The document outlines the General Data Protection Regulation (GDPR), which is set to apply to organizations processing personal data of EU citizens from May 25, 2018, with significant penalties for non-compliance. It discusses key requirements such as the rights of data subjects, data security measures, and the need for organizations to demonstrate compliance. The document emphasizes taking immediate action to assess data governance strategies and prepare for GDPR implementation to avoid potential fines.

1. With Richard Hogg/IBM
November 17 2016
GDPR – Are You Ready?

2. © 2016 IBM Corporation
GDPR – Are You Ready?
The new General Data Protection Regulation (GDPR) has finally been published and
businesses are now planning to ensure they can demonstrate the steps they have taken
towards compliance, by its application date on May 25, 2018.
The GDPR will become immediately applicable to any organization that operates in the EU
market and processes the personal data of EU subjects. Do you host or process any EU
citizen data anywhere?
Integro and IBM are working with organizations across industries to determine how this new
regulation will change how they manage their structured and unstructured data. Failure to
comply could lead to huge fines of up to €20m or 4% of annual worldwide turnover, whichever
is higher.
In this webinar, GDPR expert, Richard Hogg, will answer the following questions:
§ What will the GDPR mean for my organization?
§ Where do I start on the journey to compliance?
§ What tools and technology are available to help?
2
Today’s 30 minute Webinar

3. © 2016 IBM Corporation
§ IBM’s statements regarding its plans, directions, and intent are subject to change
or withdrawal without notice and at IBM’s sole discretion.
§ Information regarding potential future products is intended to outline our general
product direction and it should not be relied on in making a purchasing decision.
§ The information mentioned regarding potential future products is not a commitment,
promise, or legal obligation to deliver any material, code or functionality. Information about
potential future products may not be incorporated into any contract.
§ The development, release, and timing of any future features or functionality described for
our products remains at our sole discretion.
§ Performance is based on measurements and projections using standard IBM benchmarks in
a controlled environment. The actual throughput or performance that any user will
experience will vary depending upon many factors, including considerations such as the
amount of multiprogramming in the user’s job stream, the I/O configuration, the storage
configuration, and the workload processed. Therefore, no assurance can be given that an
individual user will achieve results similar to those stated here.
Please note
3
This is intended to provide friendly and helpful
advice only, not a definitive statement of law.

4. © 2016 IBM Corporation
§ Richard Hogg CITP ERMp
§ Global InfoGov Solutions Leader at IBM.
§ With 15+ years experience across RM & ECM, In
the last 6 years he's consulted with Fortune 10
global Financial Services, Insurance, Pharma
and Telco organizations to assess information
governance initiatives and their cost and risk,
developing a business case with focused
recommendations on quick wins to further the
clients objectives, engaging with them on
executing an IG Program delivering benefits of
reduced costs & risks. Client benefits have
covered defensible disposal, ediscovery, records
and retention management, privacy, legacy data
cleanup and archiving.
§ Frequent Speaker annually across AIIM, ARMA,
MER, LegalTech, InfoGovCon, Insight, World of
Watson & IPBA.
§ Finalist Winner 2016 InfoGovCon IG Expert of
the Year.
+1-703-963-2900
rghogg@us.ibm.com
@banjaxx
4

5. © 2016 IBM Corporation
Does GDPR Apply to you?
– Yes
– No
– I don’t know what GDPR is/I’m not sure it applies to
me
5
Poll Question 1

6. © 2016 IBM Corporation
§The “EU’s Right to be
Forgotten Legislation”
§Also known as GDPR
§General Data Protection
Regulation
GDPR?
6

7. © 2016 IBM Corporation
• Published on 4 May 2016, and will
be immediately applicable after a
2 year transition period on 25 May
2018 to any organisation which
operates in the EU market
• Introduces cross-industry 72H
breach reporting to regulators
and without undue delay to
individuals with associated risk of
severe reputational harm
• Plus Right-To duties & obligations
What is GDPR?
7

8. © 2016 IBM Corporation
Non-Compliance Fines
§Non-compliance has
the potential to lead to
huge fines of up to
€20m or 4% of total
annual worldwide
turnover
§Now is the time to build
on the foundations you
already have, to ensure
you Protect, Govern
and Know Your Data
€20m
Or
4%
8
• Additional powers also / alternatively available to regulators,
including gaining access to data and premises, and to auditing

