GDPR
General Data Protection Regulation
Olivier Barrot
IBM Client Technical Advisor
olivier.barrot@fr.ibm.com
@olivierbarrot
olivier barrot
© 2017 IBM Corporation
GDPR: Introduction
• Most significant change in data privacy law in the past 20 years
• Replaces the 1995 EU Data Directive
• Inspired by the Charter of Fundamental Rights of the European Union - Articles 7 (respect for private and family life) and 8 (protection of personal data)
• Aim is to have a harmonized, unified data protection law framework for all EU countries
• No longer a Directive but a Regulation
• Not a one-time effort but a multi-year journey with regular assessment checks
Timeline: published June 2016; applicable May 2018; 24 months to prepare. "We are here" marker on the timeline. Non-compliance?
GDPR: What you need to know
Objectives (diagram): modernize the law; facilitate free flow of data; reinforce & enhance data protection rights of EU data subjects (in the Digital Single Market, with emerging technologies).
• Extra-territorial: applies to organisations outside the EU processing EU data subjects’ personal data, with obligations not just on Controllers but now also on Processors
• Requires the appointment of mandatory Data Protection Officers
• Defines what constitutes personal, directly or indirectly identifiable data, such as online identifiers, IP addresses and location data
• Will fundamentally change the way organisations must protect, govern and manage their structured and unstructured data
GDPR issues: What we have seen so far
• Data retention, storage and security
• Designation of main establishment
• Vendor management and outsourcing
• Processing of personal data in the employment context and potential member state variations
• IT system capabilities, integrity and functionality, particularly to enable data subject rights
• Costs to business of free subject access requests
• Development of digital products and services
• Processing of data relating to criminal offences or convictions
• Uncertainty around data transfer mechanisms
• Engagement with industry associations and advocacy
• Data protection by design and default
• Responding to breaches within time limits
• Designation and tasks of the Data Protection Officer
• Consent and other lawful grounds for processing
• Data transfers to third country authorities (“anti-FISA clause”)
GDPR: Who is concerned?
Program stakeholders (diagram): Board of Directors; DPO; LEGAL; CRO; CDO; CIO; CMO; DHR; CIL; SR; Business; IT Department; Data Management and BigData architecture teams.
Evolution of compliance: GDPR Policy; Procedures and Organisation; Training and Communication; GDPR Compliance.
Communication, Collaboration, Coordination between stakeholders.
GDPR: Hosting & Cloud impacts
• Customer’s consent is required when transferring personal data to another country.
• Access to personal data from another country is considered a transfer of personal data.
• An EU Model Clause Agreement is generally needed when the transfer is to a non-EU/EEA country (i.e. a third country).
• Transfer of personal data to the US is NO LONGER allowed under a Safe Harbor certification.
GDPR: Why IBM?
An end-to-end value proposition: consulting, technology assets and industrialization
Regulation (2018): where are the major risks; what actions to be taken; where to start.
Operational methodology to compliance: flash audit to do the GDPR diagnostic; build the roadmap to compliance; Privacy Impact Assessment (PIA); IT systems transformation.
Supporting software and assets: sensitive & personal data discovery; data lifecycle governance and protection (consent, encryption, masking, deletion, etc.).
GDPR: IBM’s vision
Major regulatory compliance areas and actions to be prioritized
• Accountability of Compliance: need to demonstrate compliance with the principles relating to personal data processing that pervade the GDPR. Actions: consider how compliance is proven, including data protection privacy impact assessments, codes of conduct, governance and certification.
• Lawfulness and Consent: processing is only lawful if there is one of the following: consent, necessity, legal obligation, protection, public interest, official authority or legitimate interest. Actions: keep data subjects informed; manage requests in a transparent, efficient and effective manner; consider appointing a DPO.
• Design and Default: data controllers and processors must implement technical and organisational measures that demonstrate compliance with the GDPR core principles. Actions: permeate system development, maintenance and hosting practices with privacy principles; demonstrate adherence and data lineage.
