GDPR in 7 steps. Examples from client. implementations

Transcription

1 GDPR in 7 steps Examples from client implementations

2 KEYRUS INTRODUCTION SPECIALIST IN VALUE ADDING CONSULTING AND TECHNOLOGIES +20 yrs experience 16 countries 5 continents Belgium Brazil Canada China Colombia France Israel Luxembourg Mauritius South Africa Spain Switzerland Tunisia UAE United Kingdom USA DATA INTELLIGENCE MANAGEMENT & TRANSFORMATION Corporate Performance Management Business Intelligence Information Management Big Data & Analytics Strategy & Innovation Performance Management Project Support employees 228m 2016 revenues DIGITAL EXPERIENCE Customer Intelligence Digital Strategy Digital Commerce SOME OF OUR AMBASSADORS Copyright Keyrus 2

3 GDPR IN 7 QUESTIONS 3 1 WHAT? What is GDPR? WHO? Who is impacted? WHY? What are the risks if you are not compliant? 4 Needs? What are the Key Requirements? Actions? What are the Actions to Take? 5 HOW? How to proceed to become compliant? YOUR KEY PARTNER? Why Keyrus can help you? Copyright 2015 Keyrus 3

4 1. WHAT IS GDPR? 1 New EU regulation on ( ) the protection of persons with regards to processing of personal data ( ) Simplify protection Unify & simplify protection & privacy within the European Union (EU) for personal data of EU citizens Timing Objectives Adapt to current world Strenghten citizen s right Strengthen citizens right and give them back control over their data Adapt data protection to new technological developments The regulation entered into force in May 2016 and its direct application will take effect after two years, meaning as from May 2018 Copyright 2015 Keyrus 4

5 1. WHAT IS GDPR? REASONS TO PROCESS PERSONAL DATA 1 Data Processing is any operation performed on personal data; i.e. creation, collection, storage, view, transport, use, modification, transfer, deletion, etc. Copyright 2015 Keyrus 5

6 2. WHO IS IMPACTED? 2 Within European Union Every Public or Private Organization, including subcontractors, processing personal data in the context of the activities establishment in EU Outside European Union Sub-contractors and/or Companies Outside Europe when the processing are related to: Offering of goods or services to persons in the European Union Monitoring of behaviour as far as behaviour takes place within the Union Copyright 2015 Keyrus 6

7 2. WHO IS IMPACTED? 2 Personal data is any information that relates to an identifiable natural person, whether he/she is an employee, a customer, or a prospect customer. Strategic business information Copyright 2015 Keyrus 7

8 2. WHO IS IMPACTED? 2 Client Exemple 1 For statistical purposes I am interested in linking birth dates and postal codes to products. I would like to know the percentage of people in a certain age group in a certain geographic region that has a specific product. I ask Celine, who has full access to source systems, to extract a list of birth dates linked to products to me. Is Celine, while making the extract, handling personal data? (a) Yes, she is. Even though she only needs birth dates, postal codes and products, she has full access to all information in source systems for every client, and can trace the information she extracts to an individual if she wants to. (b) No, she is not. She is not handling personal data because she ignores all information but birth dates, postal codes and products. (c) No, she is not, because in the source system one cannot link information to an individual s name, and without the name it is not personal data. Copyright 2015 Keyrus 8

9 2. WHO IS IMPACTED? 2 Client Exemple 1 For statistical purposes I am interested in linking birth dates and postal codes to products. I would like to know the percentage of people in a certain age group in a certain geographic region that has a specific product. I ask Celine, who has full access to source systems, to extract a list of birth dates linked to products to me. Is Celine, while making the extract, handling personal data? (a) Yes, she is. Even though she only needs birth dates, postal codes and products, she has full access to all information in source systems for every client, and can trace the information she extracts to an individual if she wants to. (b) No, she is not. She is not handling personal data because she ignores all information but birth dates, postal codes and products. (c) No, she is not, because in KL one cannot link information to an individual s name, and without the name it is not personal data. Copyright 2015 Keyrus 9

