EU GENERAL DATA
PROTECTION REGULATION
(GDPR)
TERADATA APPROACH
AGENDA
Services to assist as you prepare for GDPR
– Stage 1: Risk Assessment
Automation to inform your DPIA (Data
Protection Impact Assessment)
– Stage 2: Remediation
Re-use of automation to identify candidates for
minimisation and data quality repair
– Stage 3: Monitor
Re-use of automation to inform SAR (Subject
Access Rights) processing and breach
management
GDPR COMPLIANCE
Supported by central automation for GDPR
governance across IT platforms
Consortium: Legal focus accelerated by automation
ASSESSMENT
Collect evidence
Build initial DPIA
40 DAYS
1
REMEDIATION
Accelerated change
programme
Finalise DPIA
2-6 MONTHS
2
[OPTIONAL]
LEGAL OPINION
[OPTIONAL]
LEGAL
CERTIFICATION
ONGOING
3
MONITOR
Operate GDPR
Compliant business
GDPR CHALLENGES NEED
A COMBINATION OF SKILLS
Our automation to inform your Data Protection Impact
Assessment (DPIA), supporting your in-house Risk
Assessment with verifiable EVIDENCE
*Informed by
Teradata
automation
STAGE 1: ASSESSMENT WORKSHOP
UNDERSTAND SCOPE OF IN-HOUSE GDPR PROGRAMME & HOW WE CAN ASSIST
ASSESS WHETHER TERADATA INFOSEC SHOULD
ENGAGE TO ASSIST IN-HOUSE INFOSEC TEAM e.g.
ENCRYPTION/OBFUSCATION AND PHYSICAL
ASSESS HOW GDPR CAN BUILD CROSS-PLATFORM
DATA LINEAGE & ACCESS MAPS TO INFORM DPIA
ACCORDING TO RISK PRIORITY DEFINED BY CLIENT
ASSESS HOW GDPR ASSIST CAN INFORM WHICH
USER/DEPT/TOOL ACCESSES PRIVATE DATA.
ASSESS HOW GDPR ASSIST CAN INFORM SARs
ASSESS HOW GDPR ASSIST CAN INFORM THE
IMPACT ASSESSMENT OF A BREACH e.g.
CONSIDER WHICH PRIVATE DATA IS POTENTIALLY
AT RISK
ASSESS HOW GDPR ASSIST CAN INFORM DPIA BY
IDENTIFICATION OF WHO ACCESSES PRIVATE
DATA
UNDERSTAND OBJECTIVES (REVENUE PILLARS or
SERVICE LINES) & FUNCTIONS. UNDERSTAND
ORGANISATION & 3rd PARTY DEPENDENCIES
ASSESS HOW GDPR ASSIST CAN INFORM WHERE
PRIVATE DATA IS HELD. CHECK LEGACY
PLATFORMS ARE FEASIBLE FOR REMEDIATION [OR
CONVERSION]
OBJECTIVES &
STAKEHOLDERS
ASSESS HOW GDPR ASSIST CAN CREATE DATA
LINEAGE & USAGE MAPS TO INFORM DPIA RE USE
OF PRIVATE DATA BY BUSINESS PROCESSES
BUSINESS PROCESSES
BREACH PROCESSING
GDPR GOVERNANCE
IT ESTATE
DATA SECURITY
FIND PRIVATE DATA
PEOPLE
UNDERSTAND GDPR PROGRAMME SCOPE &
ORGANISATION. ROADMAP & STATUS. ASSESS
FEASIBILITY OF DPIA TIMELINE
GDPR PROGRAMME &
ORGANISATION
UNDERSTAND HOW SCOPE & EXPIRY OF
CONSENTS FOR LEGAL USE-CASES IS MANAGED
– HOW WE ACCESS THIS FOR GDPR ASSIST
T&Cs / CONSENTS
For PRODUCTS & SERVICES
UNDERSTAND HOW COMFORTABLE
STAKEHOLDERS ARE WITH LEGAL AND RISK
ASSESSMENTS, MAKE SPECIALIST REFERRALS
TO ASSIST UPON REQUEST
LEGAL & RISK ASSESSMENT
ACCELERATED BY AUTOMATION
A recent example…
GDPR scope is complex, it cannot be done manually.
STAGE 1:
Our GDPR approach automates the collection of
accurate evidence to inform the DPIA
How? It ingests metadata
“footprints in the sand” that were written each time
data was processed by your IT systems
30m+ Customers
6 Primary Customer Channels
3,000 Branches, 8,000 ATMs
19 PB Data
17 Datacentres & 236 Tech Rooms
3,900 Business Apps
15,000 Point to Point Integrations
20,000 Servers
The alternative? Manual data surveys/DPIAs give a
“best guess”, no verifiable evidence
They are expensive, they divert key staff from day job
. . . And they are soon out of date
MANUAL VERSUS
AUTOMATION EXAMPLE
Tier 1 Global Bank using their SI Partner
MANUAL
APPROACH
AUTOMATED
APPROACH
MANUAL
APPROACH
The Bank had worked for 7 months to
manually document source to target data
lineage for a business process.
MANUAL
ANSWER
The business process stated only five
databases used, these were all on a
Teradata platform. Insufficient time to
attempt to identify who accessed which
data or assess data quality.
MONTHS
AUTOMATED
APPROACH
WEEKS
In 4 weeks Teradata published source to target
data lineage that identified how the business
process accessed data from 74 databases on
multiple platforms (Teradata, MS SQL
Server/SSIS, Oracle, into Excel) then data went
back onto Teradata for reporting
AUTO
ANSWER
Multi-platform source to target lineage across
74 Databases. Data usage mapped to lineage. Data
transformations identified.