• Rights of EU Data Subjects: provide for enhanced rights for data subjects in the EU, including erasure, access and portability. Actions: keep a record of structured and unstructured personal data; enable execution of citizen rights, amongst which to understand, access, amend, object to, and export personal data.
• Security of Personal Data: need to ensure a level of security appropriate to the risk, including 72-hour high-risk breach reporting. Action: implement and demonstrate adequate internal and external IT and physical defences and restrictions to reduce data privacy and security risks, including data minimisation, pseudonymisation [GDPR term] and encryption techniques.
GDPR: IBM’s vision
IBM’s five layer model for GDPR
IBM has clustered GDPR activities across five layers, thereby covering the whole spectrum of GDPR:
• GDPR governance, covering amongst others legal assessment, third party management and risk and compliance
• People and Communications, covering employee awareness and training, and internal and external communication
• Processes, covering the GDPR readiness of HR, CRM and other business processes
• Data, covering personal data life cycle management and citizen interaction
• Security, covering breach prevention and management and other digital security measures
The model spans both Business and IT.
GDPR: IBM’s vision
Business Capability Reference Architecture (diagram: capabilities grouped by domain, each marked as business, IT or security focus)
• Governance: Roles & Responsibility Management; Policies & Measures Management; Regulations & Requirements Management; DP Governance; Third Parties Management; Reqs & Controls Monitoring; Compliance Demonstration; DP Strategy & Risks Assessment
• People & Communications: Training & Certification; Communication Management; Monitor Communications
• Processes: Individual PD Records Maintenance; “Privacy by Design” Development; Rules Execution; Workflow Management
• Data: Catalogue Lifecycle Management (Archiving, Data Disposal and Data Lifecycle Monitoring, all for minimisation); Citizen Interaction Center and Data Management (Information; PD Rights execution; Information & Notice Delivery; Complaints Registration; Citizen Identification; Automated Decision making; PD Taxonomy; Consent Management; Breach Notification; PD Purpose Register; Metadata Identification; Metadata Classification; Data Lineage; Individual PD Identification; Individual PD Classification; Data Desensitizing (Minimisation); Data Management Assurance; Data Quality; Data Dictionary; Data Processing Monitoring; Rules Definition; Notice Management; PD Record Processing; Data Source Discovery; Data Masking (Minimisation))
• Security: Access Control; Breach Prevention & Management; Security Monitoring; Vulnerabilities Assessment & Mitigation; Forensics
GDPR Operational implementation
IBM software components and services mapping (diagram: the capability grid above, with an IBM software component or an expertise/consulting offering placed against each capability)
• IBM software components shown: Optim; IER; Research Asset; Resilient; Information Analyzer; Guardium DE; Guardium DP; Guardium VA+DP; Case Manager; StoredIQ; Information Governance Catalog; OpenPages; RC Analytics; Identity Gov. Intel.; Sec. Access Mgr; QRadar; i2
• Expertise / Consulting shown: Change Mgt / Process reengineering / Training; Consulting; Devt Expertise; Program Mgt + Consulting
GDPR: IBM SW Solutions Framework
IBM Technology overview (diagram)
• Dynamic Policy Management: define what, why, how long (Policies, Rules, Audit, Processes, Analyses)
• Implementation Services: distribute policies to data sources
• Data Infrastructure: control use, align cost to value
• Data Management sources: Email Servers; User Devices & File Shares; ECM & Collaboration; Archive Platform; Master Data; Cloud & Social; Databases & Data Warehouse; Hadoop Platform
• Cross-cutting: Security & Compliance Monitoring
• Compliance areas covered: Lawfulness and Consent; Design and Default; Rights of EU Data Subjects; Accountability of Compliance; Security of Personal Data