9. © 2016 IBM Corporation
Key Duties, Obligations & Sanctions

10. © 2016 IBM Corporation
What is the Right?
§ The Right to Enquire - “Show me my data" - Do you know what and where it is on
your systems?
– Article 15 - Right of Access for Data subject have the right to know “whether or
not data relating to the data subject is being processed”
§ The Right to Erasure - "Right to be forgotten" - Can you, as a business, prove it?
– Article 17 - Right to Erasure (“to be forgotten”)
– Data controller must erase the data if the individual objects to their data collection
for a specific reason e.g. no consent for marketing usage and/or if the data is not
being processed in accordance with the Regulation, it must be forgotten
§ "Privacy by design"- How are you planning this long-term?
– Article 23 - Data Protection by Design and by Default
– Requirement to implement technical and organizational measures to meet
Regulation and ensure data protection rights of subject are met
Rights of EU
Data Subjects
10
Rights of EU Data Subjects
• Enhanced rights for data subjects in the EU
including erasure, access and portability
ü Maintain data quality, amending, manipulating,
erasing and exporting it into usable formats in
both structured and unstructured environments

11. © 2016 IBM Corporation
What is the Right?
How to Prepare
ü Be able to maintain data quality, amending, manipulating, erasing,
importing and exporting it into usable formats as appropriate in both
structured and unstructured environments
üTrack proof of consent, and act promptly and appropriately on
withdrawal of this
üDefensibly dispose of ROT* data to reduce risks associated with
unnecessary retention of personal data
üFind and protect the organisation’s crown jewels and individuals’
personal data
11
Rights of EU Data Subjects
• Enhanced rights for data subjects in the EU including erasure, access and portability
ü Maintain data quality, amending, manipulating, erasing and exporting it into usable formats in both structured and
unstructured environments

12. © 2016 IBM Corporation
Security of
Personal Data
Security of Personal Data
Records &
Retention
Security of
Personal Data
Security of Personal Data
§ Need to ensure a level of security appropriate to the risk, including 72H high risk breach reporting
ü Implement pervasive and intelligent internal and external network defences and restrictions to reduce data risks,
including data minimisation, pseudonymisation and encryption techniques
How to Prepare
ü Implement pervasive and intelligent
internal and external network defences
and restrictions, including the effective use
of data minimisation, pseudonymisation
and encryption techniques
ü Take steps to reduce risk both in respect of
data in motion and data at rest to ensure a
level of security appropriate to that risk
ü Facilitate fast reactions to incidents and
identification of data accessed to reduce
the risk and/or occurrence of reputational
harm, to include pre-incident preventative
measures such as defensible disposal
12

13. © 2016 IBM Corporation
Lawfulness and Consent
ArchivingLawfulness
and Consent
Lawfulness and Consent
• Processing is only lawful if there is one of consent, necessity, legal obligation, protection, public interest, official
authority or legitimate interest
ü Keep data subjects informed and manage requests in a transparent, efficient and effective manner, and consider
appointing a DPO
How to Prepare
ü Review how the tracking of giving/ withdrawal of consent is handled,
implementing a single source of truth for personal data and linkage to
operational systems
ü Coordinate and manage data subject requests, the tracking of cross-border
transfers of personal data and other GDPR-centric processes, including
those requiring human oversight, to ensure regulatory policy compliance
ü Keep data subjects informed in a transparent, efficient and effective manner,
and consider appointing a DPO
13

14. © 2016 IBM Corporation
Accountability of Compliance
Curation
Accountability
of Compliance
Accountability of Compliance
• Need to demonstrate compliance with the principles relating to personal data processing pervades throughout the
GDPR
ü Consider how compliance can be proven, including data protection impact assessments, codes of conduct and
proactive certification
How to Prepare
ü Ensure full auditing and other record keeping
and reporting capabilities, including audit by
regulators or external advisers, without
disruption to the business and with protection of
organisation know-how
ü Consider how to prove compliance, including
carrying out data protection impact
assessments, adhering to codes of conduct and
proactively seeking certification via approved
mechanisms
ü Adopt internal policies and implement measures
which meet in particular the principles of Data
Protection By Design and By Default
14