OUTCOME
Bank verified accuracy of lineage, then remediated
[minimisation] to remove >30% of data and redirect users to
accurate data
Reduced TCO because Bank does not populate/support all of
that legacy data
… and now they run refreshes to keep everything up to date
GDPR ASSIST COSTING
EXAMPLE BASED ON PRIOR CASES
GDPR ASSIST SERVICE | RESULTS | DURATION | CHARGE
Setup and populate an automated portal to inform the DPIA for priority risk areas | Data Lineage & Data Usage & Candidates for Minimisation | 30 days Hosted Sprint | £75,000
Populate portal for remaining risk areas | Data Lineage & Data Usage & Candidates for Minimisation | 60 days Hosted Sprint | £150,000
Monthly hosting and licensing of automated portal to inform the DPIA. (max 5 concurrent users) | Data Lineage & Data Usage, Candidates for Minimisation | Min 3 months. 30 days notice to cancel | £8,800/month
STAGE 1: AUTOMATION TO COLLECT
EVIDENCE AND POPULATE DPIA
PRODUCER
HOW DATA FLOWS ACROSS THE
COMPLEX ECOSYSTEM
How is it accurate? How should
it reconcile?
Where does my data come from?
How is it transformed?
CONSUMER
HOW DATA IS ACCESSED
Fingerprinting to group data into
subject areas.
Show who uses different versions of a
business metric . . .
Inform DATA ACCURACY & DATA
MINIMISATION
PRODUCER & CONSUMER combine to
give accurate evidence to help you to
quantify risk & decide on appropriate
governance
EXAMPLE ROADMAP FOR
GDPR READINESS
ASSESSMENT
1
REMEDIATION
2
MONITOR
3
40 DAYS MONTH M MONTH M +1 MONTH M +2 ON GOING
CENTRAL REPOSITORY – METADATA DRIVEN
Transparency created by GDPR Assist for multiple platforms
Remediate high risks
Incremental sprints remediate low risk
Monitor high risks
Monitor low risk
OPTIONAL LEGAL OPINION
OPTIONAL LEGAL CERTIFICATION
High risk areas
covered first
Incremental sprints cover low risk
UK REGULATOR’S GUIDANCE
TO PREPARE FOR GDPR
Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now (ICO)
AWARENESS
You should make sure that decision makers and
key people in your organisation are aware that
the law is changing to the
GDPR. They need to appreciate the
impact this is likely to have.
SUBJECT ACCESS REQUESTS
You should update your procedures and plan
how you will handle requests within the new
timescales and provide any additional
information.
DATA BREACHES
You should make sure you have the right
procedures in place to detect, report and
investigate a personal data breach.
INFORMATION YOU HOLD
You should document what personal data you
hold, where it came from and who you share it
with. You may need to organise an information
audit.
LEGAL BASIS FOR
PROCESSING PERSONAL DATA
DATA PROTECTION BY DESIGN
AND IMPACT ASSESSMENTS
You should familiarise yourself now with the
guidance the ICO has produced on Privacy
Impact Assessments and work out how and
when to implement them in your organisation.
You should document what personal data you
hold, where it came from and who you share it
with. You may need to organise an information
audit.
COMMUNICATING
PRIVACY INFORMATION
You should review your current privacy notices
and put a plan in place for making any necessary
changes in time for GDPR implementation.
CONSENT
You should review how you are seeking,
obtaining and recording consent and whether
you need to make any changes.
DATA PROTECTION OFFICERS
You should designate a Data Protection Officer,
if required, or someone to take responsibility for
data protection
compliance and assess where this role will
sit within your organisation’s structure and
governance arrangements.
INDIVIDUALS’ RIGHTS
You should check your procedures to ensure
they cover all the rights individuals have,
including how you would delete personal data or
provide data electronically and in a commonly
used format.
CHILDREN
You should start thinking now about putting
systems in place to verify individuals’ ages and to
gather parental or guardian consent for the data
processing activity.
INTERNATIONAL
If your organisation operates internationally, you
should determine which data
protection supervisory authority you
come under.
AWARENESS
GDPR Assist identifies who accesses which
private data, how often, tools etc. Ensure that
these people are included in awareness plans.
SUBJECT ACCESS REQUESTS
GDPR Assist identifies where private data is held
across all technologies, it manages Subject
Access Requests [portability, right to be
forgotten, accuracy challenge], and identifies
who to notify within GDPR breach notification
timescales [72 hours.]
DATA BREACHES
GDPR Assist identifies where private data is held
and used across all technologies. This informs
reporting of a personal data breach within the
72-hour timescale.
INFORMATION YOU HOLD
GDPR Assist identifies what personal data you
hold, where it came from [including lineage] and
the apps and users who see it [usage].
LEGAL BASIS FOR
PROCESSING PERSONAL DATA
DATA PROTECTION BY DESIGN
AND IMPACT ASSESSMENTS
GDPR Assist identifies where private data is
held, processed and accessed, including lineage
and in-flight transformations. GDPR automation
keeps the DPIA accurate/current.
GDPR Assist identifies where personal data is
processed and used, including lineage and in-
flight transformations.
COMMUNICATING
PRIVACY INFORMATION
GDPR Assist shows how users and apps access
private data so appropriate privacy notices can
be put in place at all access points.
CONSENT
GDPR Assist identifies where private data is held
across all technologies. It informs where
consents are required or have expired.