• Products shown: IBM Case Manager; InfoSphere; IBM Atlas; Optim
GDPR Operational implementation
Major IT workstreams and IBM solutions (diagram: IBM products mapped against workstreams and compliance areas)
• GDPR Trajectory: GDPR Assessment (Gap Analysis); Review of Design principles
• Workstreams: Business Processes; Applications; Data Repositories; Infrastructure and Devices
• Topics: Accountability; Policies, Rules and Definitions; Consent (Explicit Consent Management / RTBF); Incidents Management / Data breach; Privacy by Design / Privacy by Default; Minimization of personal data used and stored by applications; Rights of Restitution / Transfer / Rectification; Data Security and Protection; Personal Data inventory; Unstructured data Exploration; Structured data Exploration; Archival / Deletion / Quarantine; Files encryption; Anonymization / Data Masking; Operational Data Protection; IT Operational Security; Users and administrators Activity monitoring
• Compliance areas: Lawfulness and Consent; Design and Default; Rights of EU Data Subjects; Accountability of Compliance; Security of Personal Data
• IBM solutions shown: StoredIQ; StoredIQ Legal; Optim; Optim DP; Guardium VA; Guardium DP; Guardium DE; Info Analyzer; Atlas; Case Manager; QRadar; Resilient; Identity Gov. & Intelligence; AppScan; BigFix / MaaS360
GDPR in practice
Data Governance & Security tooling contribution to Compliance by capability (diagram)
• Stakeholders: CISO, DPO, CPO; Group Compliance; Legal; DBA
• Governance Layer: Metadata & Policy Mgmt; Compliance Mgmt
• Data Management Layer: Info Lifecycle Mgmt
• Compliance & Security Layer: Security & Privacy; Info Gov Utility Services; Subject Rights Mgmt
• Capabilities: Sensitive data Discovery & Classification; Data & Policy Governance; Retention & Disposal; Masking & Encryption; DB & File Activity Monitoring; Users Activity; Identity & Access Mgmt; Vulnerabilities (Databases, Apps, Infrastructure); Dynamic blocking; Incidents correlation & identification; Security Incidents Mgmt & Reporting
GDPR in practice
Data Governance & Security tooling contribution to Compliance by capability (diagram: the same layers and capabilities, with IBM tooling placed against them)
• Stakeholders: CISO, DPO, CPO; Group Compliance; Legal; DBA
• Governance Layer: Metadata & Policy Mgmt; Compliance Mgmt
• Data Management Layer: Info Lifecycle Mgmt
• Compliance & Security Layer: Security & Privacy; Info Gov Utility Services; Subject Rights Mgmt
• Capabilities: Sensitive data Discovery & Classification; Data & Policy Governance; Retention & Disposal; Masking & Encryption; DB & File Activity Monitoring; Users Activity; Identity & Access Mgmt; Vulnerabilities (Databases, Apps, Infrastructure); Dynamic blocking; Incidents correlation & identification; Security Incidents Mgmt & Reporting
• Tooling shown: Information Governance Catalog; Atlas; Information Analyzer; AppScan; BigFix / MaaS360; Identity Governance Intelligence
GDPR: IBM’s Proposal
GDPR Timeline: IBM helps clients to define their roadmap for compliance and supports the implementation program until 2018 and beyond…
• 2H 2016 (Now) - Diagnose: Legal review; Identify gaps; Impact analysis. Many firms are currently working through the legal interpretation. IBM can support the gap and impact analysis.
• 2017 - Define, Design and build: Governance; People & Communications; Process; Data; Security; Test & Assure. IBM can speed up your deployment programme at a reduced cost by bringing GDPR solutions, tools and accelerators across the full spectrum of your needs.
• 1H 2018 (May 2018) - Deliver and Demonstrate: Deploy to production; Demonstrate compliance (ongoing). IBM can provide the capabilities to deliver and demonstrate your GDPR compliance.
GDPR: IBM’s Proposal
Characteristics of the implementation approach
Understand your data
• Define the data-privacy-relevant data as part of the implementation. Key questions to be answered are:
– What data do we have?
– Where does it reside?
– Do we need the data for service delivery, or do we need consent?
