7 Key GDPR Requirements & the Role of Data Governance
Jonathan Adams, DATUM
Jonathan Adams
• Director of Research; supports customers in building governance discipline around analytics and regulatory compliance
• Certified CMMI Enterprise Data Management Expert (EDME)
• 20+ years of experience leading requirements, design and implementation efforts for retailers, financial organizations and federal agencies
Data is Everything – Personal Data is Everywhere
GDPR is … right around the corner
If you are just starting…
How do I start?
• What is my risk exposure?
• What do I need to do NOW?!
If you are well on your way …
How do you avoid the MV (Minimum Viable) Paradox?
• Doing the right thing, but doing it WRONG: you do just enough to be compliant and then stop; compliance hell!
• Doing the right thing AND doing it right: focus on building capabilities that scale and are robust, transparent and defensible
Agenda:
• Quick Overview of GDPR
• Critical first steps – what you need to do NOW
• Ensuring long term stress free compliance (Audit Resilience)
Defining GDPR
GDPR is a comprehensive set of privacy regulations designed to protect data for individuals within the European Union.
Objective:
• Give individuals control of their personal data
• Regulatory consistency across the EU
Impact:
• Covers personal data collected in the EU regardless of where the data collector is located
• All US based multinationals doing business with people in Europe will be impacted
• Fines are significant: up to 4% of global revenue
GDPR’s Impact on Companies
Any business (foreign or domestic) engaged with individuals within the EU is covered.
The notion of Personal Information (PI) is broadly defined: data that has the potential to identify a person living in Europe falls under the GDPR.
GDPR applies “horizontally” across the organization’s business components, and “vertically” at all decision-making levels.
GDPR applies across the complete value chain. Organizations are obligated to verify the compliance of parties with which they do business.
GDPR requirements can be simplified by organizing around four core capability areas:
• People
• Partners
• Regulators
• Organization
Capabilities shown in the diagram (Organization, People, Partners, Regulators): Communication; Remediation; Certification; Risk Management; Consulting & Reporting; Organizational Alignment; Privacy by Design; Risk Management; Privacy Culture
People: The “owners” of Personal Information
Capabilities (diagram): Consent; Notification; Access; Forget; Quarantine; Package; Fix
Obligations:
• Need for greater detail and clarity when collecting data
• Consent must be explicit as to use of data, how it will be processed, and by whom
• Notification of breach is required
Rights: Under GDPR individuals have the following rights:
• To be Informed
• To Access
• To Rectify
• To Erasure
• To Restrict Processing
• To Data Portability
• To Object
• Rights related to automated Decision Making and Profiling
Organization: “Data Protection by Design”
Capabilities (diagram): Data Management; International Best Practices; Risk Management; Accountability
Obligations:
• Accountability – vertically, horizontally and externally
• Data Protection Officer required for most large companies
• Best practice “Codes of Conduct” mitigate against enforcement action
• Assessment of risk will drive multiple decisions – it needs to be transparent and defensible
• Cross border data exchanges do not obviate requirements
Partners: A New Risk Dimension
Capabilities (diagram): Certification; Risk Management; Processor Compliance
Obligations:
• Transfers of Personal Information between your company and business partners do not transfer the responsibility to ensure it is safeguarded – it is still yours to look after
• Establish a way to ensure your partners are providing GDPR level security
• Best practice certifications that support third party audits will streamline the assessment process and mitigate risk
• Due diligence and transparency are key to demonstrating diligence
Regulators: Communication is key
Capabilities (diagram): Consultation; Best Practices
Obligations:
• Notification is required in the event of a breach
• “Breach” is broadly defined: destruction, loss, alteration, unauthorized disclosure of, or access to, personal data
• Reporting to regulators within 72 hours when a breach is likely to result in a risk to the rights and freedoms of individuals
• “Prior Consultation” is an expectation
• Privacy Impact Assessment anchors the regulator and risk discussions
• Best Practices will streamline these discussions
What do you need to do NOW?
Get a grip!
Catalog your Personal Information
“The first thing you have to know is yourself...” – Adam Smith
1. Identify Data: PI: Collected, Observed, Derived
2. Catalog Data: Foundational to Managing Data
3. Describe Data: Tag to Answer Compliance Requirements
Understand Risk
• Is your Business Model “risky”?
• What is your risk tolerance?
• What does your lawyer say?
Remember – your lawyer interprets the regulation; your governance team builds auditable controls consistent with policy shaped by interpretation; your executive leadership defines policy.
Build a Risk Model for transparency & defensibility
Confidential and Proprietary. Copyright© 2017. DATUM LLC
Risk model components (diagram):
• Vulnerabilities
• GDPR Risk Areas (article references): 17-2, 32-1, 32-2, 33-1, 33-3, 34-1, 34-3, 35-1, 35-7-c,d, 35-11, 49-1-a
• Practices
• Mitigation
• Risk Governance
• Risk Analysis & Metrics
• Risk “to [the] rights and freedoms of natural persons”
• Best Practices: COBIT; CMMI DMM; ISO 27001; NIST 800-61 …
Avoiding the Minimum Viable Paradox
Audit Resilient?
Focus on Capabilities
Compliance + Capability = Readiness
Do the Right Thing – Do it Right!
Best Practices Mitigate Risk
Aligning to Recognized Best Practice Frameworks Mitigates Risk
1. Pick a Framework That Works for You
2. Talk the Talk – Walk the Walk
3. Promote within Industry Associations
Operating Model Builds Accountability
Actors & Roles
• Who needs to be engaged in the Data Governance program?
• What are their roles?
Organizational Design
• The ideal design for ‘data’ given organizational competencies
• What makes sense for the organization today?
• What is the vision given business goals?
Functions
• The governance functions and Teams
• What skill sets are required?
• What functions are performed?
• Where do we get those resources?
Methods
• What level of automation should exist to support Actors, Roles and the functions they perform?
Change management is the challenge
Elements (diagram): Operating Model; Organizational Alignment; Mobilizing Cross-Functional Teams; Empowerment (with Rules and Tools); Outcome-focused Metrics; Accountability; Step-Change; Change Management
In the immortal words of Bill & Ted
Be Agile – it’s a journey!
Steps can be iterative
• All data does not have to be cataloged day one
• All processes do not have to be known
• Have a Plan
• Focus on Demonstrable Due Diligence
• The solution ecosystem & governance framework that:
  – Supports agile iterative evolution of capabilities
  – Shows early successes
Success
Thank You for Your Time!
• Any questions?
• Visit us at http://www.datumstrategy.com/gdpr-solution for more
information
• For the latest news follow us on Twitter at @datumstrategy
Confidential and Proprietary. Copyright© 2018. DATUM LLC

Enterprise Data World 2018