DATA PROTECTION OFFICERS
GDPR Assist provides accurate timely facts to
support the Data Protection Officer and
governance teams.
INDIVIDUALS’ RIGHTS
GDPR Assist identifies where private data is held
across all technologies, manages Subject
Access Requests [portability, right to be
forgotten, accuracy challenge], and identifies
who to notify within GDPR breach notification
timescales [72 hours].
CHILDREN
GDPR Assist identifies where private data on
children is held, across all technologies. This
informs where all ages should be verified and
parental consent is required.
INTERNATIONAL
If your organisation operates internationally, you
should determine which data
protection supervisory authority you
come under.
AWARENESS
GDPR Assist identifies who accesses which
private data, how often, tools etc. Ensure that
these people are included in awareness plans.
SUBJECT ACCESS REQUESTS
GDPR Assist identifies where private data is held
across all technologies, manages Subject
Access Requests [portability, right to be
forgotten, accuracy challenge], and identifies
who to notify within GDPR breach notification
timescales [72 hours].
DATA BREACHES
GDPR Assist identifies where private data is held
and used across all technologies. This informs
reporting of a personal data breach within the
72-hour timescale.
INFORMATION YOU HOLD
GDPR Assist identifies what personal data you
hold, where it came from [including lineage] and
the apps and users who see it [usage].
LEGAL BASIS FOR
PROCESSING PERSONAL DATA
DATA PROTECTION BY DESIGN
AND IMPACT ASSESSMENTS
GDPR Assist identifies where private data is
held, processed and accessed, including lineage
and in-flight transformations. GDPR automation
keeps the DPIA accurate/current.
GDPR Assist identifies where personal data is
processed and used, including lineage and in-
flight transformations.
COMMUNICATING
PRIVACY INFORMATION
GDPR Assist shows how users and apps access
private data so appropriate privacy notices can
be put in place at all access points.
CONSENT
GDPR Assist identifies where private data is held
across all technologies. It informs where
consents are required or have expired.
DATA PROTECTION OFFICERS
GDPR Assist provides accurate timely facts to
support the Data Protection Officer and
governance teams.
INDIVIDUALS’ RIGHTS
GDPR Assist identifies where private data is held
across all technologies, manages Subject
Access Requests [portability, right to be
forgotten, accuracy challenge], and identifies
who to notify within GDPR breach notification
timescales [72 hours].
CHILDREN
GDPR Assist identifies where private data on
children is held, across all technologies. This
informs where all ages should be verified and
parental consent is required.
INTERNATIONAL
GDPR Assist identifies where personal data is
held and accessed allowing you to identify data
movements.
NEXT STEPS
GDPR FREE PLANNING WORKSHOP: 2 HOURS
1. Assess Client’s current GDPR roadmap & status
2. Identify areas where Client seeks Teradata services to inform DPIA using automation
3. Identify areas where Client requests introductions to specialist legal/business services to augment in-house capabilities
4. Following that workshop we will provide a quotation and Statement of Work for automation to inform the DPIA, based upon agreed scope e.g. Lines of Business or Data Scope
GDPR AUTOMATION SERVICES TO INFORM DPIA
1. Prior to commencement of first automation sprint Teradata will provide metadata extract scripts for Client to execute
2. Teradata will then ingest the metadata into our secure hosted service (or on premises) and deliver the 1 month automation to inform the DPIA
3. Week 2: Mid-Point Workshop. Demonstrate initial results of automation
4. Week 4: Final Workshop and Client training to use portal for insights to inform DPIA
Teradata's approach to addressing GDPR


  • 1. EU GENERAL DATA PROTECTION REGULATION (GDPR) TERADATA APPROACH
  • 2. AGENDA Services to assist as you prepare for GDPR – Stage 1: Risk Assessment Automation to inform your DPIA (Data Protection Impact Assessment) – Stage 2: Remediation Re-use of automation to identify candidates for minimisation and data quality repair – Stage 3: Monitor Re-use of automation to inform SAR (Subject Access Rights) processing and breach management
  • 3. GDPR COMPLIANCE Supported by central automation for GDPR governance across IT platforms Consortium: Legal focus accelerated by automation ASSESSMENT Collect evidence Build initial DPIA 40 DAYS 1
  • 4. ASSESSMENT Collect evidence Build initial DPIA 40 DAYS 1 REMEDIATION Accelerated change programme Finalise DPIA 2-6 MONTHS 2 [OPTIONAL] LEGAL OPINION
  • 5. ASSESSMENT Collect evidence Build initial DPIA 40 DAYS 1 [OPTIONAL] LEGAL CERTIFICATION REMEDIATION Accelerated change programme Finalise DPIA 2-6 MONTHS 2 ONGOING 3 MONITOR Operate GDPR Compliant business [OPTIONAL] LEGAL OPINION
  • 6. REMEDIATION Accelerated change programme Finalise DPIA 2-6 MONTHS 2 ONGOING 3 MONITOR Operate GDPR Compliant business ASSESSMENT Collect evidence Build initial DPIA 40 DAYS 1 [OPTIONAL] LEGAL CERTIFICATION [OPTIONAL] LEGAL OPINION
