Dimitri Sirota, CEO, BigID and Blake Bannon, VP of Product, OneTrust, present will detail best practices for synchronizing a privacy office enterprise privacy management platform with a tool for finding, classifying and correlating PI or PII across the data center and cloud. Access the webinar presentation to learn: -What the market landscape for privacy-centric products looks like -Key considerations for evaluating privacy office software -Key considerations to consider for privacy-oriented data discovery software -How to ensure your privacy policy is aligned with operational reality -Integration scenarios and use cases that connect the privacy office with IT

2. www.iapp.org
Thursday, April 25, 2019
Time: 8:00–9:00 a.m. PT
11:00 a.m.–noon ET
5:00–6:00 p.m. CET
Bridging the Privacy Office with IT

3. www.iapp.org
Welcome and Introductions
Host:
Dimitri Sirota
CEO, Founder
BigID
Panelists:
2
Dave Cohen
CIPP/E, CIPP/US
Knowledge Manager
IAPP
Blake Brannon
VP, Product
OneTrust

4. www.iapp.org
Privacy is a Global Problem
3
Personal Information Protection and
Electronic Documents Act (PIPEDA)
Protection of Personal Information
Act 2013 (POPI)
General Data Privacy Law
(LGPD) 2018
The Privacy Protection
Act (PPA) 2017
Personal Data
Protection Act (PDPA)
2012
Personal Information
Protection Act (PIPA) 2011
Personal Information
Security Specification
2018
Act on Protection of
Personal Information
(APPI) 2017
Australia Privacy Principles
2014
General Data Protection Regulation
(GDPR 2016)
Personal Data
Protection Bill 2018
Federal Data Protection Law 2000
Data Protection in Act (pending)
California Consumer Privacy
Act (CCPA) 2018

5. www.iapp.org
Global Privacy Program Initiatives
4

6. www.iapp.org
Data Map Architecture: What, Why, How
5
Purpose & Legal Basis of Processing
Controller, Processor
Countries of Data Subjects Involved
Data Elements Processes
Parties who access
Classification of Data
Storage Locations
Servers, Applications, IP Addresses
Tables & Columns in Database
Data Map Details
LEGAL
BUSINESS
TECHNICAL

7. www.iapp.org
Building a Data Map In Practice
6
Assessment / Surveys
Purpose & Legal Basis of Processing
Controller, Processor
Countries of Data Subjects Involved
Data Elements Processes
Parties who Access Data
Classification of Data
Storage Locations
Servers, Applications, IP Addresses
Tables & Columns in Database
Data Map Details
Integrate with
Systems You Know
Scan and Discover
Salesforce
Marketo
Zendesk
Etc.

8. www.iapp.org7
Storage of the Data Map Model Equally Important

9. www.iapp.org8
Visualize the Flow of Data and Transfers

10. www.iapp.org9
Leverage the Data Map to Automate DSARs

11. www.iapp.org10
Easily Export Article 30 ROPA Reports

12. www.iapp.org
Data Map Model – Examples
11
Find all data from Data Subject &
Delete
Look at the data elements stored in
the system and classification (e.g.
email address)
Update your systems Vendor list.
Customer Exercises Deletion Request
What is the business risk associated with
using system A from Vendor B?
Vendor changes a subprocess. New
transfers exist.
Purpose of processing limits what needs
to be done to the data
Vendors using data need to be included
in fulfilling processing request
Each RoP in your system needs to
reflect the inherited linking of the
vendors transfers become the
processing activities transfers
Context of use matters. (e.g. clinical
trial database vs marketing)
Consent when given, did not
disclose Vendor B
Example Typical Behavior Business Context

13. www.iapp.org
Managing Consumer & Data Subject Access Requests
12
Data
Subject
Multi-lingual
Dynamic Routing
1 Click Hosting
Auto Email
Verification
Request
Intake Form
Validation
& Triage
Encrypted Messaging Portal
Validate Identity
Route Request
Template
Responses
& Subtasks
Record
Keeping
& Metrics
Request Extension
Delete Request
Fulfill Request
3rd Party ITSM or
Case Mgmt
Integration
Documentation
Calculate Costs
Generate Reports
Fulfillment with
Targeted Data
Discovery
Automatically
Discover Data
from Targeted
Systems

14. www.iapp.org
Managing Consumer & Data Subject Access Requests
13
DSAR Request
Received
ASSETS
Data Map
VENDORS
PROCESSING
ACTIVITIES
Assign
Manual
Tasks
Assign
Manual
Tasks
Assign
Manual
Tasks
Assign
Manual
Tasks

15. www.iapp.org
Data Matters to Privacy
Can’t protect what you can’t find
15

16. www.iapp.org16
Privacy Revolves Around Knowing Your Data
Personal Data Rights Require Personal Data Insights
What Data Do I Have Where
Who Does The Data Belong To
What Data Is At Risk
Where Is The Data Going
When Can I Use The Data
16