10 2. WHO IS IMPACTED? 2 Client Exemple 1 For statistical purposes I am interested in linking birth dates and postal codes to products. I would like to know the percentage of people in a certain age group in a certain geographic region that has a specific product. I ask Celine, who has full access to source systems, to extract a list of birth dates linked to products to me. Is Celine, while making the extract, handling personal data? (a) Yes, she is. Even though she only needs birth dates, postal codes and products, she has full access to all information in source systems for every client, and can trace the information she extracts to an individual if she wants to. (b) No, she is not. She is not handling personal data because she ignores all information but birth dates, postal codes and products. (c) No, she is not, because in KL one cannot link information to an individual s name, and without the name it is not personal data. Celine sends me the information I requested, and indeed I receive a list of birth dates, postal codes and products. Is this considered personal information? (a) No, it is not, because I could never link birth dates and postal codes to a natural person. (b) Yes, it is, because the information was extracted from an application that allows you to link the information to a natural person. (c) It may be, but only if I have a way of linking this information back to an individual. For example, if I can enter this information in an application that links geographic area and age to account numbers. Copyright 2015 Keyrus 10

11 2. WHO IS IMPACTED? 2 Client Exemple 1 For statistical purposes I am interested in linking birth dates and postal codes to products. I would like to know the percentage of people in a certain age group in a certain geographic region that has a specific product. I ask Celine, who has full access to source systems, to extract a list of birth dates linked to products to me. Is Celine, while making the extract, handling personal data? (a) Yes, she is. Even though she only needs birth dates, postal codes and products, she has full access to all information in source systems for every client, and can trace the information she extracts to an individual if she wants to. (b) No, she is not. She is not handling personal data because she ignores all information but birth dates, postal codes and products. (c) No, she is not, because in KL one cannot link information to an individual s name, and without the name it is not personal data. Celine sends me the information I requested, and indeed I receive a list of birth dates, postal codes and products. Is this considered personal information? (a) No, it is not, because I could never link birth dates and postal codes to a natural person. (b) Yes, it is, because the information was extracted from an application that allows you to link the information to a natural person. (c) It may be, but only if I have a way of linking this information back to an individual. For example, if I can enter this information in an application that links geographic area and age to account numbers. Copyright 2015 Keyrus 11

12 2. WHO IS IMPACTED? 2 Client Exemple 2 Jonathan has access to an application that does not give him client names or account numbers, but it does give him a combination of other information: street name, postal code, date of birth, gender, account balance, and telephone number (landline, not mobile). Is this personal data? (a) Yes, it is. A combination of all these categories allows him to identify an individual natural person. (b) No, it is not. A combination of all these categories does not allow him to identify an individual natural person with 100% assurance. For example, if same-sex twins live together, you would never know to which individual the information relates based upon this information. (c) No, it is not. Personal data is only personal data if it can be linked directly to an individual natural person, for example by adding a name or an account number. Copyright 2015 Keyrus 12

13 2. WHO IS IMPACTED? 2 Client Exemple 2 Jonathan has access to an application that does not give him client names or account numbers, but it does give him a combination of other information: street name, postal code, date of birth, gender, account balance, and telephone number (landline, not mobile). Is this personal data? (a) Yes, it is. A combination of all these categories allows him to identify an individual natural person. (b) No, it is not. A combination of all these categories does not allow him to identify an individual natural person with 100% assurance. For example, if same-sex twins live together, you would never know to which individual the information relates based upon this information. (c) No, it is not. Personal data is only personal data if it can be linked directly to an individual natural person, for example by adding a name or an account number. Note with correct response: It is true that there is no 100% assurance that you can link this information to an individual natural person. However, traceability is riskbased: even if the risk that one can link information to an individual is small, the fact that the risk exists, classifies the information as «personal data». Copyright 2015 Keyrus 13

14 2. WHO IS IMPACTED? 2 Client Exemple 3 Vincent works in the marketing department. Launching marketing campaigns can be quite stressful when deadlines approach and because Vincent does not have a VPN token he decides to send some customer name lists to his gmail address. This way he can continue working on the campaign in the evening. Why do you think Vincent s action violates not only security, but also privacy principles? (a) Gmail is a cloud-based provider. From a privacy perspective, using cloud-based services is the same as performing an international data transfer outside of white-listed countries. International data transfers in processes or projects are, in general, subject to a privacy impact assessment. (b) Sending personal data to a gmail address is not in line with the original processing purpose of the personal data in question, and can only be done with explicit consent from the data subject. (c) Both of the above Copyright 2015 Keyrus 14