15. © 2016 IBM Corporation
Data Protection By Design and By Default
Design
and Default
By Design and By Default
• Data controllers must implement technical and organisational measures which demonstrate compliance with GDPR core
principles
ü Plan for this in the long term e.g. instrument and manage data syndication and data lineage
How to Prepare
ü Plan in the long term to adopt policies and implement appropriate measures to
ensure and be able to demonstrate compliance with GDPR principles, including
using technical measures effectively and obtaining data protection certification
ü Syndicate, instrument and enforce policies in respect of the mapping, management
and security of personal data, both improving information economics and reducing
risk
ü Implement policy and metadata management, together with exploring and
managing data lineage, to create trusted information that supports GDPR principles
15

16. © 2016 IBM Corporation
Does it affect US Companies?
Yes!
16

17. © 2016 IBM Corporation
Nearly 100 countries around the world have adopted
data protection and privacy laws
17
Comprehensive data protection law enacted
Pending effort or obligation to enact law
No comprehensive law

18. © 2016 IBM Corporation
Compliance with Local Laws & Regulations is Challenging
– a Growing Risk & Cost
Operating in many countries- Managing information at the local level reduces storage overall vs.
applying worse case retention rules across all countries.
U.S. 29 CFR 516, 825.500(b), & 1627
Employee payroll and other employee information
Retain for 3 years
HIPAA HITECH Act – Privacy and PHI access
Patriot Act – Retain for 5 years
U.K. Principles 5 & 8 Data Protection Act, 1998
Personal data processed for any purpose should not be kept
for longer than is necessary for that purpose
Generally interpreted as 2 years MAX
Switzerland Code of Obligations, Article 957 & 962
Employee Training Records, including attendance records
Retain 10 years
Singapore IRAS regulations
Income tax act and GST act, 5 years for records
up to 1/2007, 7 years for records after 1/2007
PDPA Data Privacy – from July 2014
Australia Retention & Privacy regulations
There are around 80 Acts at both the State and
Federal level which regulate document and record
retention and destruction.
Privacy Act changes March 2014 (APP)
EU GDPR
Now live and extra-territorial..
Obligation for Compliance, Right to Erasure,
Data Breach Notification
Data Protection & Privacy – from 2018
Hong Kong
PDPO Privacy Act
1996
SEPA & ISO 20022
information around mandated XML
transaction archiving for banks
18

19. © 2016 IBM Corporation
What must be forgotten?
If the business
relationship with the
customer has ended….
And there’s no other
requirements to keep
the information...
Then All the customer’s
information.
19

20. © 2016 IBM Corporation
Do you have an active Information Governance
Program under way, which addresses GDPR or data
privacy?
20
Poll Question 2

21. © 2016 IBM Corporation
Do you have a silo’d data privacy initiative?
21
Poll Question 3

22. © 2016 IBM Corporation
Have you done an Enterprise Privacy Impact
Assessment?
22
Poll Question 4

23. © 2016 IBM Corporation
How will it affect my organization?
§Know Your Data
–Need to know What you have
–& Where
§Need to ensure policies are
enforced
§Key Duties, Obligations and
Sanctions
–Assess & Action Your Data
Protection Readiness
23

24. © 2016 IBM Corporation
Holsticviewacrossfive
domains
GDPR Governance
Data Privacy Strategy, Policies,
and Standards
Third party GDPR Alignment
Monitor and implement GDPR
regulations, guidelines and best
practices
People and
Communications
Allocate GDPR roles and
responsibilities; assure training
Notice Management
Processes Compliance for operational
processes and services
Data
Identify and manage all
structured and unstructured
personal data
Manage EU citizens’ rights
across all channels
Security
Secure legitimate access to
digital and physical data
Manage and report data privacy
breaches within set timeframe
IBM has clustered GDPR activities
across five domains, thereby covering
the whole spectrum of GDPR:
• GDPR governance, covering amongst
others legal assessment, third party
management and risk and compliance
• People and Communications,
covering employee awareness and
training, and internal and external
communication
• Processes, covering the GDPR duties
& readiness of HR, CRM and other
business processes
• Data, covering personal data life cycle
management and citizen interaction
• Security, covering breach prevention
and management and other digital
security measures
IBM’s GDPR approach is holistic
24

