Secure Your Enterprise Data Now and Be Ready for CCPA in 2020

© 2019 Delphix. All Rights Reserved. Private and Confidential.© 2019 Delphix. All Rights Reserved. Private and Confidential.
Karun Bakshi | Delphix
Alex Redlich | Capgemini
Secure Your
Enterprise Data Now
and be Ready for CCPA in 2020

© 2019 Delphix. All Rights Reserved. Private and Confidential.
Introductions
Alex Redlich, Capgemini
Senior Director | Insights & Data
Karun Bakshi, Delphix
VP, Product Marketing

3© Capgemini 2019. All rights reserved |
California Consumer Privacy Act
California residents
Jan 1, 2020; 12 month lookback of certain rights
Annual gross revenues > $25m; Personal information of > 50,000
consumers, households, or devices; Sale of Personal information
accounts for > 50% of annual revenue
Rights: Information, Disclosure, Deletion, Opt-out / Opt-in, Equal
Service, Data portability
Up to $2,500 for each violation or up to $7,500 per each
intentional violation; Private Right of action and Class Action
General Data Protection Regulation
EU Residents
Adopted in April 2016, Effective May 25th, 2018
All EU and foreign companies processing data of EU citizens
Rights: Informed & Access, Rectification, Erasure (right to be
forgotten), Restrict processing, Data portability, Object
Fines of up to 20 million euros or 4% of world wide annual
turnover
Payment Cardholder Industry Data
Security Standards
Global Cardholders
PCI DSS 3.2.1 effective May 2018
All entities that store, process or transmit cardholder data
(Issuers, Acquirers, Merchants etc.)
Ranging from $5,000 to $100,000 per month world wide annual
turnover
Health Insurance Portability and
Accountability Act
All entities under US Health Care Industry
HIPAA law signed on Aug 21st, 1996; HIPAA Privacy Rule effective -
Apr 14th, 2003; HIPAA Security Rule effective - Apr 21st, 2005
Use and disclosure of PHI; Security safeguards (administrative, physical
& technical)
Covered Entities (Health Plans, Health Care Providers, Health Care
Clearinghouses), Business associates contracted by CE
Common themes across regulations and standards
Data
Protection
& Privacy
Data Subject Rights Data Protection Data Access Data Processor AccountabilityConsent Management Privacy NoticesData Minimization Legal Basis
Major regulations and standards that
impact your business…

It’s all about
individuals’
rights and their
data
Privacy for the individual,
accountability for enterprises,
power for regulators
Adopted in
Jun 2018
Comes into effect
1 Jan 2020
Who
Any organization with:
- Annual gross revenues >
$25m;
- Personal information of >
50,000 consumers,
households, or devices;
- Sale of Personal information
accounts for > 50% of annual
revenue
Why
Individuals regain
control over their
personal data
The CCPA

To get insight into what data
organizations hold of them
To limit how their data is used
To give and withdraw consent
To have their data deleted
To control how they are profiled
To opt-out of selling personal
information
Processing Record
Controlling and monitoring
Responding to Requests
Opt-out / Opt-in
Data Retention
Technical & organizational
measures
Privacy by design
Privacy Impact Assessment
Data breach notification
Extraterritoriality
On one side data
subjects have been
given Rights… and on the other, there are
business implications

What’s in the minds of
best CIOs / CDOs?
RISK,
BREACH,
FINES
Non-compliance may harm our reputation. The fines are huge.
3 Will our framework allow us to respond to data subject requests
5 Enable minimum viability before the regulation is effective
2
Our application and data landscape need a lot of work in order to get
compliant
6
Enable remediation and achieve overall data and application
compliance
7
Build a roadmap for a comprehensive global data privacy and risk
management framework
Are we able to handle data breaches in line with the Regulation4
1
Security
privacy
Chief
Data
Officers
Business
line
Leaders
Data Security Remediation

Delivers holistic compliance..
Enhance
Privacy
notices and
Incident
response
Remediate
apps &
data
Review your
Data
Processor
Accountabi
lity
Optimize
your
operations
Opt-out / Opt-in
Applications & Data
Privacy by Design
Request for Access,
Deletion, Portability
Enhance
Data
Security &
Life Cycle
Management
Data
Privacy &
Compliance
Manage
Data
Subject
Rights
Breach Notification
Awareness & Training
Consent Management
Privacy Notice
Third Party Contracts
Risk Management
Policies & Processes
Encryption /
Pseudonymization
Data Retention
7
© Capgemini 2018. All
How?
Record of Processing

