20170323 are you ready the new gdpr is here

B2B TECH MARKETINGB2B TECH MARKETING
Are you ready?
The New General Data
Protection Regulation
(GDPR) is Here
Activate Webinar Sponsored by:

B2B Tech Marketing :: activatems.com 2
Today’s presenters
Stan Gibson
Moderator
Activate
Gregory Campbell
Governance, Regulatory and Legal Consultant
IBM Analytics
Richard Hogg
Global GDPR & Governance Offerings Evangelist
IBM Analytics

© 2017 IBM Corporation 3
Biographies
Richard Hogg
Global GDPR & Governance
Offerings Evangelist
With 15+ years experience across RM & ECM, In the last 6
years he's consulted with Fortune 10 organizations to assess
information governance initiatives and their cost and risk,
developing business cases with focused recommendations on
quick wins to further the clients objectives, by engaging with
them on executing an IG Program.
Client benefits have covered defensible disposal, ediscovery,
records and retention management, privacy, legacy data
cleanup and archiving. In the last 2.5 years consulting with
global organizations progressing their GDPR readiness &
execution.
Frequent Speaker annually across AIIM, ARMA, MER,
LegalTech, Insight & IPBA.
rghogg@us.ibm.com
Gregory Campbell
Governance, Regulatory
and Legal Consultant
As a subject matter expert for IBM, Gregory has a specialism
in the detail and the practicalities of the GDPR. Aside from
multiple client engagements and workshops, has spoken at
20+ events and webinars on the topic. He has a BA Hons. in
Law and an MA, both from the University of Cambridge. In
respect of his career prior to IBM, he trained with a Silver
Circle London legal firm, and subsequently worked as a
litigation and dispute resolution focussed solicitor in London,
culminating in a client appointed role on a significant arbitration
matter at a top-10 London legal firm. He moved into the legal
technology sector as a legal counsel and consultant for an
eDiscovery consultancy, followed by a senior role within the
litigation support function of a Magic Circle London legal firm,
concentrating on eDiscovery and Information Governance.
gcampbell@uk.ibm.com
IBM Confidential

Poll Question 1
Does GDPR Apply to your Organisation?
1. Yes
2. No
3. Not sure
4. Don’t know what GDPR is
4

© 2017 IBM Corporation
GDPR
Background and Overview
Richard Hogg
rghogg@us.ibm.com

Notice
Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the
European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of
competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may
affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations.
The products, services, and other capabilities described herein are not suitable for all client situations and may
have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that
its services or products will ensure that clients are in compliance with any law or regulation.
References to GDPR are references to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Are you Ready?

The General Data Protection Regulation (GDPR) – Applies from 25 May 2018
§ The General Data Protection Regulation (GDPR) was
published on 4 May 2016, and will be immediately
applicable after a 2 year transition period on 25 May 2018
to any organisation which operates in the EU market
§ Introduces cross-industry 72H breach reporting to
regulators and without undue delay to individuals with
associated risk of severe reputational harm
§ Non-compliance has the potential to lead to huge fines of
up to €20m or 4% of total annual worldwide turnover, so
now is the time to build on the foundations you already
have to ensure you Protect, Govern and Know Your Data

How Do You Rate Your Organisation’s Ability to Track Personal Data?
Hurwitz & Associates Survey Results 2017-3-2
https://securityintelligence.com/prepared-for-the-general-data-protection-regulation-gdpr-top-10-findings-from-hurwitz-associates-survey/

Why does the EU GDPR matter
outside the EU?
Gregory Campbell
Governance, Regulatory and Legal Consultant, IBM Analytics

The GDPR Envisages a Global Reach – Extra-Territoriality
GDPR Article 3

Data
Governance
Data
Privacy
Data
Security
EU Data
Protection
Data Protection in the EU – A Working Definition

Privacy Shield and GDPR – How do they Interrelate?

GDPR
Technical
Preparedness Overview
Gregory Campbell
Governance, Regulatory and Legal Consultant, IBM Analytics

GDPR Technical Preparedness – Key Duties, Obligations & Sanctions
Archiving
Legal
Curation
Records &
Retention
Administrative Fines
for Non
Compliance
Rights of EU
Data Subjects
Security of
Personal Data
Lawfulness
and Consent
Accountability
of Compliance
Design
and Default

Archiving
Legal
Curation
Records &
Retention
for Non
Compliance
Rights of EU
Data Subjects
Security of
Personal Data
Lawfulness
and Consent
Accountability
of Compliance
Design
and Default
Rights of EU Data Subjects
• Enhanced rights for data subjects in the EU
including erasure, access and portability
ü Maintain data quality, amending, manipulating,
erasing and exporting it into usable formats in
both structured and unstructured environments

