Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Enterprise Data World 2018


Published on

Data Privacy; GDPR and the Role of Governance

Published in: Business
  • Be the first to comment

  • Be the first to like this

Enterprise Data World 2018

  1. 1. 7 Key GDPR Requirements & the Role of Data Governance Jonathan Adams, DATUM
  2. 2. Jonathan Adams • Director of Research that supports customers in building governance discipline around analytics and regulatory compliance • Certified CMMI Enterprise Data Management Expert (EDME) • 20+ years of experience in leading requirements, design and implantation efforts for retailers, financial organizations and federal agencies
  3. 3. Data is Everything – Personal Data is Everywhere
  4. 4. GDPR is … Right around the corner
  5. 5. If you are just starting… How do I start ? • What is my risk exposure? • What do I need to do NOW?!
  6. 6. If you are well on your way … How do you avoid the MV Paradox? You do just enough to be compliant and then stop; compliance hell! Doing the right thing; but doing it WRONG! Focus on building capabilities that scale, are robust are transparent and defensible Doing the right thing; AND doing it Right!
  7. 7. Agenda: • Quick Overview of GDPR • Critical first steps – what you need to do NOW • Ensuring long term stress free compliance (Audit Resilience)
  8. 8. Defining GDPR GDPR is a comprehensive set of privacy regulations designed to protect data for individuals within the European Union. Objective: • Give individuals control of their personal data • Regulatory consistency across the EU Impact: • Covers personal data collected in EU regardless of where the data collector is located • All US based multi nationals doing business with people in Europe will be impacted • Fines are significant up to 4% of Global revenue
  9. 9. GDPR’s Impact on Companies Any business (foreign or domestic) engaged with individuals within the EU The notion of Personal Information (PI) is broadly defined: data that has the potential to identify a person living in Europe falls under the GDPR GDPR applies “horizontally” across the organization’s business components, and “vertically” at all decision making levels. GDPR applies across the complete value chain. Organizations are obligated to verify the compliance of parties with which they do business.
  10. 10. GDPR requirements can be simplified by organizing around four core capability areas • People • Partners • Regulators • Organization Organization People Partners Regulators • Communication • Remediation • Certification • Risk Management • Consulting & Reporting • Organizational Alignment • Privacy by Design • Risk Management Privacy Culture
  11. 11. People: The “owners” of Personal Information Forget Quarantine PackageFix Consent Notification Access • Need for greater detail and clarity when collecting data • Consent must be explicit as to use of data, how it will be processed, and by whom • Notification of breach is required Obligations Under GDPR Individuals have the following rights: • To be Informed • To Access • To Rectify • To Erasure • To Restrict Processing • To Data Portability • To Object • Related to automated Decision Making and Profiling Rights People
  12. 12. Organization: “Data Protection by Design” Data Management International Best Practices Risk Management Accountability Obligations • Accountability – vertically, horizontally and externally • Data Protection Officer required for most large companies • Best practice “Codes of Conduct” mitigate against enforcement action • Assessment of risk will drive multiple decisions – it needs to be transparent and defensible • Cross border data exchanges do not obviate requirements Organization
  13. 13. Partners: A New Risk Dimension Certification Risk Management Processor Compliance Obligations • Transfers of Personal Information between your company and business partners does not transfer the responsibility to ensure it is safeguarded – it is still yours to look after • Establish a way to ensure your partners are providing GDPR level security • Best practices certifications that support third party audits will streamline assessment process and mitigate risk • Due diligence and transparency is key to demonstrating diligence Partners
  14. 14. Regulators: Communication is key Consultation Best Practices Obligations • Notification is required in the event of a breach • “Breach” is broadly defined: destruction, loss, alteration, unauthorized disclosure of, or access to, personal data • Reporting to regulators within 72 hours when breach is likely to result in a risk to the rights and freedoms of individuals • “Prior Consultation” is an expectation • Privacy Impact Assessment anchors the regulator and risk discussions • Best Practices will streamline these discussions Regulators
  15. 15. What do you need to do NOW?
  16. 16. Get a grip!
  17. 17. Catalog your Personal Information “The first thing you have to know is yourself...” – Adam Smith Identify Data: PI: Collected, Observed, Derived1 2 Catalog Data: Foundational to Managing Data 3 Describe Data: Tag to Answer Compliance Requirements
  18. 18. Understand Risk Is your Business Model “risky”? What is your risk tolerance? What does your lawyer say? Remember – your lawyer interprets the regulation Your governance team builds auditable controls consistent with policy shaped by interpretation Your executive leadership defines policy
  19. 19. 19 Build a Risk Model for transparency & defensibility Confidential and Proprietary. Copyright© 2017. DATUM LLC Vulnerabilities 17-2 32-1 32-2 33-1 33-3 34-1 GDPR Risk Areas 34-3 35-1 35-7- c,d 35-11 49-1-a Practices Mitigation Risk Governance Risk Analysis & Metrics “To [the] rights and freedoms of natural persons” Best Practices COBit; CMMI DMM; ISO 27001 NIST 800-61 …
  20. 20. Avoiding the Minimum Viable Paradox
  21. 21. Audit Resilient?
  22. 22. Focus on Capabilities Compliance Capability Readiness=+ Do the Right Thing – Do it Right!
  23. 23. Best Practices Mitigate Risk Aligning to Recognized Best Practice Frameworks Mitigates Risk Pick a Framework That Works for You1 2 Talk the Talk – Walk the Walk 3 Promote within Industry Associations
  24. 24. Operating Model Builds Accountability Actors & Roles Organizational Design Methods • Who needs to be engaged in the Data Governance program? • What are their roles? • The ideal design for ‘data’ given organizational competencies • What makes sense for the organization today? • What is the vision given business goals? • The governance functions and Teams • What skills sets are required? • What functions are performed? • Where do we get those resources? • What level of automation should exist to support Actors, Roles and the functions they perform? Functions
  25. 25. Change management is the challenge Operating Model Organizational Alignment Mobilizing Cross-Functional Teams Empowerment (with Rules and Tools) Outcome focused Metrics Accountability Step-Change Change Management
  26. 26. In the immortal words of Bill & Ted
  27. 27. Be Agile – it’s a journey! Steps can be iterative • All data does not have to be cataloged day one • All processes do not have to be known • Have a Plan • Focus on Demonstrable Due Diligence • The solution ecosystem & governance framework that:  Supports agile iterative evolution of capabilities  Shows early successes Success
  28. 28. 28 Thank You for Your Time! • Any questions? • Visit us at for more information • For the latest news follow us on Twitter at @datumstrategy Confidential and Proprietary. Copyright© 2018. DATUM LLC