion possibly toxic.
Next steps: work with the data owners to choose whether to delete or otherwise address the flagged data.
*2016 survey of North American financial services.

Personal data? "any information relating to an identified or identifiable natural person" (GDPR Art. 4(1); the same wording appears in Directive 95/46/EC Art. 2(a), which the GDPR replaces).
Direct identifier: e.g. name, passport number, phone number.
Indirect identifier: e.g. a job title held by exactly one person, such as "IBM Global GDPR Evangelist".
GDPR client observations
The Hare: "We understand what needs to be done and we'll make the necessary incremental changes." (a European bank)
The Tortoise: "Where do we begin? The regulations are so confusing; what solutions does IBM provide?" (a multinational transportation org; a multinational logistics org)
The Ostrich: "We have heard of GDPR, but we are going to take a wait and see approach until an enforcement action." (a multinational airline; a multinational pharma org)
GDPR takes more than just technology
There are five key areas that need to be addressed: governance; people & communication; processes; data; security.
IBM's overall GDPR framework: 5 phases to readiness

Phase 1, Assess
Activities: conduct GDPR risk and privacy assessments across governance, people, processes, data and security; develop a GDPR readiness roadmap; identify and map personal data.
Outcome: assessments and roadmap. GDPR impact identified and Technical and Organisational Measures (TOMs) planned.

Phase 2, Design
Activities: design governance, training, communication and process standards; design privacy, data management and security management standards.
Outcome: defined implementation plan, including the data protection controls, processes and solutions to be implemented.

Phase 3, Transform
Activities: develop and embed procedures, processes and tools; deliver GDPR training; develop and embed standards and policies using Privacy by Design and Security by Design; detailed data discovery.
Outcome: process enhancements completed. TOMs in place: personal data discovery, classification and governance.

Phase 4, Operate
Activities: execute all relevant business processes; monitor security and privacy using the TOMs; manage consent and data subject access rights.
Outcome: operational framework in place; begin the new GDPR-ready way of working.

Phase 5, Conform
Activities: monitor, assess, audit, report and evaluate adherence to GDPR standards.
Outcome: ongoing monitoring and reporting. Monitor TOM execution; deliver compliance evidence to internal and external stakeholders.
InfoGov capabilities needed for GDPR
Program and data governance: goals • policies • rules • compliance • vendor management • terminology • people
Data lifecycle: identification • classification • masking • archiving
Data catalog: metadata management • IT objects • impact analysis
Data subject services: enquiry • correction • erasure • portability • notification
Data protection: privacy program design • risk assessment • access management • identity governance • monitoring & audit • incident response
Orchestration: processes • rules • consent
Personal data in scope: structured data, unstructured data, physical information assets (printed documents, …)
Roles: data subjects, data privacy officer, data steward
New IBM GDPR accelerators
Compare & Comply: improved insight, with the ability to load contracts for Watson to analyze and consider the key language, clauses or paragraphs driving the need for further analysis or change.
Cognitive Insights: IBM Regulatory Compliance Analytics with IBM Watson; digest the GDPR and identify controls and obligations.
GDPR Cartridges: plug-in, extensive unstructured personal data discovery rules using both RegEx and machine learning.
Data Protection: structured personal data discovery and classification; personal data access and data subject rights audit trails; GDPR reports; GDPR data risk dashboard.
GDPR Industry Model: GDPR-supportive content taxonomy with predefined terms and data model elements mapped against each Article.
Incident Response: GDPR program preparatory guide, GDPR incident simulation, and GDPR-enhanced privacy module.
Subject 360 Access: discover and register data sources and the personal data they contain; golden record identification with workflows for all citizen SAR (subject access request) requests.
Purposeful Consent by Design: consent service available enterprise-wide, linking data to usage and specific per-citizen consent.
(Diagram: security; regulations & contracts; personal data; find personal data; unified catalog.)
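The discovery-and-tagging approach from the toxic-data case study above (identify, tag, then hand flagged objects to their data owners) and the RegEx half of the unstructured personal data discovery rules listed under GDPR Cartridges, as an added Python example. This is not IBM's code or any product's rule set: the three detection rules, the tag names and the sample documents are constructed for illustration. It scans each document for one of the direct identifiers the deck names (phone number) plus e-mail addresses and IBANs, drops IBAN look-alikes that fail the ISO 13616 mod-97 checksum, suppresses overlapping matches so an account number is not also counted as a phone number, tags the document, and masks the findings.

```python
import re
from dataclasses import dataclass, field

# Detection rules, constructed for this example; a real rule catalogue is
# larger and jurisdiction-specific. Order matters: stricter, longer patterns
# run first so that they claim their span before looser ones see it.
RULES = [
    ("iban", re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}\s?[A-Z0-9]{1,4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("phone", re.compile(r"(?<![\w/])\+?\d[\d\s().-]{8,16}\d\b")),
]


def iban_valid(candidate: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the resulting integer must be 1 mod 97."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1


@dataclass
class Finding:
    rule: str
    value: str
    offset: int


@dataclass
class ScanResult:
    doc_id: str
    findings: list = field(default_factory=list)

    @property
    def tags(self) -> set:
        """Metadata tags to attach to the object in the storage catalogue."""
        return {f.rule for f in self.findings}

    @property
    def contains_personal_data(self) -> bool:
        return bool(self.findings)


def scan_document(doc_id: str, text: str) -> ScanResult:
    result = ScanResult(doc_id)
    claimed = []  # (start, end) spans already attributed to a rule
    for rule, pattern in RULES:
        for m in pattern.finditer(text):
            start, end = m.span()
            if any(start < e and s < end for s, e in claimed):
                continue  # overlaps a higher-priority finding
            if rule == "iban" and not iban_valid(m.group(0)):
                continue  # looks like an IBAN but fails the checksum
            claimed.append((start, end))
            result.findings.append(Finding(rule, m.group(0), start))
    return result


def mask(text: str, result: ScanResult) -> str:
    """Replace each finding with a <rule> token, working from the end of the
    text so earlier offsets stay valid."""
    for f in sorted(result.findings, key=lambda f: f.offset, reverse=True):
        text = text[:f.offset] + f"<{f.rule}>" + text[f.offset + len(f.value):]
    return text


def review_list(results) -> dict:
    """doc_id -> sorted tags, for the documents data owners must decide on."""
    return {r.doc_id: sorted(r.tags) for r in results if r.contains_personal_data}


# Constructed sample documents (no real people or accounts). The IBAN in
# DOC1 is the widely used GB example value; the one in DOC3 fails mod-97.
DOC1 = ("Meeting notes: call Maria at +44 20 7946 0958 or "
        "maria.lopez@example.com; refund to IBAN GB82 WEST 1234 5698 7654 32.")
DOC2 = "Storage report 2016: 53% of files dormant for more than 5 years; no owner assigned."
DOC3 = "Reference code GB00 WEST ABCD EFGH IJKL looks like an IBAN but fails the checksum."

if __name__ == "__main__":
    docs = {"doc1": DOC1, "doc2": DOC2, "doc3": DOC3}
    results = [scan_document(name, text) for name, text in docs.items()]
    for r in results:
        print(r.doc_id, sorted(r.tags), mask(docs[r.doc_id], r))
    print(review_list(results))
```

Two caveats a practitioner will hit immediately. Regular expressions only find identifiers with a fixed shape; the name "Maria" in DOC1 is personal data too, and catching it needs the machine-learning (entity recognition) half of the rule set. And every pattern has false positives, which is why the IBAN rule validates the checksum and why the scanner's output is a review list for data owners rather than an automatic delete.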
Library analogy
• How to easily find relevant information (books, authors)?
• How to go about archiving important content (microfilm)?
• How to go about life cycle management of books?
• How to restrict access to important content (policy management)?
Catalog • Archive • Dispose • Access
Use cases driving a unified governance strategy
Governance for compliance: discover, classify and manage information in ways that meet the obligations enforced by both regulatory and corporate mandates.
• Regulations (e.g. GDPR)
• Privacy & protection
• eDiscovery
• Records & retention
• Archiving
• Audit readiness
Governance for insights: provide safe access to trusted, high quality, fit-for-purpose data while facilitating effective collaboration among team members.
• Self-service access to data & analytics
• Governed enterprise information repositories (such as data lakes)
High quality, timely information for all
Empowered data scientists uncovering unique insights; an empowered organization; better business outcomes.
• Leverage the value of your data, unlocking insight that drives competitive advantage every time you access data.
• Capitalize on the data and derive revenue from a solid information governance foundation that makes data simplified and actionable.
Make data make money
What our customers are saying
Governance for compliance
• Helps ensure data privacy and facilitate compliance with regulations such as the GDPR.
• 50% faster creation of test datasets helps to accelerate development cycles.
• Cuts storage costs by significantly reducing the size of test datasets.
• Eases compliance with data-retention regulations.
• 94.2% reduction in the amount of data unnecessarily stored cuts costs and risk.
• Takes the headache out of audits by providing a clear track record and reporting.
Governance for insights
• Enables a smoother user experience for shoppers across channels and brands.
• 10 times faster response times for the 1-800-Flowers.com mobile app.
• Improves the quality of customer data and enables deeper insight.
• Empowers IT and business users to collaborate in establishing and using common terminology.
• Supports business intelligence and confident decision-making.
• Accelerates analytics for faster insight.
Executive summary: strategic vision for metadata to support regulatory issues
• NT Metadata Registry
• Benefits
• Approach
• Timeline
• Metadata strategy
• Data models, standards, & policies
• NT ISO initiative
NT Metadata Registry benefits
What's in it for me?
• Increased understanding of NT's data.
• A searchable catalog of Northern Trust's data assets.
• Transparency into the location, definition and usage of NT's data assets.
• Standardization of NT's data designs, shared definitions and asset reuse.
Why do we care?
• Increase collaboration.
• Expose data lineage through all layers (e.g. CCAR, EDP, AML).
• Reduce project delivery time and scope creep.
• Reduce risk.
• Reduce development time.
What I need your help with:
• Granting connections to the system catalog(s) so the physical schema can be reverse engineered for IIS lineage. We are not looking at the transactional data.
• SME help for the SOR, BPM, inflows and outflows.
NT Metadata Registry: definitions
Metadata registry: the central location in an organization where metadata definitions are stored.
Metadata management: the end to end process and governance framework for the creation, controlling, enhancing, attributing, defining and management of structured and unstructured data.
Design metadata: information about the structure, description, relationships and administration of assets.
Operational metadata: point of view metadata on runtime variables, statistical processes and matrix operations that explain how data was created and/or transformed.
Data models, standards, & policies (rolled out in Q1 2017)
NT ISO Model Management Process: the process for creating, maintaining and publishing a complete and consistent "single version of the truth" for the NT ISO data model.
Standards & Policies Library: a repository for data policies and standards across all pillars of enterprise data services.
Enterprise Data Services VISA: an EPMO vehicle to govern and provide clear requirements to project teams to achieve data standards and follow existing processes.
Disclaimer
• Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients' business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
• IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion.
• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.
• The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
• Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
None of the statements contained herein constitutes legal advice; it is process advice only.
What is Enterprise Data Architecture and what is the value?
What it is: the purpose of Enterprise Data Architecture is to define data tools strategy, modeling standards, and conceptual/logical models for Northern Trust enterprise data. It comprises the processes and practices that leverage information assets, rules, policies, standards, models, and tools to support metadata management and information architecture, for successful integration with enterprise programs.
The value:
✓ Utilizes enterprise tools that support trusted, relevant, and governed information
✓ Enables Northern Trust to meet or exceed client and regulator expectations and obligations through data lineage visualization from source to consumption
✓ Reuses architectural design patterns and utilizes a centralized metadata repository and information governance catalogue to reduce development time
✓ Provides standard information models that enhance messaging formats and drive down risk
✓ Builds a culture within the organization to treat data as a Northern Trust asset
✓ Capitalizes on current design patterns to speed development and data consumption
Data Tools Reference Architecture
(Diagram; the labels below are recovered from the figure and grouped by the tier they were drawn in.)
Operational data sources: flat files, Oracle, XML, DB2, MSSQL, Sybase, NoSQL, Hadoop, Hive, messages, Composite, and NTRS application code (SQL, TSQL, BTEQ, JCL, load utilities, stored procedures, functions).
Client tier: web clients, desktop clients.
Services tier: DataStage services, Quality Stage services, Information Analyzer services, Information Services Director services, Workbench services, Connector Access services, Common services, Metadata Exchange, Metadata services, MDM services.
Engine tier: DataStage, Quality Stage, connectors, packs, service agents, Information Analyzer, Information Services Director, Metadata Workbench, MDM AE, MDM CE, MDM RDM.
Repository tier: IA repository, Metadata repository, MDM AE repository, MDM CE repository, MDM RDM repository, ER Studio repository, Data Architect repository, RA repository, Blueprint repository, Blueworks repository, Iteraplan repository.
Design and data management tools: ER Studio, Data Architect, Rational Architect, Blueprint, Blueworks, Iteraplan.
Data Tools Conceptual Architecture
(Diagram; component labels recovered from the figure. Legend: implemented, capable, 2017 implementation.)
Data modeling: logical/physical modeling tool with operational repository.
Information modeling: information modeling tool with operational repository.
Business process modeling: BPM tool with operational repository.
Asset management: asset management tool with operational repository.
BI: analytics tool with operational repository.
Data integration: ETL/ELT, data replication, data services (with operational repository), virtualization/federation.
Data governance: data profiling, data rules, reference repository, data lineage, business glossary.
Data management: relational, semi-relational, non-relational stores.
SDLC: version control repository.
Discovery: analysis repository.
Knowledge Center; thin clients; thick clients.
Metadata flows: publish, exchange, store, browse.