..through an integrated privacy framework foundation
 Develop, validate and execute the plan of mobilization
and communication to create awareness amongst all
employees
 Create training material , plan and track the progress and
embed the training in the procedure for new employees
Awareness
& Training
Governance
& Data
Classification
Policies
Processes
 BCR and privacy policies will be translated into IT requirements
and processes
 Overview of systems where personal data is stored
 Take measures to ensure compliance and integrate privacy in the
information life cycle (PIA’s)
 Implement Privacy by design
 Plan, validate and implement privacy governance, risk
controls and reports
 Plan, conduct and manage data privacy assessments
and embed them in the organization
 Identification of « Crown Jewels »
 Create and validate clear privacy requirements for e.g.
processes, governance planning, IT and data security
 Align the current privacy policies with the privacy
mission and vision of the organization
 Conduct a privacy impact assessment on relevant
processes
 Create and adapt processes, develop and validate
improvements and take measures
 Create procedure for easy adaption of future
amendments in privacy regulations and policies
 Implement Privacy by design
IT security & Technology
Data Classification

We help you answer the key Privacy questions
What should my Privacy roadmap cover, and what should I prioritize?
What’s your strategy to manage process and cultural change?
Where is all your employee and consumer
/ citizen data held?
How do consumers give you consent to
use their data?
How will you pseudonymize consumer
data so it’s still usable?
How do you deal with the data lifecycle
from retention to final disposal?
Can you ensure only the right people
have access to the right data?
How exactly will you report a data breach?
What is your on-going compliance monitoring strategy?
1
2
3
4
5 6
7
8
9

With a menu of comprehensive services…
Assessment services
Delivers a view on your processing compliance, strategic vision, Privacy awareness, and integrates all internal and external teams.
Program services
Designs the program to get you moving towards Privacy compliance and allows you to adapt and customize Privacy principles
to your specific challenges, context, processes, and culture.
Data Discovery services
Allows you to understand and document where personal data exists
throughout your organization and is the starting point for many
aspects of the Privacy program, such as responding to access
requests.
Consent and Consumers' rights management
services
Analysis where consent is needed and how it
can be (re)obtained.
Implements processes and systems, which allow consumers to
invoke their rights, such as the right to access their data, right to
erasure, right to Opt-out of sharing to third parties.
Pseudonymizing services
Provides role-based access, anonymized data for marketing and
analytics, and allows you to share with external and internal
audiences.
Data lifecycle services
Privacy regulations requires organizations to only use as much data
as is required to successfully complete a given task. It cannot be
reused for another task without further consent. Consumers’ have the
right to request that their data erased after a specific task, and our
lifecycle services ensure that care is taken during the creation,
processing and disposal of data.
Data protection services
Defines and implements controls and solutions to ensure the proper
protection of structured and unstructured data, and so reduce risk.
Controls include access, encryption, key management and database
access monitoring.
Breach management and reporting services
Security-operations-center-as-a-Service for monitoring external threats and vulnerabilities, plus Data-leak-prevention-as-a-Service for monitoring
personal data repositories and flows.
Assurance services
Once you are compliant, our Assurance Services ensure you remain so by monitoring, maintaining, and updating your systems, processes, and policies.
Pick and
choose… we
customize for
your security
needs
1
2
3
4
5 6
7
8
9

Strategy & Governance
Develop strategy and establish governance
for coordination and execution of
assessment and implementation of CCPA
Privacy Compliance
Control Gaps Remediation
Define enterprise controls for Privacy
compliance and conduct Control Gap
Assessments. Plan and remediate gaps
(Applications, Processes & Procedures) to
be compliant with all Privacy regulations
Lawfulness of Processing
Design and develop a centralized,
enterprise repository / inventory for
mapping of privacy data. Capture data
flows, reasons for data collection, how data
is processed
Data Subject Rights
Develop capabilities to intake (portal, mail,
phone), manage (tools & services, workflow
process) and respond (pdf, zip file, print) to
Data Subject Rights Requests including
right to access data, right to deletion, right
to opt-out
Data Life Cycle Management
Review and enhance existing policies and
processes for Data Retention, Data
Encryption, Data Pseudonymization to
incorporate CCPA requirements
Consent Management & Privacy Notice
Enhance consent management process for
capturing, storing and propagating consent
choices to various business processes and
applications. Update Privacy notices as required
by the law
Breach Management & Incident Response
Develop / enhance Breach Management and
Reporting policies / processes to adhere to
CCPA requirements
Policy and Process Updates
Embed Privacy requirements into Information
Security and IT Policies & Processes (SDLC,
ALM)
Training and Awareness
Communicate and train employees on the
policy and process changes due CCPA and
other Privacy regulations
Data Processor Accountability
Amend vendor contracts to comply with Third
Party (internal & external) requirements
A 360°
end-to-end compliance
through a core set of
privacy components
1
2
3
4
5
6
7
8
9
10
We partner with you to implement