15 2. WHO IS IMPACTED? 2 Client Exemple 3 Vincent works in the marketing department. Launching marketing campaigns can be quite stressful when deadlines approach and because Vincent does not have a VPN token he decides to send some customer name lists to his gmail address. This way he can continue working on the campaign in the evening. Why do you think Vincent s action violates not only security, but also privacy principles? (a) Gmail is a cloud-based provider. From a privacy perspective, using cloudbased services is the same as performing an international data transfer outside of white-listed countries. International data transfers in processes or projects are, in general, subject to a privacy impact assessment. (b) Sending personal data to a gmail address is not in line with the original processing purpose of the personal data in question, and can only be done with explicit consent from the data subject. (c) Both of the above Correct response: (a). Note that aside from violating the Clients Privacy Policy, sending confidential information also violates the Clients Security Policy. Copyright 2015 Keyrus 15

16 3. WHY: WHAT ARE THE RISKS IF YOU ARE NOT COMPLIANT? 3 Fines up to 20 Million or 4% of the Worldwide Annual Turnover, whichever is the highest Risk of damaging your company reputation due to Direct dissatisfaction of clients to exercise their rights Consequential impacts from bad news (e.g. press communications) Copyright 2015 Keyrus 16

17 3. WHAT ARE THE RISKS IF YOU ARE NOT COMPLIANT? Copyright 2015 Keyrus 17

18 3. WHAT ARE THE RISKS IF YOU ARE NOT COMPLIANT? BUSINESS CASE FOR OUR CLIENT IN THE FS SECTOR Copyright 2015 Keyrus 18

19 4. NEEDS: WHAT ARE THE KEY REQUIREMENTS? 4 Privacy by Design Security by Default Data Accountability Respect of Individual Rights Breach Notification Ensure technical and Minimize collected and Identify, document and Respect the data subjects Embed Breach Management organisational protection retained personal data justify any personal data rights : in the Information Security measures (native, permanent Limit Storage in time (no processing, also when to be informed Incident Management and monitored protection of longer than is necessary for recourse to external partner to access Ensure clear personal data against the purpose for which the Process data only for to rectify communication streams destruction, loss, personal data are processed) specified, explicit and to object with the data protection dissemination, alteration or Balance between the legitimate Business purpose to be forgotten authorities and stakeholders access) controller s interest and the and recipient to transfer Evaluate obligation to data subjects interest (Have Ask explicit consent (i.e. Stick to the specific and appoint a Data Privacy the fair, adequate, not «Opt-in» on a voluntary lawful purposes (i.e. for the Officer excessive and lawfulness basis from the consumer normal contract Put appropriate level of processing for purposes or rather than «Opt-out») performance) security according to the risk storage) and consider protection means (encryptions, pseudonymisation, ) Minimise data transfers and arrange them contractually Copyright 2015 Keyrus 19

20 4. NEEDS? THE CHALLENGE FOR ANOTHER CLIENT Sensitive personal data Certain personal data are more sensitive than others. This sensitivity is defined by law, and has been assessed by our Client. Surely most customers understand that the organisation wants to know their name and address. But they might not accept so easily that the organisation asks them for medical information. Below are some examples of personal data. Can you classify them correctly into the «standard categories» and «sensitive categories»? Copyright 2015 Keyrus 20

21 4. NEEDS? THE CHALLENGE FOR ANOTHER CLIENT Data Quality and MDM Personal data is a term that is subject to interpretation. Often personal data is not one piece of information in itself, but a combination. Your first name is probably not unique at all, nor is your last name. But a combination of your first and last name is often pretty unique. And combined with your date of birth, it can single you out as an individual. Likewise, when using information, be wary of the potential combinations it allows. Checking account balances in itself is not necessarily a consultation of personal information. But entering an account number and checking its account balance is, especially if the account number also yields the name of the customer on the same page.! In your domain of responsibility, where do you encounter or work with personal data? Do you have a good view on this? If asked, could you draft a flowchart of how personal data flows through your process, asset or application? Do you know exactly which types of personal data you process? Copyright 2015 Keyrus 21