– How do we use the data?
– Did we already obtain consent to use the data?
– What data retention and access rules apply?
• Apply Data Governance principles by defining data owners and governance processes, BUT only for DP-relevant data
• Align to MDM for client implementations where possible
Prioritize
• Implement controls in order of GDPR risk assessment
• Create an inventory of the relevant data sets in the organization and prioritize
• Implement following the priorities high => medium => low
• Use an agile approach to allow for changes in prioritizations
• Focus on compliance risk, not on completeness or perfection
Optimize as you go
• Develop a solid foundation for optimization after May 2018
• Add technical capabilities (e.g. new connector types and processing power) in the architecture as you go
• Build your maintenance organization while implementing; transfer knowledge and skills from IBM to the AXA organization
• Re-use components to the max
References and Contacts
• GDPR Regulation
– https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
– https://www.ibm.com/analytics/us/en/technology/general-data-protection-regulation
– http://ec.europa.eu/justice/data-protection/reform/index_en.htm
• IBM France GDPR Proof Of Technology
– http://www-05.ibm.com/fr/events/tec/new/MCHR-AHKCEJ.html
• IBM Technical Expert Council France
– @ibmtecf
– https://www.linkedin.com/groups/8457887

GDPR what you should know and how to minimize impact on your business

  • 1. GDPR General Data Protection Regulation Olivier Barrot IBM Client Technical Advisor olivier.barrot@fr.ibm.com @olivierbarrot olivier barrot
  • 2. © 2017 IBM Corporation • Most significant change in data privacy law in the past 20 years • Replaces the 1995 EU Data Directive • Inspired by Charter of Fundamental Rights of the European Union - Articles 7 (respect for private and family life) and 8 (protection of personal data) • Aim is to have a harmonized, unified data protection law framework for all EU countries • No longer a Directive but a Regulation • Not a one-time effort but a multi-year journey with regular assessment checks GDPR: Introduction Published June 2016 Applicable May 2018 24monthstoprepare We are here Non-compliance?
  • 3. © 2017 IBM Corporation In the Digital Single Market Facilitate Free Flow of Data With Emerging Technologies Modernize the Law Data Protection Rights of EU Data Subjects Reinforce & Enhance GDPR: What you need to know Extra-territorial, applies to organisations outside the EU processing EU data subjects’ personal data with obligations not just on Controllers but now also on Processors Requires the appointment of mandatory Data Protection Officers Defines what constitutes personal, directly or indirectly identifiable data, such as online identifiers, IP addresses and location data Will fundamentally change the way organisations must protect, govern and manage their structured and unstructured data
  • 4. © 2017 IBM Corporation GDPR issues: What we have seen so far Data retention, storage and security Designation of main establishment Vendor management and outsourcing Processing of personal data in the employment context and potential member state variations IT system capabilities, integrity and functionality, particularly to enable data subject rights Costs to business of free subject access requests Development of digital products and services Processing of data relating to criminal offences or convictions Uncertainty around data transfer mechanisms Engagement with industry associations and advocacy Data protection by design and default Responding to breaches within time limits Designation and tasks of the Data Protection Officer Consent and other lawful grounds for processing Data transfers to third country authorities (“anti-FISA clause”)
  • 5. © 2017 IBM Corporation Evolution of Compliance GDPR Policy Procedures and Organisation Training and Communication DPO Board of Directors GDPR Compliance Business IT Department CMO DHR CIO SR GDPR: Who is concerned? Program Stakeholders Communication Collaboration Coordination LEGAL CRO Data Management and BigData architecture teams CIL CDO