  • 8. GDPR CHALLENGES NEED A COMBINATION OF SKILLS Our automation to inform your Data Protection Impact Assessment (DPIA), supporting your in-house Risk Assessment with verifiable EVIDENCE
  • 9. *Informed by Teradata automation STAGE 1: ASSESSMENT WORKSHOP UNDERSTAND SCOPE OF IN-HOUSE GDPR PROGRAMME & HOW WE CAN ASSIST ASSESS WHETHER TERADATA INFOSEC SHOULD ENGAGE TO ASSIST IN-HOUSE INFOSEC TEAM e.g. ENCRYPTION/OBFUSCATION AND PHYSICAL ASSESS HOW GDPR CAN BUILD CROSS-PLATFORM DATA LINEAGE & ACCESS MAPS TO INFORM DPIA ACCORDING TO RISK PRIORITY DEFINED BY CLIENT ASSESS HOW GDPR ASSIST CAN INFORM WHICH USER/DEPT/TOOL ACCESSES PRIVATE DATA. ASSESS HOW GDPR ASSIST CAN INFORM SARs ASSESS HOW GDPR ASSIST CAN INFORM THE IMPACT ASSESSMENT OF A BREACH e.g. CONSIDER WHICH PRIVATE DATA IS POTENTIALLY AT RISK ASSESS HOW GDPR ASSIST CAN INFORM DPIA BY IDENTIFICATION OF WHO ACCESSES PRIVATE DATA UNDERSTAND OBJECTIVES (REVENUE PILLARS or SERVICE LINES) & FUNCTIONS. UNDERSTAND ORGANISATION & 3rd PARTY DEPENDENCIES ASSESS HOW GDPR ASSIST CAN INFORM WHERE PRIVATE DATA IS HELD. CHECK LEGACY PLATFORMS ARE FEASIBLE FOR REMEDIATION [OR CONVERSION] OBJECTIVES & STAKEHOLDERS ASSESS HOW GDPR ASSIST CAN CREATE DATA LINEAGE & USAGE MAPS TO INFORM DPIA RE USE OF PRIVATE DATA BY BUSINESS PROCESSES BUSINESS PROCESSES BREACH PROCESSING GDPR GOVERNANCE IT ESTATE DATA SECURITY * * * FIND PRIVATE DATA * PEOPLE * UNDERSTAND GDPR PROGRAMME SCOPE & ORGANISATION. ROADMAP & STATUS. ASSESS FEASIBILITY OF DPIA TIMELINE GDPR PROGRAMME & ORGANISATION UNDERSTAND HOW SCOPE & EXPIRY OF CONSENTS FOR LEGAL USE-CASES IS MANAGED – HOW WE ACCESS THIS FOR GDPR ASSIST T&Cs / CONSENTS For PRODUCTS & SERVICES * * UNDERSTAND HOW COMFORTABLE STAKEHOLDERS ARE WITH LEGAL AND RISK ASSESSMENTS, MAKE SPECIALIST REFERRALS TO ASSIST UPON REQUEST LEGAL & RISK ASSESSMENT
  • 10. ACCELERATED BY AUTOMATION A recent example… GDPR scope is complex, it cannot be done manually. STAGE 1:
  • 11. ACCELERATED BY AUTOMATION A recent example… GDPR scope is complex, it cannot be done manually. STAGE 1:
  • 12. Our GDPR approach automates the collection of accurate evidence to inform the DPIA How? It ingests metadata “footprints in the sand” that were written each time data was processed by your IT systems 30m+ Customers 6 Primary Customer Channels 3,000 Branches, 8,000 ATMs 19 PB Data 17 Datacentres & 236 Tech Rooms 3,900 Business Apps 15,000 Point to Point Integrations 20,000 Servers The alternative? Manual data surveys/DPIAs give a “best guess”, no verifiable evidence They are expensive, they divert key staff from day job . . . And they are soon out of date
  • 13. MANUAL VERSUS AUTOMATION EXAMPLE Tier 1 Global Bank using their SI Partner
  • 16. MANUAL APPROACH The Bank had worked for 7 months to manually document source to target data lineage for a business process. MANUAL ANSWER The business process stated only five databases used, these were all on a Teradata platform. Insufficient time to attempt to identify who accessed which data or assess data quality. MONTHS
  • 17. MANUAL APPROACH The Bank had worked for 7 months to manually document source to target data lineage for a business process. MANUAL ANSWER The business process stated only five databases used, these were all on a Teradata platform. Insufficient time to attempt to identify who accessed which data or assess data quality. MONTHS
  • 18. AUTOMATED APPROACH WEEKS In 4 weeks Teradata published source to target data lineage that identified how the business process accessed data from 74 databases on multiple platforms (Teradata, MS SQL Server/SSIS, Oracle, into Excel) then data went back onto Teradata for reporting AUTO ANSWER Multi-platform source to target lineage across 74 Databases. Data usage mapped to lineage. Data transformations identified.
  • 19. OUTCOME Bank verified accuracy of lineage, then remediated [minimisation] to remove >30% of data and redirect users to accurate data Reduced TCO because Bank does not populate/support all of that legacy data … and now they run refreshes to keep everything up to date
  • 20. GDPR ASSIST COSTING EXAMPLE BASED ON PRIOR CASES
  • 21. GDPR ASSIST SERVICE RESULTS DURATION CHARGE Setup and populate an automated portal to inform the DPIA for priority risk areas Data Lineage & Data Usage & Candidates for Minimisation 30 days Hosted Sprint £75,000 Populate portal for remaining risk areas Data Lineage & Data Usage & Candidates for Minimisation 60 days Hosted Sprint £150,000 Monthly hosting and licensing of automated portal to inform the DPIA. (max 5 concurrent users) Data Lineage & Data Usage, Candidates for Minimisation Min 3 months. 30 days notice to cancel £8,800/month
  • 22. STAGE 1: AUTOMATION TO COLLECT EVIDENCE AND POPULATE DPIA
  • 23. STAGE 1: AUTOMATION TO COLLECT EVIDENCE AND POPULATE DPIA
  • 24. PRODUCER CONSUMER HOW DATA FLOWS ACROSS THE COMPLEX ECOSYSTEM HOW DATA IS ACCESSED
  • 25. CONSUMER HOW DATA IS ACCESSED PRODUCER HOW DATA FLOWS ACROSS THE COMPLEX ECOSYSTEM
  • 26. PRODUCER HOW DATA FLOWS ACROSS THE COMPLEX ECOSYSTEM How is it accurate? How should it reconcile? Where does my data come from? How is it transformed?
