Are you ready? The new GDPR is here (webinar slides, 23 March 2017)

Are you ready? The new GDPR Regulation is here. Methodology, Solution, OnRamps, Strategy.


Slide 1: B2B Tech Marketing
Are you ready? The New General Data Protection Regulation (GDPR) is Here
Activate Webinar. Sponsored by:

Slide 2: Today's presenters (B2B Tech Marketing :: activatems.com)
• Stan Gibson, Moderator, Activate
• Gregory Campbell, Governance, Regulatory and Legal Consultant, IBM Analytics
• Richard Hogg, Global GDPR & Governance Offerings Evangelist, IBM Analytics

Slide 3: Biographies (© 2017 IBM Corporation)
Richard Hogg, Global GDPR & Governance Offerings Evangelist. With 15+ years of experience across RM & ECM, in the last 6 years he has consulted with Fortune 10 organisations to assess information governance initiatives and their cost and risk, developing business cases with focused recommendations on quick wins to further the client's objectives by engaging with them on executing an IG programme. Client benefits have covered defensible disposal, eDiscovery, records and retention management, privacy, legacy data cleanup and archiving. In the last 2.5 years he has consulted with global organisations progressing their GDPR readiness and execution. Frequent speaker at AIIM, ARMA, MER, LegalTech, Insight and IPBA. rghogg@us.ibm.com
Gregory Campbell, Governance, Regulatory and Legal Consultant. As a subject matter expert for IBM, Gregory specialises in the detail and the practicalities of the GDPR. Aside from multiple client engagements and workshops, he has spoken at 20+ events and webinars on the topic. He has a BA Hons. in Law and an MA, both from the University of Cambridge. Prior to IBM, he trained with a Silver Circle London legal firm and subsequently worked as a litigation and dispute resolution focused solicitor in London, culminating in a client-appointed role on a significant arbitration matter at a top-10 London legal firm. He moved into the legal technology sector as legal counsel and consultant for an eDiscovery consultancy, followed by a senior role within the litigation support function of a Magic Circle London legal firm, concentrating on eDiscovery and Information Governance. gcampbell@uk.ibm.com
(IBM Confidential)

Slide 4: Poll Question 1. Does GDPR apply to your organisation?
1. Yes
2. No
3. Not sure
4. Don't know what GDPR is
Slide 5: GDPR Background and Overview
Richard Hogg, Global GDPR & Governance Offerings Evangelist, rghogg@us.ibm.com

Slide 6: Notice
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients' business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. References to GDPR are references to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Slide 7: Are you Ready?

Slide 8: The General Data Protection Regulation (GDPR) applies from 25 May 2018
• The GDPR was published in the Official Journal on 4 May 2016 and, after a two-year transition period, applies from 25 May 2018 to any organisation that operates in the EU market, including (under Article 3) organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
• Introduces cross-industry breach notification: to the supervisory authority within 72 hours of becoming aware of the breach, where feasible (Article 33), and to affected individuals without undue delay where the breach is likely to result in a high risk to them (Article 34), with the associated risk of severe reputational harm.
• Non-compliance can lead to administrative fines of up to €20m or 4% of total annual worldwide turnover, whichever is higher, so now is the time to build on the foundations you already have to ensure you Protect, Govern and Know Your Data.

Slide 9: How do you rate your organisation's ability to track personal data? (chart from the Hurwitz & Associates survey, 2 March 2017: https://securityintelligence.com/prepared-for-the-general-data-protection-regulation-gdpr-top-10-findings-from-hurwitz-associates-survey/)
Slide 10: Why does the EU GDPR matter outside the EU?
Gregory Campbell, Governance, Regulatory and Legal Consultant, IBM Analytics, gcampbell@uk.ibm.com

Slide 11: The GDPR envisages a global reach: extra-territoriality (GDPR Article 3)

Slide 12: Data Protection in the EU, a working definition (diagram labels: Data Governance, Data Privacy, Data Security, EU Data Protection)

Slide 13: Privacy Shield and GDPR: how do they interrelate?

Slide 14: GDPR Technical Preparedness Overview
Gregory Campbell, Governance, Regulatory and Legal Consultant, IBM Analytics, gcampbell@uk.ibm.com
Slide 15: GDPR Technical Preparedness: Key Duties, Obligations & Sanctions
(Wheel diagram, repeated on slides 16 to 21 and 24: Rights of EU Data Subjects; Security of Personal Data; Lawfulness and Consent; Accountability of Compliance; Design and Default; Administrative Fines for Non-Compliance; Archiving; Legal Curation; Records & Retention)

Slide 16: Rights of EU Data Subjects
• Enhanced rights for data subjects in the EU, including erasure, access and portability
✓ Maintain data quality: amend, manipulate, erase and export data into usable formats in both structured and unstructured environments

Slide 17: Security of Personal Data
• Need to ensure a level of security appropriate to the risk (Article 32), including 72-hour breach reporting
✓ Implement pervasive and intelligent internal and external network defences and restrictions to reduce data risks, including data minimisation, pseudonymisation and encryption techniques

Slide 18: Lawfulness and Consent
• Processing is only lawful if it rests on one of the Article 6(1) bases: consent, contractual necessity, legal obligation, vital interests, public interest or official authority, or legitimate interests
✓ Keep data subjects informed and manage requests in a transparent, efficient and effective manner, and consider appointing a DPO

Slide 19: Accountability of Compliance
• The need to demonstrate compliance with the principles relating to personal data processing pervades the GDPR
✓ Consider how compliance can be proven, including data protection impact assessments, codes of conduct and proactive certification

Slide 20: By Design and By Default
• Data controllers must implement technical and organisational measures which demonstrate compliance with GDPR core principles (Article 25)
✓ Plan for this in the long term, e.g. instrument and manage data syndication and data lineage

Slide 21: Administrative Fines for Non-Compliance
• Regulators can impose administrative fines of up to €20m or 4% of total annual worldwide turnover, whichever is higher
• Additional powers are also or alternatively available to regulators, including gaining access to data and premises, and auditing
Slide 22: Poll Question 2. Your main GDPR preparedness gaps are?
1. No risk readiness assessment done yet
2. No personal data discovery/inventory yet
3. Know what and where our personal data is, but can't yet address rights to access, rectification, erasure...
4. Consent: not yet considered how to
5. Security & breach reporting management

Slide 23: GDPR Architectural Preparedness Overview
Richard Hogg, Global GDPR & Governance Offerings Evangelist, rghogg@us.ibm.com

Slide 24: GDPR Architectural Preparedness (the key duties wheel from slide 15)

Slide 25: GDPR Architectural Preparedness: Broad Requirements & Broad Capabilities (requirements shown: Lawfulness and Consent, Design and Default, Rights of EU Data Subjects, Accountability of Compliance, Security of Personal Data)
Slides 26 to 30: GDPR Architectural Preparedness, solution framework built up layer by layer. The same diagram grows across the five slides: requirements down the left (Lawfulness and Consent, Design and Default, Rights of EU Data Subjects, Accountability of Compliance, Security of Personal Data) and governance artefacts across the top (Policies, Rules, Audit, Processes, Analyses).
• Slide 26, Dynamic Policy Management: define what, why, how long
• Slide 27, Implementation Services / Data Management: distribute policies to data sources
• Slide 28, Data Infrastructure: control use, align cost to value. Data sources: Email Servers; User Devices & File Shares; ECM & Collaboration; Archive Platform; Master Data; Cloud & Social; Databases & Data Warehouse; Hadoop Platform
• Slide 29, Security & Compliance Monitoring, spanning all layers
• Slide 30, the complete Solution Framework

Slide 31: GDPR Architectural Preparedness: Solution Framework mapped to IBM technology (IBM Case Manager, InfoSphere, IBM Atlas, Optim)
Slide 32: GDPR On-Ramps: Where To Start?
Richard Hogg, Global GDPR & Governance Offerings Evangelist, rghogg@us.ibm.com

Slide 33: Common On-Ramps
Governance Layer: • Metadata & Policy Management • Compliance Management
Data Management Layer: • Information Lifecycle Management
Compliance & Security Layer: • Security & Privacy • Information Governance Utility Services • Subject Rights Management
Other diagram labels: Sensitive data; Users; Activity; Identity & Access Management; Incident correlation & identification; CISO, DPO, CPO; Group Compliance; Legal; Security Incident Management & Reporting; DBA; DB & File Activity Monitoring; Data & Policy Governance; Retention & Disposal; Data Discovery & Classification; Masking & Encryption; Vulnerabilities (databases, apps, infrastructure); Dynamic blocking

Slide 34: GDPR On-Ramp Capabilities
• Data Assessment (main products: Information Analyzer, Information Governance Catalog, StoredIQ)
• Data Security (main products: StoredIQ, Guardium)
• Information Governance (main products: IBM Information Governance Catalog, Atlas)
• Consent Management (main products: IBM Master Data Management, consent asset from IBM Research)
• Right to Erasure (main products: IBM Case Manager, Atlas, StoredIQ, Optim)
• Data Pseudonymisation (main product: IBM Optim Data Privacy)

Slide 35: Data Assessment: Overview of GDPR QuickStart
Purpose:
• IBM's GDPR Quick Start is a fast and effective engagement to help clients identify and assess specific data and processes potentially impacted by the GDPR and start the client's journey towards GDPR readiness
• Time-boxed, 8 to 10 week effort, led by senior IBM analytics consultants
Approach:
• Applying IBM Analytics tools and methodology for structured and unstructured data, we provide a repeatable process for determining where sensitive data is stored and how it is protected and processed
• We present the results of executing this process against a selection of the client's systems, and a proposal of next steps
• From this, clients can assess the risk of GDPR to their organisation's specific landscape and agree on a roadmap towards GDPR readiness, based on an extrapolation to the full exercise
Outcome:
• Identification of sensitive data
• Assessment of information handling procedures
• Development of a roadmap to address GDPR gaps
• Data inventory report, presentation of assessment results and roadmap
• Prioritised roadmap of existing and required client initiatives
Slide 36: Data Discovery & Mapping
In order to meet GDPR requirements, many organisations will need to improve their understanding of the personal data they hold through a mapping exercise. IBM's data mapping approach is targeted and efficient. There are four key stages:
Step 1, Define objectives and outputs: Clarify the scope of the mapping exercise and the purpose and format of outputs. Prepare and agree templates for each stage. Define appropriate IT and business teams to cover the scope. Secure access to SMEs. Establish the client's approach to defining personal data.
Step 2, Bottom-up identification: Establish a catalogue of operational and MI data stores with IT SMEs. Define their owners, purpose and content as far as possible. Validate IT understanding with the business.
Step 3, Top-down identification: Work with business SMEs to identify further stores related to their processes. Define purpose, owner and content. Iterate any outstanding questions back to IT.
Step 4, Personal data identification: Work with business SMEs to establish which data is directly or indirectly personal data, taking account of the likelihood of joins across data sets given the organisational and technical measures in place. Capture findings in an information catalogue aligned to the Article 30 Record of Processing Activities.
IBM can accelerate and enhance the data mapping activity through the use of the data discovery tools StoredIQ and InfoSphere Information Analyzer, with IBM Atlas providing an enterprise-class information catalogue.

Slide 37: Information Governance: Overview of Atlas to help with Article 30 readiness
Purpose:
• GDPR Article 30 lists a set of requirements which have been loosely described by the GDPR consulting community as "data mapping"
• Atlas includes a set of capabilities that can help organisations map their data across the enterprise
Approach:
• Supports creation and management of an inventory of all data sources (data-oriented entities: processes, applications, repositories, etc.)
• Extensible entity attributes (owners, stewards, location, etc.)
• Applicable to all data forms (structured, unstructured, electronic and physical)
• Information types (e.g. client account records) listed for each data source
• Each information type cross-referenced to relevant legislation and regulation
• Data sources map policies (such as retention rules) to all information types associated with the data source
Outcome:
• IBM Atlas can help enable the organisational and technical measures taken by an organisation as part of demonstrable efforts towards satisfying the requirements of Article 30, as well as providing additional value by supporting data subject rights (Articles 12-22) and the pervading principles (Article 5)

Slide 38: Data Security: Overview of StoredIQ and Guardium for data security
Purpose:
• GDPR requires organisations to implement technical and organisational measures appropriate to the risk so that personal data stays secure (Article 32)
• Solution for protection of GDPR personal data, encryption of personal data, and assessment of personal data processors and controllers
Approach:
• Identify personal data across unstructured data sources using StoredIQ
• Once files have been identified, use Guardium to encrypt them for enhanced security
Outcome:
• Sensitive information is encrypted, or access is limited to only those that require it

Slide 39: Consent Management: Overview of IBM Research consent management capabilities
Purpose:
• Consent is an important factor in the lawfulness of personal data processing under GDPR
• Current approaches may not provide linkage between consent, data usage policies and sensitive data
Approach:
• IBM's approach links the user's data to the related consent
• Management of consent templates and user consent contracts
• Infrastructure-level enforcement
• Helps automate proof-of-compliance reporting
Outcome:
• Enterprise tools for modelling and managing data governance and privacy policies
• Purpose-based data access
• Increased transparency and consumer control over what data is collected and what it is used for

Slide 40: Right to Erasure: Overview of IBM right to erasure capabilities
Purpose:
• EU data subjects are granted certain rights, including the right to data access, rectification and erasure
Approach:
• Workflow routing and handling of requests, including review, approval and rejection
• 360° view of data: what data is where, and what the data retention rules and other legal/regulatory requirements are
• Provide justification for disposal/retention, with full auditing
Outcome:
• Handling of client requests, process and fulfilment
• Client data erased, or exceptions fully documented
• Privacy by Design

Slide 41: Data Pseudonymisation: Overview of the IBM Optim solution
Purpose:
• De-identify confidential data on demand throughout the enterprise to help protect customer information while retaining the ability to analyse personal data
Approach:
• Mask confidential data dynamically in data environments and in the cloud
• Apply a range of masking techniques to transform personally identifying information and other confidential corporate data
• Apply predefined, actionable data privacy classifications and rules which help speed the time to implementation and provide a method to report on compliance
• Take advantage of pre-packaged data masking routines to transform complex data elements, such as credit card numbers, email addresses and national identifiers, while retaining their contextual meaning
Outcome:
• Helps protect sensitive data from misuse and fraud
• Provides a technical measure to help reduce the potential for personal data being breached
(Illustration: BankCard example)
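Slides 36, 38 and 41 describe two steps in sequence: discover personal data in unstructured sources, then mask it so that it remains usable for analysis and for joins across data sets. The block below is an added example written for this page; it is not IBM code and not a description of how StoredIQ or Optim implement these steps. It assumes a keyed HMAC (SHA-256) as the pseudonymisation primitive, a constructed sample record and a constructed demo key; the card-number regex, the Luhn filter and the choice to keep the issuer prefix and the email domain are the example's own design decisions.

```python
import hashlib
import hmac
import re

# Constructed demo key. In a real deployment the key comes from a KMS or HSM and
# is stored apart from the pseudonymised data: it is the "additional information"
# of GDPR Art. 4(5) that makes the output pseudonymous rather than anonymous.
MASKING_KEY = b"demo-key-do-not-use"

# 13 to 19 digits with optional single space/hyphen separators, on word boundaries.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_check_digit(payload: str) -> str:
    """Return the digit that makes payload + digit pass the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                 # the digit next to the check digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(candidate: str) -> bool:
    """True if the digits in candidate form a Luhn-valid number of card length."""
    digits = re.sub(r"\D", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_check_digit(digits[:-1]) == digits[-1]


def discover(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for personal data found in free text.

    Card candidates must pass Luhn; that drops most order, tracking and phone
    numbers that merely look like card numbers.
    """
    found = [("email", m.group()) for m in EMAIL_RE.finditer(text)]
    found += [("card", m.group()) for m in CARD_RE.finditer(text) if luhn_valid(m.group())]
    return found


def pseudonymise_card(card: str, key: bytes = MASKING_KEY) -> str:
    """Format-preserving pseudonym for a card number.

    Keeps the length, the separator positions and the 6-digit issuer prefix (so
    issuer-level analytics still work), replaces the account digits with an
    HMAC-derived value and recomputes the Luhn check digit so the result still
    validates like a card number. Same key + same input -> same output.
    """
    digits = re.sub(r"\D", "", card)
    middle_len = len(digits) - 7       # 6 prefix digits and 1 check digit stay structural
    mac = hmac.new(key, digits.encode(), hashlib.sha256).digest()
    middle = str(int.from_bytes(mac, "big")).zfill(middle_len)[-middle_len:]
    payload = digits[:6] + middle
    new_digits = iter(payload + luhn_check_digit(payload))
    return "".join(next(new_digits) if ch.isdigit() else ch for ch in card)


def pseudonymise_email(email: str, key: bytes = MASKING_KEY) -> str:
    """Keep the domain, replace the local part with a 12-hex-char keyed token."""
    _, domain = email.rsplit("@", 1)
    token = hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:12]
    return f"{token}@{domain}"


def pseudonymise_text(text: str, key: bytes = MASKING_KEY) -> str:
    """Replace every discovered card number and email address in place."""
    text = CARD_RE.sub(
        lambda m: pseudonymise_card(m.group(), key) if luhn_valid(m.group()) else m.group(),
        text,
    )
    return EMAIL_RE.sub(lambda m: pseudonymise_email(m.group(), key), text)


# Constructed sample record: one Luhn-valid test card number, one email address,
# and a shipment reference that looks like a card number but fails Luhn.
SAMPLE = (
    "Ticket 4471: customer jane.doe@example.com paid with card 4111 1111 1111 1111 "
    "on 2017-03-23; shipment ref 1234 5678 9012 3456 is not a card."
)

if __name__ == "__main__":
    for kind, value in discover(SAMPLE):
        print(f"found {kind}: {value}")
    print(pseudonymise_text(SAMPLE))
```

Two properties matter to a practitioner here. The mapping is deterministic under one key, so the same card or address pseudonymises identically in every data set and joins still work, which is precisely the linkability slide 36 says makes data indirectly personal: the key must therefore be held apart from the data, and the output is still personal data under the GDPR (pseudonymisation under Art. 4(5), not anonymisation). Format preservation also has a cost: keeping the issuer prefix and the email domain leaks a little about the original, so drop them wherever downstream analysis does not need them.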
Slide 42: Q&A. Please submit your questions now!
• Stan Gibson, Moderator, Activate
• Gregory Campbell, Governance, Regulatory and Legal Consultant, IBM Analytics
• Richard Hogg, Global GDPR & Governance Offerings Evangelist, IBM Analytics

Slide 43: Poll Question 3. Your GDPR next steps are?
1. Decide on strategy & achieve board endorsement
2. Complete a risk readiness assessment
3. Complete a personal data discovery & inventory
4. Determine which of the on-ramps to prioritise

Slide 44: Q&A. For further information: www.ibm.com/gdpr

Slide 45: Are you Ready?

Slide 46: Thank You for Attending! www.ibm.com/gdpr, www.activatems.com