25. © 2016 IBM Corporation
Compliance use cases (DPO)
IT
§ Data discovery & classification (PII Assessment)
§ Retention policy governance
§ Data deletion (Right to Erasure)
§ Data masking (obfuscation)
§ Data protection (blocking, breach notification)
Business
§ KYC process
§ Right to Enquiry, to Correction, to Erasure
§ Legal hold and defensible disposal
§ Litigation and dispute management
§ Consent management
§ Portability
§ Accountability
Indirect benefits (CDO)
IT
§ Legacy retro-documentation
§ Data governance definition
§ Performance improvements
§ Reduction of storage costs
§ De-identified data generation (test /
analysis)
§ Increased data security
Business
§ Data quality improvements / referentials
§ Accurate 360°view
§ Audit trail
§ Enabling analytics (w/ de-identified
data)
§ Other?
GDPR Use Cases and Benefits
25

26. © 2016 IBM Corporation
Assess and Benchmark
the current state of
privacy program
Reline Privacy Policy and
Privacy Statement, Plan
for Change, Develop
Privacy Metrics
Develop Privacy
Compliance Testing and
Monitoring Program,
Enhance Training
Enterprise Privacy Assessment
26
Data Privacy & Information Lifecycle
IBM Methodology Frameworks

27. © 2016 IBM Corporation
Security & Privacy
GDPR – Required Capabilities
Info Lifecycle
Management
Case Management
Metadata & Policy
Mgmt
Metadata repository
Identity & Access Mgt
Usage limitation
Info Governance
Utility Services
BI / Dashboarding
Subject Rights Mgmt Compliance Mgmt
Loss Prevention
Breach Reporting
Intrusion detection &
blocking
Activity Monitoring
Security Info Event
Mgmt
Data Stewardship
Process Mgmt
Retention
Archival
Records Mgmt
Data Classification
Audit & Reporting Remediation
Incident Response
Employee Training Investigation/Dispute
Data Dictionary
Policy Syndication
Master / Reference
Data Mgmt
Data Discovery
Data Quality
Request Mgmt Consent Mgt
Data Encryption
Lineage
RTBF KYC
Data Anonymization
Privacy by
Design
Individuals
rights
Consent
Accountability
Data Security
Disposal
360° view
Testing
27

28. © 2016 IBM Corporation
Where to Start?
28

29. © 2016 IBM Corporation
Assessment & Clean Up - Advanced visualizations show what types
of data are stored across your enterprise

30. © 2016 IBM Corporation
Assessment & Clean Up -
Discover where your oldest or least used data resides
30

31. © 2016 IBM Corporation
Assessment & Clean Up -
Use intelligent overlays to spot potential compliance issues
31

32. © 2016 IBM Corporation
Phase 1: Identify
Data Sources
Phase 2: Filter
based on metadata
Action
Filter2
Filter1
Phase 4:
Investigate
relevant data and
compile evidence
Phase 3: Manage
deep inquiries
through full-text and
metadata indexing
Volume Relevance
§ Data about your
information
§ Take action (move, copy,
delete, etc.)
§ Use a combination of rules
and machine learning to
identify and classify
content
Classification
Full Text
Metadata
Identify Relevant Information in its Native Location
- Data Discovery and Information Catalogue Population
Sources
32

33. © 2016 IBM Corporation
GDPR is Live 2018
§ Data protection by Default and by
Design
§ Right to Enquire & Right to Erasure
§ Large Fines
– To total €20m or 4% of Global Annual
Turnover, whichever is higher
§ Reputational Risk
– Enforcement Activities by Data Protection
Regulators will increase
– Data breaches will be brought to light
sooner
– Risk of real rapid reputational
consequences
33

34. © 2016 IBM Corporation
Summary
§ Know what you have
§ Know where it is
§ Know what policies apply
§ Execute And Stand Up Right to
Enquire, Right to Erasure,
Privacy By Design Processes,
Policies & Procedures
§ GDPR is Not the Only Data
Regulation that may apply…
34

35. © 2016 IBM Corporation
35
Thank you!
§ Kristyn Dorr
§ 720.904.1601
§ kdorr@Integro.com
§ @Integro
§ Richard Hogg
§ +1-703-963-2900
§ rghogg@us.ibm.com
§ @banjaxx