  • 27. CONSUMER HOW DATA IS ACCESSED Fingerprinting to group data into subject areas. Show who uses different versions of a business metric . . . Inform DATA ACCURACY & DATA MINIMISATION PRODUCER & CONSUMER combine to give accurate evidence to help you to quantify risk & decide on appropriate governance
  • 29. ASSESSMENT 1 REMEDIATION 2 MONITOR 3 40 DAYS MONTH M MONTH M +1 MONTH M +2 ON GOING CENTRAL REPOSITORY – METADATA DRIVEN Transparency created by GDPR Assist for multiple platforms Remediate high risks Incremental sprints remediate low risk Monitor high risks Monitor low risk OPTIONAL LEGAL OPINION OPTIONAL LEGAL CERTIFICATION High risk areas covered first Incremental sprints cover low risk
  • 30. UK REGULATOR’S GUIDANCE TO PREPARE FOR GDPR Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now ico
  • 31. 1 2 3 4 5 6 7 8 9 10 11 12 AWARENESS You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have. SUBJECT ACCESS REQUESTS You should update your procedures and plan how to you will handle requests within the new timescales and provide any additional information. DATA BREACHES You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. INFORMATION YOU HOLD You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit. LEGAL BASIS FOR PROCESSING PERSONAL DATA DATA PROTECTION BY DESIGN AND IMPACT ASSESSMENTS You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation. You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit. COMMUNICATING PRIVACY INFORMATION You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. CONSENT You should review how you are seeking, obtaining and recording consent and whether you need to make any changes. DATA PROTECTION OFFICERS You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. INDIVIDUALS’ RIGHTS You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. 
CHILDREN You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity. INTERNATIONAL If your organisation operates internationally, you should determine which data protection supervisory authority you come under. ico
  • 32. 1 2 3 4 5 6 7 8 9 10 11 12 AWARENESS GDPR Assist identifies who accesses which private data, how often, tools etc. Ensure that these people are included in awareness plans. SUBJECT ACCESS REQUESTS You should update your procedures and plan how to you will handle requests within the new timescales and provide any additional information. DATA BREACHES You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. INFORMATION YOU HOLD You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit. LEGAL BASIS FOR PROCESSING PERSONAL DATA DATA PROTECTION BY DESIGN AND IMPACT ASSESSMENTS You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation. You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit. COMMUNICATING PRIVACY INFORMATION You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. CONSENT You should review how you are seeking, obtaining and recording consent and whether you need to make any changes. DATA PROTECTION OFFICERS You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. INDIVIDUALS’ RIGHTS You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. CHILDREN You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity. 
INTERNATIONAL If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
  • 33. 1 2 3 4 5 6 7 8 9 10 11 12 AWARENESS GDPR Assist identifies who accesses which private data, how often, tools etc. Ensure that these people are included in awareness plans. SUBJECT ACCESS REQUESTS You should update your procedures and plan how to you will handle requests within the new timescales and provide any additional information. DATA BREACHES You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. INFORMATION YOU HOLD GDPR Assist identifies what personal data you hold, where it came from [including lineage] and the apps and users who see it [usage]. LEGAL BASIS FOR PROCESSING PERSONAL DATA DATA PROTECTION BY DESIGN AND IMPACT ASSESSMENTS You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation. You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit. COMMUNICATING PRIVACY INFORMATION You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. CONSENT You should review how you are seeking, obtaining and recording consent and whether you need to make any changes. DATA PROTECTION OFFICERS You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. INDIVIDUALS’ RIGHTS You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. CHILDREN You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity. 
INTERNATIONAL If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
  • 34. 1 2 3 4 5 6 7 8 9 10 11 12 AWARENESS GDPR Assist identifies who accesses which private data, how often, tools etc. Ensure that these people are included in awareness plans. SUBJECT ACCESS REQUESTS You should update your procedures and plan how to you will handle requests within the new timescales and provide any additional information. DATA BREACHES You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. INFORMATION YOU HOLD GDPR Assist identifies what personal data you hold, where it came from [including lineage] and the apps and users who see it [usage]. LEGAL BASIS FOR PROCESSING PERSONAL DATA DATA PROTECTION BY DESIGN AND IMPACT ASSESSMENTS You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation. You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit. COMMUNICATING PRIVACY INFORMATION GDPR Assist shows how users and apps access private data so appropriate privacy notices can be put in place at all access points. CONSENT You should review how you are seeking, obtaining and recording consent and whether you need to make any changes. DATA PROTECTION OFFICERS You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. INDIVIDUALS’ RIGHTS You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. CHILDREN You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity. 