17. www.iapp.org17
Petabyte Scale Data Agnostic Identity Aware Can Find PI & PII
Permission & Purpose No Data
Duplication
De-risk & De-ID Bridge IT & Business
Requires New Approach to Data Discovery
On-prem or Cloud, Micro-service, API-first
17

18. www.iapp.org18
Middleware Cloud / SaaSMessagingApplications
Structured
Databases
Big Data & NoSQL
Unstructured File
Shares
Files
That Can Span Any Data or Application
Span Silos, Bridge BUs, Cross Regions
18

19. www.iapp.org19
Need to Look Beyond Classification Based Discovery
RegX Pattern Matching Can’t Meet Today’s Privacy Needs
To Find Contextual
PI vs Just PII
To Correlate By
Person
Vs Just Classify
To Automate
Privacy
Data Operations
To Resolve One
Person from
Another
To Look Across
All Data
19

20. www.iapp.org20
Needs to be ML Based & Deployable on Prem or Cloud
Can Correlate, Classify, Catalog
Mine Machine Manage
Agentless
Any data type
Cloud
Analysis
Reporting
API
20

21. www.iapp.org21
Needs to be Enterprise Ready
Flexible & Secure Deployment
Docker with Kubernetes
RBAC with Scoping Credential
Externalization
No Data CopyingPre-built 3rd Party
Orchestrations
On-prem
or Cloud Deployment
API-firstAny Data /
Any Language
21

22. www.iapp.org22
Use Case:
Classify By Categories, Data Source, Location & App
Automatically Inventory & Map All
Data By Person, Type, Server,
Application, Location, etc., without
Copying or Duplicating
22

23. www.iapp.org23
Use Case:
Classify Data by Person for GDPR & CCPA Data Rights
Patent-pending Correlation-led
Classification Automatically Indexes
Data By Person for Right-to-be-
forgotten
23

24. www.iapp.org24
Use Case:
Apply Labels Using Microsoft AIP Framework
Label Files Using AIP Automatically
Based on Classified & Categorized Data
24

25. www.iapp.org25
Use Case:
Set Policies Around Data Movement & Compliance
Monitor and Detect Data Transfer,
Misuse or Policy Violations
25

26. www.iapp.org26
Use Case:
Simplify Breach Response Investigation
Quickly Determine Exactly What and
Whose Data was Compromised in Case
of a Breach to Minimize the Impact
26

27. www.iapp.org27
Use Case:
Data Access Insights & Protection
Identified Over-permissioned Files and
File Shares
27

28. www.iapp.org
Data Mapping Integration
28

29. www.iapp.org
Integrate the privacy office with IT
● CSV-import
● API in future
● Validate policies based on PI
Use Case: BigID & OneTrust Data Inventory and Mapping
29

30. www.iapp.org
Host:
Dimitri Sirota
CEO, Founder
BigID
Info@bigid.com
Panelists:
30
Dave Cohen
CIPP/E, CIPP/US
Knowledge Manager
IAPP
dave@iapp.org
Blake Brannon
VP, Product
OneTrust
bbrannon@onetrust.com
Questions and Answers

31. www.iapp.org
Thank You
to our
Sponsor
Speakers and Participants
31

32. www.iapp.org
32
Web Conference
Participant Feedback Survey
Please take this quick (2 minute) survey to let us know how satisfied you
were with this program and to provide us with suggestions for future
improvement.
Click here:
https://www.questionpro.com/t/AOhP6ZeNFx
Thank you in advance!
For more information: www.iapp.org

33. www.iapp.org
Attention IAPP Certified Privacy Professionals:
This IAPP web conference may be applied toward the continuing privacy education
(CPE) requirements of your CIPP/US, CIPP/E, CIPP/G, CIPP/C, CIPT or CIPM
credential worth 1.0 credit hours. IAPP-certified professionals who are the named
participant of the registration will automatically receive credit. If another certified
professional has participated in the program but is not the named participant then
the individual may submit for credit by submitting the continuing education
application form here: CPE credit application.
Continuing Legal Education Credits:
The IAPP provides certificates of attendance to web conference attendees.
Certificates must be self-submitted to the appropriate jurisdiction for
continuing education credits. Please consult your specific governing body’s
rules and regulations to confirm if a web conference is an eligible format
for attaining credits. Each IAPP web conference offers either 60 or 90 minutes of
programming.
33

34. www.iapp.org
For questions on this or other
IAPP Web Conferences or recordings
or to obtain a copy of the slide presentation please contact:
Dave Cohen, CIPP/E, CIPP/US
Knowledge Manager
International Association of Privacy Professionals (IAPP)
dave@iapp.org
603.427.9221
34