22 4. NEEDS? THE CHALLENGE HOW PERSONAL DATA FLOWS THE INFORMATION LIFECYCLE Who enters data into the system? Who decides on updates? People & Organisation Who makes actual changes to the data? Who uses the information? Who sets the retention policy? Who archives the data? 6 What develops processes, business rules and standards? Apply Who deletes the data? Plan Obtain Store Dispose Maintain What triggers creation of a new records? How data are used? Business processes What triggers maintenance? How the data is entered into the system? How the information is secured? Copyright 2015 Keyrus 22 What are the interfaces between applications? How data is maintained? Technology & Systems How the information is accessed?

23 4. NEEDS? THE IMPACT FOR A CLIENT - PEOPLE Overview of topics relevant to each role Ref Topic Privacy Specialists,DPO Staff, POBs 1 Applicable laws & regulations X Copyright 2015 Keyrus 23 Project/asset managers, process owner, GS staff 2 DPP governance and framework X X 3 DPO functional standard X 4 Data documentation X X X 5 Legal grounds for personal data processing X X X 6 Personal data X X X 7 User consent X X X 8 Transparency, data integrity X X X 9 Subject access request X X 10 Privacy impact assessment X X 11 Privacy by design X X 12 Third party privacy management X 13 International data transfers X 14 Retention X X X 15 Data anonymization X X 16 The Data Protection Office X X X 17 Data Breach Management X X X Clientoriented (ZORO, DORs, Marketing, Sales)

24 4. NEEDS? THE CHALLENGE FOR ANOTHER CLIENT Département / nom Data Documentation One of those consequences concerns the way we need to document the personal data processed by the Client. There is a shift from the Declaration Principle ( where the client had to declare the different types of personal data used to the Privacy Commission, as well as their processing purposes) to the Audit Principle. This means that the burden of proof lies with the Client: the Client needs to be able upon simple request- to show what personal data they process and why. What does this imply for its employees? Everyone in the organisation handling personal data, has to maintain an overview of, amongst others: - The type(s) of personal data being processed - The processing purpose(s) - Retention periods - Data transfers to third parties or other countries Awareness and training employees Copyright 2015 Keyrus 24

25 4. NEEDS? THE IMPACT FOR A CLIENT PEOPLE & PROCESSES Governance structure Whom do you talk to if you have questions on personal data? Multiple answers can be selected. 1. The Data Protection Office 2. Your Privacy Officer Business 3. Compliance 4. The Project Manager of the project you are involved in 5. The Process Owner of your process 6. The Global Security Architect you happen to know Copyright 2015 Keyrus 25

26 4. NEEDS? THE IMPACT FOR A CLIENT PEOPLE & PROCESSES Governance structure Whom do you talk to if you have questions on personal data? Multiple answers can be selected. 1. The Data Protection Office 2. Your Privacy Officer Business 3. Compliance 4. The Project Manager of the project you are involved in 5. The Process Owner of your process 6. The Global Security Architect you happen to know! All of these responses are correct. Privacy is not restricted to a single team at the Client s. Instead it follows a transversal governance structure, and different stakeholders carry different responsibilities. Copyright 2015 Keyrus 26

27 4. NEEDS? THE IMPACT FOR A CLIENT - STRUCTURAL The Enterprise IT Environment/infrastructure -- Common Challenges: E.g. shared architecture within the Organisation, mergers and acquisitions; Customer-Facing Applications: Software-based notice and consent, (contractual) agreements; Identity and Access Management: E.g. role-based and user-based access controls, cross-enterprise authentication; For customers: customer authentication; For employees: Remote Access, Telecommuting, and Bring Your Own Devices; For partners: Third-Party Management: e.g. access to non-production environments for developers; Copyright 2015 Keyrus 27