Privacy Impact Assessment
Initiation Analysis
Expert
Guidance
Understand current state
Minimum Viable Product
Core Team
Setup
Identify
Workable
Solutions
Execute
Projects
Enterprise Privacy Compliance
Steady State
Privacy Compliance Maturity Assessment using Capgemini’s Privacy
Impact Assessment Tool
Complexity and Compliance needs
Organization needs
 Complete Remediation of all applications and data
 Review ongoing Initiatives and incorporate remediations within these
initiatives
 Evaluate and enhance MVP - Individual Rights Processing, Consent
Management and Privacy Notice
 Enhance policies and processes to incorporate Privacy requirements
 Develop risk dashboards and metrics for measuring privacy and risk
framework
 Complete needed changes to all 3rd party contracts and agreements
 Create a centralized registry to measure the impact and plan for new Data
Privacy Regulations
 Constant monitoring and enhancement of Privacy and Risk processes
 Periodical training and awareness among employees on the new laws and
regulations
 Conduct periodic assessments and audits to policies, processes and assets
 Define and monitor enterprise metrics and take corrective actions
Baseline Compliance Document Compliance Maturity
Strategic Roadmap
Executive
Reporting
 Conduct stakeholder analysis
 Conduct Enterprise policies and processes gap-analysis
 Evaluate Privacy tools and solutions (Data protection, discovery,
lineage)
 Personal and Sensitive data discovery. Identify, Scope & Prioritize the
applications/systems that hold PII
 Build PII lineage to depict PII information flow
 Define operating model, program structure and planning for next
phases. Finalize RACI
 Define Requirements for managing and responding to Individual
Rights requests
 Define Minimum Viable Product for meeting the January 1, 2020
target date - Identify work streams and define milestones
 Create Roadmap, enterprise privacy framework target picture
 Socialize and get approval / agreement from key stakeholders
 Establish the Governance structure for Privacy framework
 Onboard key teams and resources – Data Management, Digital
Channels, Technology, Legal, Audit
 Implement Individual Rights Management tools, processes &
operations
 Develop Privacy Portal,
 Implement Work flow Management / Tool
 Setup Operations team, Call center
 Define risk rating criteria. Conduct application control gap analysis &
define corrective action plans.
 PII gap assessment and remediation including data
pseudonymization / masking, data protection
 Complete training and awareness – front line teams, call centers,
technology, data management etc.
 Evaluate 3rd party impact /updates to contracts/agreements
Program Governance
Launch
MVP
Discover PII Data and Lineage
Application Assessment & Gap
analysis
Individual Rights Management
Third Party Contracts
Remediation
Privacy Processes & Operations
Risk
Complete
Remediation
Global rollout
Execute
Projects
Execute
Projects
Phase IIIPhase IIPhase I
Operational
Execution
Track SLA/
Metrics
Monitor Risk
Continuous
Improvement
1 2 3
4
An end to end approach to achieve CCPA compliance
January 1, 2020

Delphix for CCPA

Key CCPA Challenges
Sensitive Data
Protection
Management of
Data Copies
Compliance
Auditing
“How do you deal with the data lifecycle
from retention to disposal?”
“Can you ensure only the
right people have access
to the right data?”
“How will you pseudonymize consumer
data so it’s still usable?”
“What is your ongoing compliance
monitoring strategy”
“Where is all your personal data
held?”
Identification
and
Assessment
“What environments do
you prioritize?”

