Six Steps to Addressing Data Governance under GDPR and US Privacy Shield Regulations

1
Confidential and Proprietary. All rights reserved Copyright© 2017. DATUM LLC
Six Steps to GDPR
Readiness
Is Your Organization Ready for the
General Data Protection Regulation?
Jonathan Adams, Research Director
GDPR

2
Peter Steiner; New Yorker Magazine; July 1993

3
GDPR3 Reasons to Care

4
1. Reduce Costs
Fines up to 4% of Global Revenue
*2016 Annual Revenues

5
2. Increase Margins
GDPR Capabilities support digital transformation goals and drive
new business models:
• Consumer
Centric PLM
• Supply Chain &
Channel
Optimization
• Customer 360
programs

6
3. Grow Revenue
Data Monetization &
New Revenue Streams
• Sports “Wearables”
• Self Identification at POI
• Cloud Based Services
“Trust” with Partners
& Customers

7
The Clock is Ticking…

8
Defining GDPR
GDPR is a comprehensive set of privacy regulations designed to protect data for individuals
within the European Union.
Objective:
• Give individuals control of their personal data
• Regulatory consistency across the EU
Impact:
• Covers personal data collected in EU regardless of where the data
collector is located
• All US based multi nationals doing business with people in Europe
will be impacted

9
GDPR’s Impact on Companies
Any business (foreign or domestic) engaged with individuals within the EU
The notion of Personal Information (PI) is broadly defined: data that has the
potential to identify a person living in Europe falls under the GDPR
GDPR applies “horizontally” across the organization’s business components,
and “vertically” at all decision making levels.
GDPR applies across the complete value chain. Organizations are obligated to
verify the compliance of parties with which they do business.

10
GDPR Requires Interpretation
General Data
Protection Regulation

11
GDPR Requires Interpretation
It’s Comprehensive & Tightly Written
• All personal information regardless of where it came from and how it is used is governed
It’s Principle Based
• Requires companies to adopt privacy principles at the cultural level
It’s Compromise Legislation
• GDPR is a piece of what legal scholars call compromise legislation: a legislative text that tries to
satisfy two starkly opposed sides of the data protection debate
When Interpretation is Required, Best Practices are Critical

12
The Governance Challenge
Creating transparent &
defensible best practices
that address “principles”

13
Risk
Management
Accountability
Org Design
Data Lineage
Process
Alignment
PII Cataloging International
Partner
Management
Metadata
Data
Governance
Data
Architecture
Data
Operations
Data Discovery
Best Practices
Security
Data
Management
Privacy
Cloud Services
IoT
The Governance Challenge
Mapping the best practices to observable & measurable
activities across many functional areas
Processes
Objectives
Standards
Metrics
Data
Rules

14
The 4 Core Capabilities
GDPR requirements can be simplified by
organizing around four core capability areas:
Consultation
& Reporting
• Certification
• Risk Management
• Organizational
Alignment
• Privacy by Design
• Risk Management
• Communication
• Remediation
• People
• Partners
• Regulators
• Organization

15
People: The “owners” of Personal Information
Forget
Quarantine
Package
Fix
Consent
Notification
Access
• Greater detail and clarity is
called for when collecting
data
• Consent must be explicit as
to use of data, how it will be
processed, and by whom
• Notification of breach is
required (within 72 hours to
the regulator)
Under GDPR Individuals
have the following rights:
• To be Informed
• To Access
• To Rectify
• To Erasure
• To Restrict Processing
• To Data Portability
• To Object
• Related to automated
Decision Making and
Profiling
Obligations Rights

16
Organization: “Data Protection by Design”
Data
Management
International
Best Practices
Risk
Management
Accountability
Obligations
• Accountability – vertically, horizontally and
externally
• Data Protection Officer required for most
large companies
• Best practice “Codes of Conduct” mitigate
against enforcement action
• Assessment of risk will drive multiple
decisions – it needs to be transparent and
defensible
• Cross border data exchanges do not obviate
requirements

17
Partners: A New Risk Dimension
Certification
Risk
Management
Processor
Compliance
Obligations
• Transfers of Personal Information between your
company and business partners does not transfer
the responsibility to ensure it is safeguarded – it is
still yours to look after
• Establish a way to ensure your partners are
providing GDPR level security
• Best practices certifications that support third
party audits will streamline assessment process
and mitigate risk
• Due diligence and transparency is key to
demonstrating diligence