28 4. NEEDS? THE IMPACT FOR A CLIENT - IT Data Encryption: Technological protection measures rendering personal data unintelligible to any person who is not authorised to access it; Regulations and standards; File and disk encryption, application or field encryption; Data loss prevention solutions; Technologies with privacy considerations: I.e. Cloud Computing, Video/Audio Surveillance Online privacy considerations: Usage of social media; Web browser, privacy (tracking, cookies); Copyright 2015 Keyrus 28

29 5. WHAT ACTIONS TO TAKE? 5 Embrace a philosophy of minimal personal data gathering AND freely and unambiguously given Consent Consider to appoint a Data Privacy Officer acting as a key point of contact to coordinate data protection activities Review Risk and Security across all Personal Data flows, third-party vendors included Companies are advised to undertake a set of actions Put Processes in place to be ready in satisfying clients request based on their rights to access, delete, or transfer their personal data Foresee a process to notify personal data breach to the supervisory authority Implement Technical and Organisational Measures in the context of processing Personal Data Demonstrate compliance with all those principles through appropriate documentation Copyright 2015 Keyrus 29

30 5. KEY TO THE SOLUTION - FINDINGS Message to the client management: The draft regulation has the potential (pending establishment of jurisprudence) to significantly drive up the costs of data collection and processing for organisations Digital future of organisation can only be build in trust. If people feel they are in control of their data and it is used for better serving them, sharing will be easier. Copyright 2015 Keyrus 30 30

31 6. HOW TO PROCEED TO BECOME COMPLIANT? ASSESS DECIDE IMPLEMENT CONTROL GDPR Compliancy FIT-GAP evaluation with 3focus on sensitive data, big data, decision automation Weight the risks and decide on corrective actions Take organizational & technical corrective actions Monitor & control current and future GDPR compliance Copyright 2015 Keyrus 31

32 INTERVIEWS PROPOSITION SCOPING EXERCISE Copyright 2015 Keyrus 32

33 OUR METHODOLOGY Scoping & Risk assessment User Stories & Risk backlog Copyright 2015 Keyrus 33

34 OUR METHODOLOGY Prioritisation output: the Risk backlog Each sprint implement the highest priority risks Each new risk is prioritized and added to the stack Risks may be prioritized at any time Risks may be removed at any time Risks Copyright 2015 Keyrus 34

35 ASSESSMENT DOMAINS A comprehensive view on the environment and ecosystem 6 Five assessment areas ECOSYSTEM Solution architecture & fit for requirements ENVIRONMENT Taking into account the maturity level of the organization towards GDPR Compliance and Data & Digital Transformation Environment Solutions for data management and GDPR compliance and their functional, technical and technological components Processes Governance & Strategy People & Organization Ecosystem All stakeholders involved in Data and the way they are organized and interact to create and maintain Data applications Information management Governance & Strategy A clearly documented plan that structures the journey to deploy and maintain solutions across the organization Copyright 2015 Keyrus 35

36 ASSESSMENT RESULTS SUMMARY Gap analysis: example of key outputs 6 Formalized vision on organization GDPR Compliance Data & Digital transformation Solution architecture and fit for requirements Roadmap aligned with business strategy Formalized GDPR Compliance and Data & Digital transformation processes: demand management, Processes Governance & Strategy People & Organization project delivery, information management, change management Solution design according to best practice Information Management Technology choice Governance & Strategy allowing proper Business and IT alignment Copyright 2015 Keyrus 36

37 Business value Roadmap & Delivery DEFINE ROADMAP high Complex 360 Customer View Priority Plot Map 4 1 Training Easy wins Data security by default & Individual rights management Breach Notification Production 3 Data privacy by design 2 Master Data Management & Documentation low Low priority Feasibility Nice to have high Copyright 2015 Keyrus 37

38 OUR METHODOLOGY PROJECT ROADMAP SAMPLE Project Roadmap Week 1 Week 2 Week 3 Week 4 Week 5 Week 6 Week 7 Week 8 Week 9 Week 10 Scoping Study Sprint Zero Sprint backlog Sprint Sprint backlog Sprint Principal Consultant Senior Consultant Sprint backlog Sprint Data Analyst Copyright 2015 Keyrus 38