Key CCPA Challenges
Sensitive Data
Protection
Identification
and
Assessment
Management of
Data Copies
Data Virtualization Profiling
Compliance
Auditing
Scalable Flexible Deployment Configurations Any Data Source
Masking Auditing
• Sensitive data identification
• Pre-built templates for
industries, apps, regulations
• Provision / de-provision
environments
• Centralized management
• Preconfigured or customized
algorithms
• Referential integrity
• Comprehensive logging
• Report generation

Key CCPA Challenges
Identification and
Assessment
Management of
Data Copies
Sensitive Data
Protection
Compliance
Auditing

Non-Production Data Represents a Major Hidden CCPA Risk
NON-PRODUCTION (80%)
PRODUCTION DATA (20%)
» Names, Email, Phone Numbers, Property Records
» Products purchased, biometrics, internet activity,
geolocated data
» Employment info, educational background, consumer
preferences
Non-prod environments contains most
sensitive data subject to CCPA:
82% of enterprises maintain at
least 10 copies for every
production DB

Delphix Dynamic Data Platform
Control Who Has Access to What Data, When, and Where
Applications
Files
Databases
Secure,
Personal Data
Environments
On-
Prem
Any
Server
Private
Cloud
Public
Cloud
Sync
Compress
Provision
Compliance
Policy
Masking
Distribute
Audit &
Report
Manage
VIRTUALIZE SECURE MANAGE
DBA
18

Continuously Identify Risk
20
Pinpoint sensitive data
• Scan metadata and values to identify
sensitive data subject to the CCPA
• Determine where and how much risk exists
• Profile data on an ongoing basis, by policy
Positions businesses
to continuously detect, triage, and
respond to sensitive data risk

Delphix Masking Protects Sensitive Data
“DATA AT
RISK” IS IN
DATABASES
Claimant Table
ID First_Name
1 George
2 Mary
3 John
Employee Table
ID First_Name
5 John
6 George
7 Mary
Claimant Table
ID First_Name
1 Romanth
2 Clara
3 Damien
Employee Table
ID First_Name
5 Damien
6 Romanth
7 Clara
UNMASKED DATA MASKED DATA
✓ REALISTIC ✓ IRREVERSIBLE ✓ REFERENTIAL
INTEGRITY
SENSITIVE DATA IN PRODUCTION
Social Security Numbers, Credit Card Information, Patient
Information, Email Addresses

Ensure Continuous Compliance
24
Comprehensive Auditing and
Reporting Capabilities
• Maintain inventory of masking policies
• Log and report against policy enforcement
• Automatic report generation
• Integration with 3rd-party monitoring tools,
e.g. Splunk
Positions businesses
to prove that effective CCPA controls
have been implemented

Key CCPA Challenges
Enterprise Complexity
Identification and
Assessment
Management of
Data Copies
Sensitive Data
Protection
Compliance
Auditing

BECU (Boeing Employee Credit Union) Reduces Data Risk with Delphix
Fourth largest credit union in the United States, with over $17 billion in assets and over 1 million members
26
“Not only does Delphix allow us to reduce our risk footprint by masking sensitive data, but we can also give developers realistic,
production-like environments, which ensures we’re not introducing defects because of bad data.” KYLE WELSH | Chief Information
Security Officer
THE CHALLENGE THE SOLUTION THE RESULT
Build an agile testing
infrastructure while upholding
the highest data privacy and
security standards
Identify sensitive data values
across all environments
including flat files and automate
masking those values
Delphix automated data
masking and maintains the
referential integrity of masked
data both within and across all
databases and flat files
37% less
time to mask data than initial
requirement
2x faster
product deployment
ROI in less than 6 weeks

Dentegra Protects Sensitive Data in the Cloud with Delphix
The largest dental benefits system in the United States
27
“Delphix transforms how we use AWS and increases our development velocity. We immediately increased our ability to scale to meet new
business requirements.” SAI ADIVI | Director of Application Development, Dentegra
THE CHALLENGE THE SOLUTION THE RESULT
Provision secure data
environments in AWS to
support over 200
developers
Needed to protect PII
(personally identifiable
information) and PHI (protected
health information) before
moving data to AWS
Hybrid cloud architecture with
Delphix automatically masking
and delivering data from on-
prem to cloud environments
Hours instead of 8 weeks
to migrate data to AWS
HIPAA compliance
with masked non-prod data
On-demand data for dev/test
environments drives
Faster time to market

Q&A

Thank You
karun.bakshi@delphix.com
alex.redlich@capgemini.com

Secure Your Enterprise Data Now and Be Ready for CCPA in 2020

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Secure Your Enterprise Data Now and Be Ready for CCPA in 2020

Similar to Secure Your Enterprise Data Now and Be Ready for CCPA in 2020 (20)

More from Delphix

More from Delphix (20)

Recently uploaded

Recently uploaded (20)

Secure Your Enterprise Data Now and Be Ready for CCPA in 2020

Editor's Notes