Archiving
Legal
Curation
Records &
Retention
for Non
Compliance
Rights of EU
Data Subjects
Security of
Personal Data
Lawfulness
and Consent
Accountability
of Compliance
Design
and Default
Security of Personal Data
§ Need to ensure a level of security appropriate to
the risk including 72H breach reporting
ü Implement pervasive and intelligent internal and
external network defences and restrictions to
reduce data risks, including data minimisation,
pseudonymisation and encryption techniques

Archiving
Legal
Curation
Records &
Retention
for Non
Compliance
Rights of EU
Data Subjects
Security of
Personal Data
Lawfulness
and Consent
Accountability
of Compliance
Design
and Default
Lawfulness and Consent
• Processing is only lawful if there is one of consent, necessity, legal obligation, protection, public interest, official authority or legitimate interest
ü Keep data subjects informed and manage requests in a transparent, efficient and effective manner, and consider appointing a DPO

Archiving
Legal
Curation
Records &
Retention
for Non
Compliance
Rights of EU
Data Subjects
Security of
Personal Data
Lawfulness
and Consent
Accountability
of Compliance
Design
and Default
Accountability of Compliance
• Need to demonstrate compliance with the
principles relating to personal data processing
pervades throughout the GDPR
ü Consider how compliance can be proven,
including data protection impact assessments,
codes of conduct and proactive certification

Archiving
Legal
Curation
Records &
Retention
for Non
Compliance
Rights of EU
Data Subjects
Security of
Personal Data
Lawfulness
and Consent
Accountability
of Compliance
Design
and Default
By Design and By Default
• Data controllers must implement technical and
organisational measures which demonstrate
compliance with GDPR core principles
ü Plan for this in the long term e.g. instrument and
manage data syndication and data lineage

Archiving
Legal
Curation
Records &
Retention
for Non
Compliance
Rights of EU
Data Subjects
Security of
Personal Data
Lawfulness
and Consent
Accountability
of Compliance
Design
and Default
Administrative Fines for Non-Compliance
§ Regulators can impose Administrative Fines of up to €20m or 4% of total annual worldwide turnover, whichever is higher
§ Additional powers also/ alternatively available to regulators, including gaining access to data and premises, and to auditing

Poll Question 2
Your main GPDR preparedness gaps are?
1. No risk readiness assessment done yet
2. No Personal Data Discovery/inventory yet
3. Know what and where our Personal Data is, but can’t
yet address Rights to Access, Rectify, Erasure…
4. Consent - not yet considered how to
5. Security & Breach Reporting Management

GDPR
Architectural
Preparedness Overview
Richard Hogg
rghogg@us.ibm.com

GDPR Architectural Preparedness
Archiving
Legal
Curation
Records &
Retention
for Non
Compliance
Rights of EU
Data Subjects
Security of
Personal Data
Lawfulness
and Consent
Accountability
of Compliance
Design
and Default

GDPR Architectural Preparedness – Broad Requirements & Broad Capabilities
Lawfulness
and Consent
Design
and Default
Rights of EU
Data Subjects
Lawfulness
and Consent
Accountability
of Compliance
Security of
Personal Data

GDPR Architectural Preparedness – Dynamic Policy Management
Dynamic Policy
Management:
Define what, why,
how long
Lawfulness
and Consent
Design
and Default
Rights of EU
Data Subjects
Lawfulness
and Consent
Accountability
of Compliance
Security of
Personal Data
P o l i c i e s R u l e s A u d i t
P r o c e s s e s An a l y s e s

GDPR Architectural Preparedness – Implementation Services/ Data Management
Dynamic Policy
Management:
Define what, why,
how long
Implementation
Services:
Distribute policies
to data sources
Data Management
Lawfulness
and Consent
Design
and Default
Rights of EU
Data Subjects
Lawfulness
and Consent
Accountability
of Compliance
Security of
Personal Data

GDPR Architectural Preparedness – Data Infrastructure
Dynamic Policy
Management:
Define what, why,
how long
Data
Infrastructure:
Control use,
align cost to
value
Implementation
Services:
Distribute policies
to data sources
Data Management
Email
Servers
User
Devices
& File
SharesECM &
Collaboration
Archive
Platform
Master
Data
Cloud &
Social
Databases &
Data Warehouse
Hadoop
Platform
Lawfulness
and Consent
Design
and Default
Rights of EU
Data Subjects
Lawfulness
and Consent
Accountability
of Compliance
Security of
Personal Data