  • 6. © 2017 IBM Corporation • Customer’s consent is required when transferring personal data to another country. • Access to personal data from another country is considered a transfer of personal data • An EU Model Clause Agreement is generally needed when the transfer is to a non EU/EEA-country (i.e. a third country) • Transfer of personal data to the US NOT allowed under a Safe Harbor certification ANY LONGER GDPR: Hosting & Cloud impacts
  • 7. © 2017 IBM Corporation Supporting software and assets Sensitive & Personal Data discovery Data LifeCycle Governance and Protection consent, encryption, masking, deletion, etc. General Data Protection Regulation Where are the major risks What actions to be taken Where to start Operational Methodology to compliance Flash audit to do the GDPR diagnostic Build the roadmap to compliance Privacy Impact Assessment (PIA) IT systems transformation Regulation 2018 GDPR: Why IBM? An end-to-end value proposition: consulting, technology assets and industrialization
  • 8. © 2017 IBM Corporation Major regulatory compliance areas and actions to be prioritized Need to demonstrate compliance with the principles relating to the personal data processing that pervades the GDPR Actions: Consider how compliance is proven, including data protection privacy impact assessments, codes of conduct, governance and certification Processing is only lawful if there is one of the following: consent, necessity, legal obligation, protection, public interest, official authority or legitimate interest Actions: Keep data subjects informed; manage requests in a transparent, efficient and effective manner; consider appointing a DPO Data controllers and processors must implement technical and organisational measures that demonstrate compliance with the GDPR core principles Actions: Permeate system development, maintenance and hosting practices with privacy principles; demonstrate adherence and data lineage Provide for enhanced rights for data subjects in the EU including erasure, access and portability Actions: Keep record of structured and unstructured personal data; enable execution of citizen rights amongst which to understand, access, amend, object, and export personal data Need to ensure a level of security appropriate to the risk, including 72H high risk breach reporting Action: Implement and demonstrate adequate internal and external IT- and physical defences and restrictions to reduce data privacy and security risks, including data minimisation, pseudonymisation [GDPR term] and encryption techniques Design and Default Rights of EU Data Subjects Security of Personal Data Lawfulness and Consent Accountabili ty of Compliance GDPR: IBM’s vision Lawfulness and Consent Design and Default Rights of EU Data Subjects Lawfulness and Consent Accountability of Compliance Security of Personal Data
  • 9. © 2017 IBM Corporation IBM’s five layer model for GDPR GDPR: IBM’s vision IBM has clustered GDPR activities across five layers, thereby covering the whole spectrum of GDPR: • GDPR governance, covering amongst others legal assessment, third party management and risk and compliance • People and Communications, covering employee awareness and training, and internal and external communication • Processes, covering the GDPR readiness of HR, CRM and other business processes • Data, covering personal data life cycle management and citizen interaction • Security, covering breach prevention and management and other digital security measures BusinessIT
  • 10. © 2017 IBM Corporation Business Capability Reference Architecture Governance People & Communications Data Security Processes Roles & Responsibility Management Training & Certification Communication Management Monitor Communication s Individual PD Records Maintenance “Privacy by Design” Development Rules Execution Workflow Management Catalogue Lifecycle Management Archiving (Minimisation) Data Disposal (Minimisation) Data Lifecycle Monitoring (Minimisation) Policies & Measures Management Regulations & Requirements Management DP Governance Third Parties Management Reqs & Controls Monitoring Compliance Demonstration DP Strategy & Risks Assessment Access Control Breach Prevention & Management Security Monitoring Vulnerabilities Assessment& Mitigation Citizen Interaction Center Forensics Automated Decision making Information PD Rights execution Information & Notice Delivery Complaints Registration Citizen Identification Data Management PD Taxonomy Consent Management Breach Notification PD Purpose Register Metadata Identification Metadata Classification Data Lineage Individual PD Identification Individual PD Classification Data Desensitizing (Minimisation) Data Management Assurance Data Quality Data Dictionary Data Processing Monitoring Rules Definition Notice Management PD Record Processing Data Source Discovery Data Masking (Minimisation) Business focus IT focus Security focus GDPR: IBM’s vision