INTERNATIONAL If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
  • 35. 1 2 3 4 5 6 7 8 9 10 11 12 AWARENESS GDPR Assist identifies who accesses which private data, how often, tools etc. Ensure that these people are included in awareness plans. SUBJECT ACCESS REQUESTS You should update your procedures and plan how to you will handle requests within the new timescales and provide any additional information. DATA BREACHES You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. INFORMATION YOU HOLD GDPR Assist identifies what personal data you hold, where it came from [including lineage] and the apps and users who see it [usage]. LEGAL BASIS FOR PROCESSING PERSONAL DATA DATA PROTECTION BY DESIGN AND IMPACT ASSESSMENTS You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation. You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit. COMMUNICATING PRIVACY INFORMATION GDPR Assist shows how users and apps access private data so appropriate privacy notices can be put in place at all access points. CONSENT You should review how you are seeking, obtaining and recording consent and whether you need to make any changes. DATA PROTECTION OFFICERS You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. INDIVIDUALS’ RIGHTS GDPR Assist identifies where private data is held across all technologies, it manages Subject Access Requests [portability, right to be forgotten, accuracy challenge], and identifies who to notify within GDPR breach notification timescales [72 hours.] 
CHILDREN You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity. INTERNATIONAL If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
  • 36. 1 2 3 4 5 6 7 8 9 10 11 12 AWARENESS GDPR Assist identifies who accesses which private data, how often, tools etc. Ensure that these people are included in awareness plans. SUBJECT ACCESS REQUESTS GDPR Assist identifies where private data is held across all technologies, it manages Subject Access Requests [portability, right to be forgotten, accuracy challenge], and identifies who to notify within GDPR breach notification timescales [72 hours.] DATA BREACHES You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. INFORMATION YOU HOLD GDPR Assist identifies what personal data you hold, where it came from [including lineage] and the apps and users who see it [usage]. LEGAL BASIS FOR PROCESSING PERSONAL DATA DATA PROTECTION BY DESIGN AND IMPACT ASSESSMENTS You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation. You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit. COMMUNICATING PRIVACY INFORMATION GDPR Assist shows how users and apps access private data so appropriate privacy notices can be put in place at all access points. CONSENT You should review how you are seeking, obtaining and recording consent and whether you need to make any changes. DATA PROTECTION OFFICERS You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. INDIVIDUALS’ RIGHTS GDPR Assist identifies where private data is held across all technologies, it manages Subject Access Requests [portability, right to be forgotten, accuracy challenge], and identifies who to notify within GDPR breach notification timescales [72 hours.] 
CHILDREN You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity. INTERNATIONAL If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
  • 37. AWARENESS GDPR Assist identifies who accesses which private data, how often, tools etc. Ensure that these people are included in awareness plans. SUBJECT ACCESS REQUESTS GDPR Assist identifies where private data is held across all technologies, it manages Subject Access Requests [portability, right to be forgotten, accuracy challenge], and identifies who to notify within GDPR breach notification timescales [72 hours]. DATA BREACHES You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. INFORMATION YOU HOLD GDPR Assist identifies what personal data you hold, where it came from [including lineage] and the apps and users who see it [usage]. LEGAL BASIS FOR PROCESSING PERSONAL DATA DATA PROTECTION BY DESIGN AND IMPACT ASSESSMENTS You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation. GDPR Assist identifies where personal data is processed and used, including lineage and in-flight transformations. COMMUNICATING PRIVACY INFORMATION GDPR Assist shows how users and apps access private data so appropriate privacy notices can be put in place at all access points. CONSENT You should review how you are seeking, obtaining and recording consent and whether you need to make any changes. DATA PROTECTION OFFICERS You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. INDIVIDUALS’ RIGHTS GDPR Assist identifies where private data is held across all technologies, it manages Subject Access Requests [portability, right to be forgotten, accuracy challenge], and identifies who to notify within GDPR breach notification timescales [72 hours].
CHILDREN You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity. INTERNATIONAL If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
  • 38. AWARENESS GDPR Assist identifies who accesses which private data, how often, tools etc. Ensure that these people are included in awareness plans. SUBJECT ACCESS REQUESTS GDPR Assist identifies where private data is held across all technologies, it manages Subject Access Requests [portability, right to be forgotten, accuracy challenge], and identifies who to notify within GDPR breach notification timescales [72 hours]. DATA BREACHES You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. INFORMATION YOU HOLD GDPR Assist identifies what personal data you hold, where it came from [including lineage] and the apps and users who see it [usage]. LEGAL BASIS FOR PROCESSING PERSONAL DATA DATA PROTECTION BY DESIGN AND IMPACT ASSESSMENTS You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation. GDPR Assist identifies where personal data is processed and used, including lineage and in-flight transformations. COMMUNICATING PRIVACY INFORMATION GDPR Assist shows how users and apps access private data so appropriate privacy notices can be put in place at all access points. CONSENT GDPR Assist identifies where private data is held across all technologies. It informs where consents are required or have expired. DATA PROTECTION OFFICERS You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. INDIVIDUALS’ RIGHTS GDPR Assist identifies where private data is held across all technologies, it manages Subject Access Requests [portability, right to be forgotten, accuracy challenge], and identifies who to notify within GDPR breach notification timescales [72 hours].