GDPR Architectural Preparedness – Security & Compliance Monitoring
Dynamic Policy
Management:
Define what, why,
how long
Data
Infrastructure:
Control use,
align cost to
value
Implementation
Services:
Distribute policies
to data sources
Data Management
Email
Servers
User
Devices
& File
SharesECM &
Collaboration
Archive
Platform
Master
Data
Cloud &
Social
Databases &
Data Warehouse
Hadoop
Platform
Lawfulness
and Consent
Design
and Default
Rights of EU
Data Subjects
Lawfulness
and Consent
Accountability
of Compliance
Security of
Personal Data
Security&ComplianceMonitoring

GDPR Architectural Preparedness – Solution Framework
Dynamic Policy
Management:
Define what, why,
how long
Data
Infrastructure:
Control use,
align cost to
value
Implementation
Services:
Distribute policies
to data sources
Data Management
Email
Servers
User
Devices
& File
SharesECM &
Collaboration
Archive
Platform
Master
Data
Cloud &
Social
Databases &
Data Warehouse
Hadoop
Platform
Lawfulness
and Consent
Design
and Default
Rights of EU
Data Subjects
Lawfulness
and Consent
Accountability
of Compliance
Security of
Personal Data

GDPR Architectural Preparedness – Solution Framework – IBM Technology
IBM Case Manager
Dynamic Policy
Management:
Define what, why,
how long
Data
Infrastructure:
Control use,
align cost to
value
Implementation
Services:
Distribute policies
to data sources
Data Management
Email
Servers
User
Devices
& File
SharesECM &
Collaboration
Archive
Platform
Master
Data
Cloud &
Social
Databases &
Data Warehouse
Hadoop
Platform
Lawfulness
and Consent
Design
and Default
Rights of EU
Data Subjects
Lawfulness
and Consent
Accountability
of Compliance
Security of
Personal Data
InfoSphereIBM Atlas
Optim

GDPR
On-Ramps - Where To Start?
Richard Hogg
rghogg@us.ibm.com

Sensitive
data
Common On-Ramps
Governance Layer
• Metadata & Policy Mgmt
• Compliance Mgmt
Data Management Layer
• Info Lifecycle Mgmt
Compliance & Security Layer
• Security & Privacy
• Info Gov Utility Services
• Subject Rights Mgmt
Users
Activity
Identity & Access
Mgmt
Incidents
correlation &
identification
CISO, DPO, CPO
Group Compliance
Legal
Security Incidents
Mgmt &
Reporting
DBA
DB & File Activity
Monitoring
Data & Policy
Governance
Retention &
Disposal
Data
Discovery &
Classification
Masking &
Encryption
Vunerabilities
Databases, Apps,
Infrastructure
Dynamic
blocking

GDPR On-Ramp Capabilities
Data Assessment
(main products: Information Analyzer, Information Governance Catalog, StoredIQ)
Data Security
(main products: StoredIQ, Guardium)
Information Governance
(main products: IBM Information Governance Catalog, Atlas)
Consent Management
(main products: IBM Master Data Management, Consent asset from IBM Research)
Right to Erasure
( main products: IBM Case Manager, Atlas, StoredIQ, Optim)
Data Pseudonymization
(main product: IBM Optim Data Privacy)

Data Assessment – Overview of GDPR QuickStart
Purpose
Approach
Outcome
• IBM’s GDPR Quick Start is a fast and effective engagement to help clients identify and assess specific data
and processes potentially impacted by the GDPR and start the client’s journey towards GDPR readiness
• Time-boxed, 8 to 10 week effort, led by senior IBM analytics consultants
• Applying IBM Analytics tools and methodology for structured and unstructured data, we provide a repeatable
process for determining where sensitive data is stored, how it is protected and processed.
• We shall present the results of executing this process against a selection of the client's systems, and a
proposal of next steps.
• From this, clients can assess the risk of GDPR to their organisation's specific landscape and agree on a
roadmap towards GDPR readiness, based on an extrapolation to the full exercise.
• Identification of sensitive data
• Assessment of information handling procedures
• Development of a roadmap to address GDPR gaps
• Data inventory report, presentation of assessment results and roadmap
• Prioritised roadmap of existing and required client initiatives

Data Discovery & Mapping
In order to meet GDPR requirements, many organisations will need to improve
their understanding of the Personal Data they hold through a mapping exercise.
IBM’s Data Mapping approach is targeted and efficient. There are 4 key stages:
3
Step 1
Define objectives and
outputs
Step 2
Bottom-up
identification
Step 3
Top-down
identification
Clarify scope of mapping
exercise, purpose and format
of outputs.
Prepare and agree templates
for each stage.
Define appropriate IT and
business teams to cover
scope. Secure access to
SMEs.
Establish client approach to
defining personal data.
Establish catalogue of
Operational and MI data stores
with IT SME’s.
Define their owners, purpose
and content as much as
possible.
Validate IT understanding with
business.
Work with business SME’s to
identify further stores related
to their processes.
Define purpose, owner and
content.
Iterate back any
outstanding questions to IT
Step 4
Personal
data
identification
Work with business SME’s to
help establish which data is
directly or indirectly personal
data, taking account of
likelihood of joins across data
sets, given organisational and
technical measures.
Capture findings in
information catalogue
aligned to Art 30 Record of
Processing Activities
IBM can accelerate and
enhance the data mapping
activity through the use of
data discovery tools StoredIQ
and InfoSphere Information
Analyser, with IBM Atlas
providing an enterprise-class
Information Catalogue.