  • 11. © 2017 IBM Corporation Data Catalogue Lifecycle Management Citizen Interaction CenterData Management IBM software components and services mapping Governance People & Communications Security Processes Roles & Responsibility Management Training & Certification Communication Management Monitor Communication s Individual PD Records Maintenance “Privacy by Design” Development Rules Execution Workflow Management Archiving (Minimisation) Data Disposal (Minimisation) Data Lifecycle Monitoring (Minimisation) Policies & Measures Management DP Governance Third Parties Management Reqs & Controls Monitoring Compliance Demonstration Access Control Breach Prevention & Management Security Monitoring Forensics Automated Decision making Information PD Rights execution Consent Management Breach Notification PD Taxonomy PD Purpose Register Metadata Identification Metadata Classification Data Lineage Individual PD Identification Individual PD Classification Data Desensitizing (Minimisation) Data Quality Data Dictionary Data Processing Monitoring Rules Definition Notice Management PD Record Processing Data Source Discovery Data Masking (Minimisation) IBM Software components Expertise / Consulting Optim IER Research Asset Resilient Change Mgt / Process reengineering / Training Consulting Vulnerabilities Assessment& Mitigation Data Management Assurance Consulting Consultin g DP Strategy & Risks Assessment Regulations & Requirements Management Consulting Information Analyzer Guardium DE Case Manager Information & Notice Delivery Complaints Registration Citizen Identification Devt Expertise Case Manager Consulting Information Analyzer StoredIQ Guardium DP Information Governance Catalog Program Mgt + Consulting Open PagesRC Analytics Optim Guardium DP Identity Gov. Intel. Sec. Access Mgr QRadarGuardium VA+DP QRadar i2 GDPR Operational implementation
  • 12. © 2017 IBM Corporation IBM Case Manager GDPR: IBM SW Solutions Framework IBM Technology overview Dynamic Policy Management: Define what, why, how long Data Infrastructure: Control use, align cost to value Implementation Services: Distribute policies to data sources Data Management Email Servers User Devices & File SharesECM & Collaboration Archive Platform Master Data Cloud & Social Databases & Data Warehouse Hadoop Platform Lawfulness and Consent Design and Default Rights of EU Data Subjects Lawfulness and Consent Accountability of Compliance Security of Personal Data P o l i c i e s R u l e s A u d i t P r o c e s s e s An a l y s e s Security&ComplianceMonitoring InfoSphereIBM Atlas Optim
  • 13. © 2017 IBM Corporation GDPR Operational implementation – Major IT workstreams and IBM solutions
    – GDPR pillars: Design and Default; Rights of EU Data Subjects; Lawfulness and Consent; Accountability of Compliance; Security of Personal Data
    – Assessment and trajectory: GDPR Assessment (Gap Analysis); GDPR Trajectory; Review of Design principles
    – Personal Data inventory: Unstructured data Exploration; Structured data Exploration (Guardium DP, Info Analyzer)
    – Business Processes, Accountability and Legal workstreams: Policies, Rules and Definitions; Consent / Explicit Consent Management / RTBF; Rights of Restitution / Transfer / Rectification; Archival / Deletion / Quarantine; Incidents Management / Data breach
    – Data Security and Protection workstreams: Privacy by Design / Privacy by Default; IT Operational Security; Files encryption; Anonymization / Data Masking; Operational Data Protection; Users and administrators Activity monitoring; Minimization of personal data used and stored by applications
    – Scope: Applications; Data Repositories; Infrastructure and Devices (Guardium VA, BigFix / MaaS360)
    – IBM solutions named on the slide: StoredIQ; QRadar; Atlas; Guardium VA; Guardium DP; Guardium DE; Optim; Optim DP; Case Manager; Resilient; Identity Governance & Intelligence; AppScan; Info Analyzer; BigFix / MaaS360