39 Data & Digital transformation APPROACH A GRADUAL APPROACH TAILORED TO YOUR NEED Change Plan & Decide Transform & Comply BEYOND Assess & Analyze Deep dive, Prioritize & Plan Xxx Weeks Initiate Assessment Awareness GDPR IN 7 QUESTIONS 2-3 days Who enters data into the system? What develops processes, business rules and standards? Who decides on updates? PEOPLE & ORGANIZATION Who makes actual changes to the data? Who uses the information? APPY PLAN OBTAIN STORE 1 Week Who sets the retention policy? Who archives the data? Who deletes the data? DISPOSE 1 WHAT? What is GDPR? 3 WHY? What are the risks if you are not compliant? 4 Needs? WHO? What are the Who is Key impacted? Requirements? 2 Actions? What are the Actions to Take? 5 HOW? How to proceed to become compliant? 6 YOUR KEY PARTNER? Why Keyrus can help you? 7 MAINTAIN What triggers creation of a new How the data is records? entered into the system? How data is What are the interfaces maintained? between applications? How data are used? BUSINESS PROCESSES How the information is secured? TECHNOLOGY & SYSTEMS How the information What triggers maintenance? is accessed? Data protection journey (incl. GDPR compliance) (monitored and evolutive) Copyright 2015 Keyrus 2 Compliance CAF KEYRUS CLIENT Copyright 2015 Keyrus 39

40 6. BECOMING COMPLIANT IMPLEMENTATION PRIORITIES Data Governance Domains Data Architecture & Design Management Composed of models, policies, rules or standards that govern which data is collected, and how it is stored, arranged, integrated, and put to use in data systems and in organizations MetaData Management Involves managing data about other data, whereby this "other data" is generally referred to as content data. Metadata management can be defined as the end-to-end process and governance framework for creating, controlling, enhancing, attributing, defining and managing a metadata schema Data Integration Management Combining data residing in different sources and providing users with a unified view of these data. Master Data & Reference Data Management Comprises the processes, governance, policies, standards and tools managing the critical organization data to provide a single point of reference. Data Security Management Viewed as a way to maintain the integrity of data and to make sure that the data is not accessible by unauthorized parties or susceptible to corruption of data. Data security is put in place to ensure privacy in addition of protecting this data. Data Quality Management Data Quality Management revolves around safeguarding the data to certify that the data is relevant, reliant and accurate. Incorporates the role establishment, responsibilities and processes with regard to the acquisition, maintenance, disposition and distribution of data. Data Compliance Management In addition to Data Security and Quality standards, Data Compliance are legal or regulatory frameworks defining data rules/principles to respond to internal or external hazards. Data Lifecycle management Viewed as a policy-based approach to managing the flow of an information system's data throughout its life cycle: from creation and initial storage to the time when it becomes obsolete and is deleted Data Warehousing & BI management Data warehouses integrate with all applications and databases, aggregate their data, categorize and manage the data according to rules and business criteria, BI allows analyse the data to find and define interrelationships, and present it back in various structures and/or formats to meet the needs of different users across the organization. Copyright 2015 Keyrus 40

41 6. BECOMING COMPLIANT IMPLEMENTATION PRIORITIES 6 Short term Focus & Priorities in Big Data Context Data Architecture & Design Management MetaData Management Data Integration Management OBJECTIVES: SUPPORT DELIVERY & TRUSTFULNESS OF INSIGHTS Master Data & Reference Data Management Data Quality Management Data Lifecycle management Metadata management PRIORITIES: Data Quality Data Security Management Data Compliance Management Data Warehousing & BI management Data Security & Access Data Compliance Copyright 2015 Keyrus 41

42 6. BECOMING COMPLIANT IMPLEMENTATION PRIORITIES 6 Long term Focus & Priorities in Big Data Context Data Architecture & Design Management Master Data & Reference Data Management MetaData Management Data Quality Management Data Integration Management Data Lifecycle management OBJECTIVES: PROPERLY GOVERNED SOLUTION INTEGRATED ACROSS TRADITIONAL AND BIG DATA PLATFORMS AND ORGANIZATION PRIORITIES: Data Security Management Data Compliance Management Data Warehousing & BI management Define Governance Zones: Highly Governed & Validated Metadata management Data Quality Data Security & Access Data Compliance Information integration Master Data & Reference Data Management Copyright 2015 Keyrus 42