CHILDREN You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity. INTERNATIONAL If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
  • 39. AWARENESS GDPR Assist identifies who accesses which private data, how often, tools etc. Ensure that these people are included in awareness plans. SUBJECT ACCESS REQUESTS GDPR Assist identifies where private data is held across all technologies, it manages Subject Access Requests [portability, right to be forgotten, accuracy challenge], and identifies who to notify within GDPR breach notification timescales [72 hours]. DATA BREACHES You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. INFORMATION YOU HOLD GDPR Assist identifies what personal data you hold, where it came from [including lineage] and the apps and users who see it [usage]. LEGAL BASIS FOR PROCESSING PERSONAL DATA DATA PROTECTION BY DESIGN AND IMPACT ASSESSMENTS You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation. GDPR Assist identifies where personal data is processed and used, including lineage and in-flight transformations. COMMUNICATING PRIVACY INFORMATION GDPR Assist shows how users and apps access private data so appropriate privacy notices can be put in place at all access points. CONSENT GDPR Assist identifies where private data is held across all technologies. It informs where consents are required or have expired. DATA PROTECTION OFFICERS You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. INDIVIDUALS’ RIGHTS GDPR Assist identifies where private data is held across all technologies, it manages Subject Access Requests [portability, right to be forgotten, accuracy challenge], and identifies who to notify within GDPR breach notification timescales [72 hours].
CHILDREN GDPR Assist identifies where private data on children is held, across all technologies. This informs where all ages should be verified and parental consent is required. INTERNATIONAL If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
  • 40. AWARENESS GDPR Assist identifies who accesses which private data, how often, tools etc. Ensure that these people are included in awareness plans. SUBJECT ACCESS REQUESTS GDPR Assist identifies where private data is held across all technologies, it manages Subject Access Requests [portability, right to be forgotten, accuracy challenge], and identifies who to notify within GDPR breach notification timescales [72 hours]. DATA BREACHES GDPR Assist identifies where private data is held and used across all technologies. This informs reporting of a personal data breach within the 72-hour timescale. INFORMATION YOU HOLD GDPR identifies what personal data you hold, where it came from [including lineage] and the apps and users who see it [usage]. LEGAL BASIS FOR PROCESSING PERSONAL DATA DATA PROTECTION BY DESIGN AND IMPACT ASSESSMENTS You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation. GDPR identifies where personal data is processed and used, including lineage and in-flight transformations. COMMUNICATING PRIVACY INFORMATION GDPR Assist shows how users and apps access private data so appropriate privacy notices can be put in place at all access points. CONSENT GDPR Assist identifies where private data is held across all technologies. It informs where consents are required or have expired. DATA PROTECTION OFFICERS You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. INDIVIDUALS’ RIGHTS GDPR Assist identifies where private data is held across all technologies, it manages Subject Access Requests [portability, right to be forgotten, accuracy challenge], and identifies who to notify within GDPR breach notification timescales [72 hours].
CHILDREN GDPR Assist identifies where private data on children is held, across all technologies. This informs where all ages should be verified and parental consent is required. INTERNATIONAL If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
  • 41. AWARENESS GDPR Assist identifies who accesses which private data, how often, tools etc. Ensure that these people are included in awareness plans. SUBJECT ACCESS REQUESTS GDPR Assist identifies where private data is held across all technologies, it manages Subject Access Requests [portability, right to be forgotten, accuracy challenge], and identifies who to notify within GDPR breach notification timescales [72 hours]. DATA BREACHES GDPR Assist identifies where private data is held and used across all technologies. This informs reporting of a personal data breach within the 72-hour timescale. INFORMATION YOU HOLD GDPR Assist identifies what personal data you hold, where it came from [including lineage] and the apps and users who see it [usage]. LEGAL BASIS FOR PROCESSING PERSONAL DATA DATA PROTECTION BY DESIGN AND IMPACT ASSESSMENTS GDPR Assist identifies where private data is held, processed and accessed, including lineage and in-flight transformations. GDPR automation keeps the DPIA accurate/current. GDPR Assist identifies where personal data is processed and used, including lineage and in-flight transformations. COMMUNICATING PRIVACY INFORMATION GDPR Assist shows how users and apps access private data so appropriate privacy notices can be put in place at all access points. CONSENT GDPR Assist identifies where private data is held across all technologies. It informs where consents are required or have expired. DATA PROTECTION OFFICERS You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. INDIVIDUALS’ RIGHTS GDPR Assist identifies where private data is held across all technologies, it manages Subject Access Requests [portability, right to be forgotten, accuracy challenge], and identifies who to notify within GDPR breach notification timescales [72 hours].
CHILDREN GDPR Assist identifies where private data on children is held, across all technologies. This informs where all ages should be verified and parental consent is required. INTERNATIONAL If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
  • 42. AWARENESS GDPR Assist identifies who accesses which private data, how often, tools etc. Ensure that these people are included in awareness plans. SUBJECT ACCESS REQUESTS GDPR Assist identifies where private data is held across all technologies, it manages Subject Access Requests [portability, right to be forgotten, accuracy challenge], and identifies who to notify within GDPR breach notification timescales [72 hours]. DATA BREACHES GDPR Assist identifies where private data is held and used across all technologies. This informs reporting of a personal data breach within the 72-hour timescale. INFORMATION YOU HOLD GDPR Assist identifies what personal data you hold, where it came from [including lineage] and the apps and users who see it [usage]. LEGAL BASIS FOR PROCESSING PERSONAL DATA DATA PROTECTION BY DESIGN AND IMPACT ASSESSMENTS GDPR Assist identifies where private data is held, processed and accessed, including lineage and in-flight transformations. GDPR automation keeps the DPIA accurate/current. GDPR Assist identifies where personal data is processed and used, including lineage and in-flight transformations. COMMUNICATING PRIVACY INFORMATION GDPR Assist shows how users and apps access private data so appropriate privacy notices can be put in place at all access points. CONSENT GDPR Assist identifies where private data is held across all technologies. It informs where consents are required or have expired. DATA PROTECTION OFFICERS GDPR Assist provides accurate timely facts to support the Data Protection Officer and governance teams. INDIVIDUALS’ RIGHTS GDPR Assist identifies where private data is held across all technologies, it manages Subject Access Requests [portability, right to be forgotten, accuracy challenge], and identifies who to notify within GDPR breach notification timescales [72 hours]. CHILDREN GDPR Assist identifies where private data on children is held, across all technologies.