  • 14. © 2017 IBM Corporation GDPR in practice – Data Governance & Security tooling contribution to Compliance by capability
    – Layers: Governance Layer (Metadata & Policy Mgmt; Compliance Mgmt); Data Management Layer (Info Lifecycle Mgmt); Compliance & Security Layer (Security & Privacy; Info Gov Utility Services; Subject Rights Mgmt)
    – Capabilities: Data Discovery & Classification; Data & Policy Governance; Masking & Encryption; Retention & Disposal; DB & File Activity Monitoring; Dynamic blocking; Identity & Access Mgmt; Incidents correlation & identification; Security Incidents Mgmt & Reporting
    – Inputs: Sensitive data; Users Activity; Vulnerabilities (Databases, Apps, Infrastructure)
    – Stakeholders: CISO, DPO, CPO; Group Compliance; Legal; DBA
  • 15. © 2017 IBM Corporation GDPR in practice – Data Governance & Security tooling contribution to Compliance by capability (same capability map as slide 14, with IBM products overlaid)
    – Layers: Governance Layer (Metadata & Policy Mgmt; Compliance Mgmt); Data Management Layer (Info Lifecycle Mgmt); Compliance & Security Layer (Security & Privacy; Info Gov Utility Services; Subject Rights Mgmt)
    – Capabilities: Data Discovery & Classification; Data & Policy Governance; Masking & Encryption; Retention & Disposal; DB & File Activity Monitoring; Dynamic blocking; Identity & Access Mgmt; Incidents correlation & identification; Security Incidents Mgmt & Reporting
    – Inputs: Sensitive data; Users Activity; Vulnerabilities (Databases, Apps, Infrastructure)
    – Stakeholders: CISO, DPO, CPO; Group Compliance; Legal; DBA
    – IBM products overlaid: Information Governance Catalog; Atlas; Information Analyzer; AppScan; BigFix / MaaS360; Identity Governance Intelligence
  • 16. © 2017 IBM Corporation GDPR: IBM’s Proposal – GDPR Timeline
    IBM helps clients define their roadmap for compliance and supports the implementation programme until 2018 and beyond…
    – Now / Diagnose (2H 2016): Legal review; Identify gaps; Impact analysis. Many firms are currently working through the legal interpretation. IBM can support the gap and impact analysis.
    – Define, Design and build (2017): Governance; People & Communications; Process; Data; Security. IBM can speed up your deployment programme at a reduced cost by bringing GDPR solutions, tools and accelerators across the full spectrum of your needs.
    – Deliver and Demonstrate (1H 2018, by May 2018): Test & Assure; Deploy to production; Demonstrate compliance (ongoing). IBM can provide the capabilities to deliver and demonstrate your GDPR compliance.
  • 17. © 2017 IBM Corporation GDPR: IBM’s Proposal – Characteristics of the implementation approach
    – Understand your data: define the data privacy relevant data as part of the implementation. Key questions to be answered are: What data do we have? Where does it reside? Do we need the data for service delivery, or do we need consent? How do we use the data? Did we already obtain consent to use the data? What data retention and access rules apply? Apply Data Governance principles by defining data owners and governance processes, BUT only for DP relevant data. Align to MDM for client implementations where possible.
    – Prioritize: implement controls in order of GDPR risk assessment. Create an inventory of the relevant data sets in the organization and prioritize. Implement following the priorities high => medium => low. Use an agile approach to allow for changes in prioritization. Focus on compliance risk, not on completeness or perfection.
    – Optimize as you go: develop a solid foundation for optimization after May 2018. Add technical capabilities (e.g. new connector types and processing power) to the architecture as you go. Build your maintenance organization while implementing; transfer knowledge and skills from IBM to the AXA organization. Re-use components to the max.
  • 18. © 2017 IBM Corporation References and Contacts
    • GDPR Regulation
      – https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
      – https://www.ibm.com/analytics/us/en/technology/general-data-protection-regulation
      – http://ec.europa.eu/justice/data-protection/reform/index_en.htm
    • IBM France GDPR Proof Of Technology
      – http://www-05.ibm.com/fr/events/tec/new/MCHR-AHKCEJ.html
    • IBM Technical Expert Council France
      – @ibmtecf
      – https://www.linkedin.com/groups/8457887