43 OUR METHODOLOGY Benefits of Agile vs Traditional Waterfall Visibility Adaptability Shorter iteration delivery provide a better visibility to the business. Business Value Agile allows clients to re-evaluate their priorities and make changes at any stage of the project. Risk Business value is perceptible at the early stage of the project and consistently until the final delivery. Traditional development Copyright 2015 Keyrus 43 The risk is considerably reduced as mistakes can be corrected at early stages. Agile development

44 6. BECOMING COMPLIANT GOVERNANCE STRUCTURE 6 A Client decided to put the second line of defense concerning privacy with the compliance department (whereas the first line of the defense lies with the Data Protection Office of the Global Security Team). Why did they do so? Data Protection Office Data Protection Office (DPO): DPO Staff; a Compliance specialist; a network of Privacy Officers Business (POB); (a Legal specialist). (a) Because the applicable legislation says this is how it should be. (b) Certain aspects of the privacy function are closely linked to existing compliance functions, such as monitoring of the legal framework and second line control. (c) Both Copyright 2015 Keyrus 44

45 6. BECOMING COMPLIANT - GOVERNANCE STRUCTURE 6 A Client decided to put the second line of defense concerning privacy with the compliance department (whereas the first line of the defense lies with the Data Protection Office of the Global Security Team). Why did they do so? Data Protection Office Data Protection Office (DPO): DPO Staff; a Compliance specialist; a network of Privacy Officers Business (POB); (a Legal specialist). (a) Because the applicable legislation says this is how it should be. (b) Certain aspects of the privacy function are closely linked to existing compliance functions, such as monitoring of the legal framework and second line control. (c) Both Through this set-up, privacy has become a true transversal function at the Client s, which is essential. After all data protection and privacy is the responsibility of every single employee. Copyright 2015 Keyrus 45

46 6. BECOMING COMPLIANT BIG DATA COMPETENCY CENTER (BDCC) TO ENSURE TRANSFORMATION 6 Data Security & Compliance expert Take the lead on data security & compliance management aspects. Ensure conformity with internal security & compliance standards and local & global legislations. Ensure that data security policies are implemented, applied and monitored in the big data context. Advise on security concerns and make recommendations with regard to the security of data and systems to improve data security management. Report on information security incidents. Database / Hadoop Administrator Responsible for implementation and ongoing administration of Hadoop infrastructure. Set up Hadoop users. Cluster maintenance as well as creation and removal of nodes. Performance tuning of Hadoop clusters and Hadoop MapReduce routines. Monitor Hadoop cluster connectivity and security. Manage and review Hadoop log files. File system management and monitoring. HDFS support and maintenance. Data Scientist Contribute to the development of data models and protocols for mining production databases. Develop statistical analysis and create prediction models & algorithm Contribute to data mining architectures, modelling standards, reporting, and data analysis methodologies. Work with data acquisition expert & developers to extract data relevant for analysis. BIU Role IT Role Copyright 2015 Keyrus 46

47 6. BECOMING COMPLIANT BIG DATA COMPETENCY CENTER (BDCC) TO ENSURE TRANSFORMATION 6 General P01. Big Data Governance & Steering process P02. Big Data Knowledge & Training Management Architecture P03.Big Data Application Architecture Definition, Design & Compliance P04. Big Data Architecture Definition, Compliance & Documentation P05. Big Data Application Ownership & Performance Monitoring Demand Management P06. Big Data Demand & Release Management P91. Big Data Functional Solution Definition & Design process BDCC Operations Out of BDCC Scope Security management Compliance management P07. Big Data Security management P08. Big Data Compliance management Data Quality Management BAU P09. Big Data Quality Improvement process P92. Master Data Management P94. Big Data Operational Run & Control process P14. Big Data Support & Coaching P95. Big Data Application Life Cycle Mgt /Maintenance Delivery P10. Big Data Reporting Factory P11. Big Data Advanced Analytics Delivery P12. Big Data Program / Project Management P13. Big Data Application Delivery Quality Assurance P93. Big Data Project Delivery Copyright 2015 Keyrus 47