This informs where all ages should be verified and parental consent is required. INTERNATIONAL If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
  • 43. AWARENESS GDPR Assist identifies who accesses which private data, how often, tools etc. Ensure that these people are included in awareness plans. SUBJECT ACCESS REQUESTS GDPR Assist identifies where private data is held across all technologies, it manages Subject Access Requests [portability, right to be forgotten, accuracy challenge], and identifies who to notify within GDPR breach notification timescales [72 hours]. DATA BREACHES GDPR Assist identifies where private data is held and used across all technologies. This informs reporting of a personal data breach within the 72-hour timescale. INFORMATION YOU HOLD GDPR identifies what personal data you hold, where it came from [including lineage] and the apps and users who see it [usage]. LEGAL BASIS FOR PROCESSING PERSONAL DATA DATA PROTECTION BY DESIGN AND IMPACT ASSESSMENTS GDPR Assist identifies where private data is held, processed and accessed, including lineage and in-flight transformations. GDPR automation keeps the DPIA accurate/current. GDPR Assist identifies where personal data is processed and used, including lineage and in-flight transformations. COMMUNICATING PRIVACY INFORMATION GDPR Assist shows how users and apps access private data so appropriate privacy notices can be put in place at all access points. CONSENT GDPR Assist identifies where private data is held across all technologies. It informs where consents are required or have expired. DATA PROTECTION OFFICERS GDPR Assist provides accurate timely facts to support the Data Protection Officer and governance teams. INDIVIDUALS’ RIGHTS GDPR Assist identifies where private data is held across all technologies, it manages Subject Access Requests [portability, right to be forgotten, accuracy challenge], and identifies who to notify within GDPR breach notification timescales [72 hours]. CHILDREN GDPR Assist identifies where private data on children is held, across all technologies.
This informs where all ages should be verified and parental consent is required. INTERNATIONAL GDPR Assist identifies where personal data is held and accessed allowing you to identify data movements.
  • 45. GDPR FREE PLANNING WORKSHOP: 2 HOURS. (1) Assess Client’s current GDPR roadmap & status.
  • 46. GDPR FREE PLANNING WORKSHOP: 2 HOURS. (1) Assess Client’s current GDPR roadmap & status. (2) Identify areas where Client seeks Teradata services to inform DPIA using automation.
  • 47. GDPR FREE PLANNING WORKSHOP: 2 HOURS. (1) Assess Client’s current GDPR roadmap & status. (2) Identify areas where Client seeks Teradata services to inform DPIA using automation. (3) Identify areas where Client requests introductions to specialist legal/business services to augment in-house capabilities.
  • 48. GDPR FREE PLANNING WORKSHOP: 2 HOURS. (1) Assess Client’s current GDPR roadmap & status. (2) Identify areas where Client seeks Teradata services to inform DPIA using automation. (3) Identify areas where Client requests introductions to specialist legal/business services to augment in-house capabilities. (4) Following that workshop we will provide a quotation and Statement of Work for automation to inform the DPIA, based upon agreed scope e.g. Lines of Business or Data Scope.
  • 49. GDPR AUTOMATION SERVICES TO INFORM DPIA. (1) Prior to commencement of first automation sprint Teradata will provide metadata extract scripts for Client to execute.
  • 50. GDPR AUTOMATION SERVICES TO INFORM DPIA. (1) Prior to commencement of first automation sprint Teradata will provide metadata extract scripts for Client to execute. (2) Teradata will then ingest the metadata into our secure hosted service (or on premises) and deliver the 1 month automation to inform the DPIA.
  • 51. GDPR AUTOMATION SERVICES TO INFORM DPIA. (1) Prior to commencement of first automation sprint Teradata will provide metadata extract scripts for Client to execute. (2) Teradata will then ingest the metadata into our secure hosted service (or on premises) and deliver the 1 month automation to inform the DPIA. (3) Week 2: Mid-Point Workshop. Demonstrate initial results of automation.
  • 52. GDPR AUTOMATION SERVICES TO INFORM DPIA. (1) Prior to commencement of first automation sprint Teradata will provide metadata extract scripts for Client to execute. (2) Teradata will then ingest the metadata into our secure hosted service (or on premises) and deliver the 1 month automation to inform the DPIA. (3) Week 2: Mid-Point Workshop. Demonstrate initial results of automation. (4) Week 4: Final Workshop and Client training to use portal for insights to inform DPIA.

Editor's Notes

  • #24-#28: The manual answer was that the business process used five databases all on TD platform. No information was available on how the data was used or data quality. The business process in fact used data in 74 databases across 4 technologies with 18 platforms. The automated process provided detailed lineage from source to target and detailed information on data usage and data quality. Savings of future wasted cost: Reduced Total Cost of Ownership because data no longer fragmented across 74 costly databases (decommissioning savings). Also overnight batch window >40% faster (not loading complex data flows).
  • #31: 12 months - £8,800 per month, minimum of 3 months, cancellable with 30 days' notice