Information Governance – Overview of Atlas to help with Article 30 Readiness
Purpose
Approach
Outcome
• GDPR Article 30 lists a set of requirements which have been loosely described by the GDPR consulting
community as “data mapping”
• Atlas includes a set of capabilities that can help enable organisations to map their data across the enterprise
• Supports creation and management of an inventory of all data sources (data oriented entities - processes,
applications, repositories, etc.)
• Extensible entity attributes (owners, stewards, location, etc.)
• Applicable to all data forms (structured, unstructured, electronic and physical)
• Information types (e.g. client account records) listed for each data source
• Each information type cross-referenced to relevant legislation and regulation
• IBM Atlas can help enable the organisational and technical measures
taken by a Organization as part of demonstrable efforts towards
satisfying the requirements of Article 30 as well as providing additional
value by supporting data subject rights (Articles 12-22) and the pervading
principles (Article 5)
Data sources map policies
(such as retention rules) to all
information types associated
with the data source

Data Security – Overview of StoredIQ and Guardium for Data Security
Purpose
Approach
Outcome
• GDPR compliance requires that organizations take adequate measures to ensure that personally identifiable
information is secure
• Solution for Protection for GDPR Personal Data, Encryption of Personal Data and Assessment of Personal
Data processors and controllers
• Identify personally identifiable information across unstructured data sources utilizing StoredIQ
• Once files have been identified utilize Guardium to encrypt files for enhanced security
• Sensitive information is encrypted or access is limited to only those that
require it

Consent Management – Overview of IBM Research Consent Mgmt Capabilities
Purpose
Approach
Outcome
• Consent is an important factor in lawfulness of personal data processing under GDPR
• Current approaches may not provide linkage between consent, data usage policies & sensitive data
• IBM’s approach provides linkage between the user’s data and the related consent
• Management of consent templates and user consent contracts
• Infrastructure level enforcement
• Helps automate proof of compliance reporting
• Enterprise tools for modelling and managing data governance and privacy policies
• Purpose based data access
• Increased transparency and consumer control over what data is
collected and for what it is used

Right to Erasure – Overview of IBM Right To Erasure Capabilities
Purpose
Approach
Outcome
• EU Data Subjects are granted certain rights, including the right to data access, rectification and erasure
• Workflow Routing, Handling of Request incl. Review, Approval, Rejection
• 360 view of data
• What data is where
• What are the data retention rules & other legal/regulatory requirements
• Provide justification for disposal/retention & full auditing
• Handling of Client requests, process and fulfilment
• Client data erased or exceptions fully documented
• Privacy By Design

Data Pseudonymization – Overview of IBM Optim Solution
Purpose
Approach
Outcome
• De-identify confidential data on-demand throughout the enterprise to help protect customer information yet
retain ability to provide personal data analysis
• Mask confidential data dynamically in data environments and in the cloud.
• Apply a range of masking techniques to transform personally-identifying information and other confidential
corporate data.
• Apply predefined actionable data privacy classifications and rules which help speed the time to
implementation and provide a method to report on compliance.
• Take advantage of pre-packaged data masking routines to transform complex data elements, such as credit
card numbers, email addresses and national identifiers, while retaining their contextual meaning.
• Helps protect sensitive data from misuse and fraud
• Provides a technical measure to help reduce the
potential for personal data being breached
BankCard BankCard

Q&A
Please submit your questions now!
Stan Gibson
Moderator
Activate
Gregory Campbell
Governance, Regulatory and Legal Consultant
IBM Analytics
Richard Hogg
IBM Analytics

Poll Question 3
Your GDPR Next Steps are?
1. Decide on strategy & achieve board endorsement
2. Complete a risk readiness assessment
3. Complete a personal data discovery & inventory
4. Determine which of the on-ramps to prioritize
43

Q&A
For further information
www.ibm.com/gdpr

Are you Ready?

Thank You for Attending!
www.ibm.com/gdpr
www.activatems.com

20170323 are you ready the new gdpr is here

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 20170323 are you ready the new gdpr is here

Similar to 20170323 are you ready the new gdpr is here (20)

Recently uploaded

Recently uploaded (20)

20170323 are you ready the new gdpr is here