18
Regulators: Communication is key
Consultation
Best Practices
Obligations
• Notification is required in the event of a breach
• “Breach” is broadly defined: destruction, loss,
alteration, unauthorized disclosure of, or access
to, personal data
• Reporting to regulators within 72 hours when
breach is likely to result in a risk to the rights and
freedoms of individuals
• “Prior Consultation” is an expectation
• Privacy Impact Assessment anchors the regulator
and risk discussions
• Best Practices will streamline these discussions

19
GDPR6 Steps to Readiness

20
1. Readiness Baseline
Compliance Capability Readiness=+
Do the Right Thing – Do it Right!
Understand Where You Are

21
2. Best Practices
Aligning to Recognized Best Practice Frameworks Mitigates Risk
2 Talk the Talk – Walk the Walk
3 Promote within Industry Associations
Pick a Framework That Works for You1
Understand How You Want to Manage

22
What is my GDPR Related Data?

23
3. Catalog
“To understand yourself is the beginning of wisdom.” – Krishnamaurti
2 Catalog Data: Foundational to Managing Data
3 Describe Data: Tag to Answer Compliance
Requirements
Identify Data: PI; Sensitive; Packaged; Erasable1
Understand What You are Managing

24
Who is in charge? Why is this information valuable? And what is the impact of a privacy breach?
Why Do I Have It; How Is It Used?

25
4. Data Lifecycle
Where Is It and How Is It Used?
Lineage is a challenge!
• E-commerce sites
• Marketing functions
• Shipping fulfillment
• CRM
Start with known
Business
Functions
Focus on Core
Requirements
• Consent
• Notification
• Remediation
• Partner Management

26
5. Build Risk Capabilities
Defensible; Transparent; Demonstrable
Vulnerabilities
17-2
32-1
32-2
33-1
33-3
34-1
GDPR
Risk
Areas
34-3
35-1
35-7-c,d
35-11
49-1-a
Practices
Mitigation
RiskGovernance
Risk Analysis &
Metrics
“To [the] rights
and freedoms of
natural persons”

27
Am I Ready For the Regulators?

28
6. Governance Framework
Operating
Model
Organizational
Alignment
Mobilizing Cross-
Functional Teams
Empowerment
(with Rules and
Tools)
Outcome focused
Metrics
Ownership &
Accountability
Step-Change
Change Management
Pulling it all Together!

29
GDPRQuestions?
Jonathan Adams; 443-223-2534
jonathan.adams@datumstrategy.com

30
Some Useful Links
Whitepapers
• GDPR Guide: 3 Steps to Readiness: http://info.datumstrategy.com/gdpr-guide-ebook-paper-privacy-compliance
Blogs
• Will the Privacy Shield Protect You? http://www.datumstrategy.com/blog/will-the-privacy-shield-protect-you
• 7 Key GDPR Requirements & the Role of Data Governance: http://www.datumstrategy.com/blog/gdpr-requirements-and-data-
governance
• What’s GDPR and the Penalty for Not Complying? http://www.datumstrategy.com/blog/what-is-gdpr-fines-penalties-for-not-
complying
Websites
• GDPR Portal: http://www.eugdpr.org
• DATUM Strategy: http://www.datumstrategy.com
Informative Sites:
• The UK Information Commissioner’s Office (ICO) has a well put together site that makes it easy to find answers:
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/accountability-and-governance/
• The Linklaters Law Firm has a number of resource papers (versus marketing papers): The General Data Protection Regulation:
A Survival Guide; and A report on global data protection laws in 2016.
https://clientsites.linklaters.com/Clients/dataprotected/Pages/TheGDPR.aspx
• The book by Chiara Rustici: Applying the GDPR: Privacy Rules For The Data Economy is very informative. Pre-release is out
http://shop.oreilly.com/product/0636920055723.do

Six Steps to Addressing Data Governance under GDPR and US Privacy Shield Regulations

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Six Steps to Addressing Data Governance under GDPR and US Privacy Shield Regulations

Similar to Six Steps to Addressing Data Governance under GDPR and US Privacy Shield Regulations (20)

More from DATUM LLC

More from DATUM LLC (14)

Recently uploaded

Recently uploaded (20)

Six Steps to Addressing Data Governance under GDPR and US Privacy Shield Regulations