
The GDPR from the inside


What the GDPR regulations mean for data governance
in global organisations:
- What is GDPR?
- How GDPR impacts you
- GDPR Assessment Programme
- Guaranteeing a GDPR compliant data pipeline

Published in: Data & Analytics

  1. The GDPR from the inside: What the regulations mean for data governance in global organisations
     Gerry Rankin, Mega Associate Programme
  2. What GDPR is
     ● A regulation built to regulate the handling of EU citizens’ personal data.
     ● Designed to maximise the free movement of personal data
     ● Introduces consistency in personal data protection
     ● Expands the territorial reach of the regulation beyond the EU
  3. GDPR Awareness
     ● 1 in 3 companies feel prepared for GDPR
     ● 97% of companies have no concrete plans for GDPR post May 2018
     ● 70% of business and IT professionals do not know about their company’s GDPR strategy
     ● 75% of respondents outside the EU did not know about, or were not prepared for, GDPR
     Source: Dell GDPR Survey, Oct 2016
  4. A set of rights and obligations
     ● Obligation to obtain consent: signal agreement by “a statement or a clear affirmative action.”
     ● Right to access (the ability to view what data an organisation has collected from them)
     ● Right to amend (if a customer finds incorrect information)
     ● Right to be forgotten (asking a company to erase all of one’s data)
     ● Right to data portability (also called “package and deliver”)
  5. How GDPR impacts you
     ● Changes to data governance; Data Privacy Officers may be required
     ● Privacy by design: IT projects will have to integrate a Privacy Impact Assessment (PIA)
     ● Demonstrate and communicate compliance as well as actually achieving it
     ● Compliance monitoring needed to help communicate privacy/security breaches in less than 72 hours
     ● Fines up to 20M€ or 4% of revenue
     ● Enforcement date: May 25th, 2018
  6. GDPR Preparation
     ● How to maintain the fine balance of data privacy risk versus increasing demand to access the data?
     ● How to improve data accessibility but protect data from misuse?
     ● How to optimise data placement in order to benefit from virtualisation and Cloud services?
     ● How do we achieve all this and still comply with the obligations of the GDPR?
     ● Are you ready? How advanced is your GDPR Assessment Programme (GAP)?
  7. Mind the GAP (GDPR Assessment Programme)
     [Diagram: Foundation (Preparation, Discovery, Inventory) followed by Deployment (Assessment, Transformation, Sustainability)]
     ● Foundation
       o Preparation – Identify and confirm the scope and scale of the GAP (application vs process focus).
       o Discovery – What PII data, where and how do I process it today? What controls are in place today? What tooling will I need?
       o Inventory – Catalogue, classify and map the critical data elements within your data privacy framework. Capture jurisdictional requirements and restrictions for data use (Rules).
     ● Deployment
       o Assessment – Assess the data privacy risk, what improvements are needed, and define the required controls.
       o Transformation – Remediate existing controls and plug the GDPR compliance gaps, e.g. consent, cross-border transfer, transparency.
       o Sustainability – Embed the PIA into your change and portfolio management framework, maintain your inventory, update and remediate your rules for use.
     Source: IiM Ltd, Gerry Rankin
  8. Big challenge
     ● Are you ready for May 2018?
     ● What data is considered personal information (PII) or sensitive?
     ● Who is processing data, inside and outside the organisation, and for what purpose?
     ● Where (geographically) is the data being processed/serviced?
     ● How do I mobilise the GDPR Assessment Programme?
     ● What tools will I need to help articulate the scale of the challenge and manage the detail of the task ahead?
     ● Where is the data dictionary?
     ● What about cross-border data? Local laws cannot be overlooked
     ● How will the systems be architected to achieve compliance?
  9. Mapping the data journey for regulation
     ● Semantics – Understand the nature of the data being managed, from PII to material non-public information (sensitive data)
     ● Lineage – Know where data originated (EU?) and where it is now (countries, third parties, Cloud). Remember the right to be forgotten!
     ● Visualisation – How to make the metadata communicate the scope and scale of data privacy and protection risk compliance
     [Diagram: Semantic (Enterprise Maps), Lineage, Visualisation]
  10. GDPR compliance. The right tools for the job!
     ● GDPR is a risk management challenge.
     ● EUCs will not cut it this time! Remember full disclosure within 72 hrs; full auditability is key
     ● There are a number of ORM solutions in the marketplace (ref: Gartner ORM Magic Quadrant, Dec 2016)
     ● With 1 or 2 exceptions, they fundamentally lack the capability to manage metadata as a cornerstone of their ORM offering
     ● The trick is to couple the ORM tool with the right Enterprise Architecture tool, or a tool that has the best of both
     ● Leverage the Business and Information Architecture artefacts in conjunction with data governance policies, data use and associated risks and controls
     ● Define which people and roles can handle what data
     ● EA tools can help to “Visualise to Clarify” the definition and impact of a data breach
     [Chart: GDPR Assessment Programme, As-Is Assessment vs Target Maturity (scale 0–35) across Fair Processing & Transparency, Limited Usage, Privacy by Design, Data Quality & Accuracy, Access & Records Management, Data Transfer, Data Inventory, Compliance Training & Awareness]
  11. GDPR Cloudbusters
     ● Data residency issues – country to cloud requires local privacy and data protection laws to be observed
     ● Sovereignty of the data must be maintained
     ● Where data resides, and who can access it for what purpose, needs to be known and agreed up-front
     ● Can’t just spin up a virtual environment in any geographical location, or access it from anywhere either
     ● Data owner controls data access and use, unless they relinquish their controller rights
  12. Big Data – Single point of GDPR vulnerability
     ● Business imperatives are driving greater use of Big Data solutions
     ● Access to Big Data services is driving a self-service culture, allowing users to provision both platforms and data in the cloud
     ● Big Data implementations rely on the accumulation of masses of personal and sensitive data that is caught by GDPR
     ● Most likely to be the source of a data breach without the right Big Data security and governance procedures in place
     Source: IiM Ltd, Gerry Rankin
  13. Guaranteeing a GDPR compliant data pipeline
     ● Data about data (metadata) is an essential part of sustainable data privacy risk mitigation and the freedom of access (and movement) of data
     ● Processes (use), data and risk/control frameworks need to be clearly defined, mapped and visualised to understand and monitor the complexities of GDPR compliance
     ● Enterprise Architects have the techniques required to extend your EA framework to integrate data privacy management, Privacy Impact Assessment and collaboration with Legal, Regulatory Compliance, Information Security and IT
     Demand for data will continue to outpace IT’s ability to supply it to the business with the required access controls and entitlements, unless CDOs use the opportunity cost of GDPR compliance to establish optimised data provisioning capabilities.
  14. An industrial-strength metadata repository like MEGA HOPEX is the foundation of a GDPR data risk and compliance management solution
     Visit Booth #PL1, MEGA International
  15. @mega_int
     Gerry Rankin, IiM Ltd
     Email:
     Mobile: +44 (0) 7902408045