48 OUR APPROACH IN SUMMARY 7. KEYRUS CAN HELPS YOU IDENTIFYING CHALLENGES OF GDPR DESIGNATION OF A DPO DIGITAL TRANSFORMATION IDENTITY ACCESS MANAGEMENT SENSIBLE DATA INFORMATION SECURITY (ISO 27000) PERSONAL DATA TRAININGS FOR THE EMPLOYEES ACCOUNTABILITY DATA IS EVERYWHERE (BYOD, ) NECESSITY TO SECURE THE DATA Copyright 2015 Keyrus 48

49 7. WHY KEYRUS CAN HELP YOU? KEYRUS DNA FOR 20 YEARS Data Intelligence and Data Management is Keyrus DNA for more than 20 Years. Our expertise is your best asset to identify personal data, assess the current state of data security & privacy and to design & implement corrective actions. Copyright 2015 Keyrus 49 MORE THAN TRADITIONAL INTELLIGENCE Ensuring GDPR compliance requires a mix of skills outside traditional Data Intelligence. Keyrus has developed strong collaboration and partnership with specialized legal advisors and cutting edge technology vendors. EXPERIENCE & REFERENCES See our references on related topics; BI/IM Maturity assessment (Keyrus Maturity model), Data Governance, Data process reengineering, Data Management.

50 7 7. WHY KEYRUS CAN HELP YOU? A COMPREHENSIVE RESPONSE TO THE MAJOR CHALLENGES FACING ENTERPRISES 90% of the data in the world Innovation created in the last two years alone (source: IBM) DIGITAL TRANSFORMATION Agility & collaborative approaches Disruptive business models Profitability Growth & Sustainability 3.5 billion searches analyzed by Google each day (source: Google Search Statistics) 2/3 of organizations will have to drastically change, or even replace, their Business Model in order to survive by 2020 (source: Gartner) Copyright 2015 Keyrus 50

51 Data & Digital transformation 7 7. WHY KEYRUS CAN HELP YOU? A GRADUAL APPROACH TAILORED TO YOUR NEED Change Plan & Decide Transform & Comply BEYOND Assess & Analyze Deep dive, Prioritize & Plan Xxx Weeks Initiate Assessment Awareness GDPR IN 7 QUESTIONS 2-3 days Who enters data into the system? What develops processes, business rules and standards? Who decides on updates? PEOPLE & ORGANIZATION Who makes actual changes to the data? Who uses the information? APPY PLAN OBTAIN STORE 1 Week Who sets the retention policy? Who archives the data? Who deletes the data? DISPOSE 1 WHAT? What is GDPR? 3 WHY? What are the risks if you are not compliant? 4 Needs? WHO? What are the Who is Key impacted? Requirements? 2 Actions? What are the Actions to Take? 5 HOW? How to proceed to become compliant? 6 YOUR KEY PARTNER? Why Keyrus can help you? 7 MAINTAIN What triggers creation of a new How the data is records? entered into the system? How data is What are the interfaces maintained? between applications? How data are used? BUSINESS PROCESSES How the information is secured? TECHNOLOGY & SYSTEMS How the information What triggers maintenance? is accessed? Data protection journey (incl. GDPR compliance) (monitored and evolutive) Copyright 2015 Keyrus 2 Compliance CAF KEYRUS CLIENT Copyright 2015 Keyrus 51

52 Resource Involved UP-SKILLING PLANNING STAFF ALLOCATION & UP-SKILLING PLANNING Working on-site alongside client teams allows our consultants to transfer knowledge and skills throughout the project, allowing for phased reduction in our involvement and hand-over of maintenance and further development to client teams. Client autonomy and self- sufficiency are the product of joint implementation and knowledge transfer Upskilling Implementing Self-serving Analysing Keyrus Client Time & Knowledge Transfer Advice Training Implementing Servicing Copyright 2015 Keyrus 52

53 Copyright 2015 Keyrus 53

54 THANK YOU FOR YOUR ATTENTION To contact us