THE FIRST THREE STEPS TO GETTING GDPR READY

Transcription

1 THE FIRST THREE STEPS TO GETTING GDPR READY GDPR 25 MAY 2018

2 Agile Solutions is a specialist Information Management and Data Analytics consultancy. We provide applications, technology and support services across the UK, with offices in Glasgow, Manchester and Milton Keynes. As an independent UK company, we are passionate about using agile methods and automation to help clients manage, comply, safeguard and derive value from their data.

3 CONTENTS 4 Can GDPR be pain free? 6 How to approach GDPR readiness 8 What we offer 10 Preparing for success 11 Delivering success 13 Step 1 Raise GDPR awareness and assess impact on business areas 16 Step 2 Create a program roadmap 17 Step 3 Address technology architecture 18 IBM Solutions Architecture 19 IBM Product Solutions that can help and support a GDPR Program Data Governance Data Mapping 20 Data profiling and quality Data integration 21 Archiving Data management and lineage Data analytics 22 Data security Systems security 23 Useful links and contact

4 4 Agile Solutions CAN GDPR BE PAIN FREE? GETTING READY FOR GDPR CAN FEEL OVERWHELMING. THE TEMPTATION TO BURY ONE S HEAD IN THE SAND PROBABLY NEVER HAD SUCH APPEAL. However, GDPR can be part of a strategy to become more data-driven as it requires data governance across all areas: both business-led and IT-led. This makes agile methodologies ideally suited to tackling GDPR. It identifies where you are now and where you need to be on 25 May Then it breaks it up into manageable steps.

5 5 The first three steps to getting GDPR ready The advantages are: Even if you are already on your GDPR journey, you can apply agile methodologies to take stock and ensure you are on track to meet compliance. Agile methodologies allow you to change, adapt and evolve your Data management practices to meet your organisational needs. You can combine agile methodologies with other methods. If you re using agile at the outset, you create a data governance framework and roadmap to follow. But to deliver you can switch to waterfall or hybrid. Agile is results-driven. By working in sprints, you see results fast. This helps ensure you get the full support of key stakeholders in your organisation and that your results meet best practice. You can scale an agile approach to focus on: - a particular data governance issue (such as data quality) - an entire organisation to develop an Enterprise approach, or - a specific business, department or region The success to any approach is to engage the key people. A comprehensive Data Governance Framework encompasses all the following data governance domains (as identified by DAMA, Data Management Association International). We use the DAMA Governance model and the Gartner Maturity Model to analyse your data governance and data maturity. The principles of DAMA DMBOK provide a data quality assessment framework to use as a starting point to understand where you are on your data governance journey. Data Data Quality Architecture Management Management Metadata Management Development and Content Management Data Development Data Governance Strategy Data Operations Managment Data Data Warehousing Security and Business Reference Management Intelligence and Master Data Management Figure 1: Data Governance Domains

6 6 Agile Solutions HOW TO APPROACH GDPR READINESS FUNDAMENTALLY GDPR SIMPLY SEEKS TO ENFORCE RESPONSIBLE DATA MANAGEMENT PRACTICES. We show you how to address GDPR compliance within existing or planned business and IT projects as well as embedding it into new projects. Compliance with GDPR has to be a cross functional initiative. It involves input from all parts of the organisation and requires investment in people, data and technology. There is no one widget or commercial-off-theshelf (COTS) application you can purchase to become compliant, and if you were to request funding outside of BAU activities for a standalone GDPR program, the investment involved could be eye watering. Your data governance framework has to have the ability to evolve and respond to changes in your organisation (specifically movement of key stakeholders and sponsors), development in technology (big data, cloud, IoT) and changes in your business model (e.g. new strategic initiatives, acquisitions, divestitures). Our pragmatic approach when developing a data management strategy focuses on the short to medium term priorities and plans accordingly. We recommend a phased approach to implementation. This involves prioritising domains, process and technology to operationalise the data stewardship model. This needs to be accompanied by a strong change management plan to sustain your GDPR compliance program.

7 The first three steps to getting GDPR ready 7 100% GDPR applies to all companies worldwide that process personal data of European Union (EU) citizens. An example of this approach is shown below: INFORMATION MANAGEMENT MATURITY AND GDPR Personal Data Consent Privacy Model Privacy Officers Data Access Data Breaches Suppression Data Profiling Data Portability People Level 1 Level 2 Level 3 Level 4 Level 5 Data Design Technology Informal Process Emerging Process Engineered Process Controlled Process Optimised Process Figure 2: Example of Change Management Plan

8 8 Agile Solutions WHAT WE OFFER To support you in your GDPR journey, we can hit the ground running by providing you with our proven templates and GDPR-enhanced Agile toolkit. These assets have been produced by our team to help many Tier 1 organisations implement robust and scalable Data Management practices over the last 16 years. These Agile Solutions templates have helped many Tier 1 organisations implement very strong data management practices over the last 16 years SYSTEMS DATA We assess the systems landscape and document system owners We identify any significant IT projects that a data governance program could leverage We look at the escalation structure for systems-related issues Where required for understanding, we deep dive into the current systems associated with data management We identify the data to be governed We document the ownership for each data set We document the administrators, stewards and end users of the data We seek to understand the nature and utility of data (frequency of data transfer, rate of change, number of downstream consumers, etc.)

9 The first three steps to getting GDPR ready 9 PROCESSES PEOPLE We examine existing standard operating procedures (to determine to what extent documentation related to business rules and data management rules exists) We seek to understand how the business rule is formalised We document any best practice as a template for consolidation of business rules We seek to understand business processes driving data management For key data processes, we walk through the Create, Read, Update, De-activate/Delete (CRUD) cycle We identify key stakeholders We document the various roles in GDPR: data controller, data processor, data steward, etc, and identify who currently occupies these roles We analyse whether the systems and processes in place ensure people are carrying out their roles without unknowingly contravening GDPR We assess current and future training requirements

10 10 Agile Solutions PREPARING FOR SUCCESS THE AGILE INFORMATION MANAGEMENT (AIM) FRAMEWORK HAS BEEN DEVELOPED BY AGILE SOLUTIONS. For further information please download our AIM ebook An innovative structured method towards achieving the goals of Business Agility through applying a strategic approach to data management solutions and services delivery. The framework selectively overlays a number of proven management methods, system design techniques and technology types over a data centric architecture, design and delivery capability, in order to allow companies to evolve, capturing opportunities and reacting to market threats quickly. 44% incorrectly believe GDPR will not apply to UK business after Brexit

11 The first three steps to getting GDPR ready 11 DELIVERING SUCCESS WE USE AGILE METHODOLOGIES. Fundamental to this is to agree with our clients a backlog that forms a program of work that we can organise into sprint cycles. Whether true agile or a hybrid or waterfall approach is used for the delivery of the program of work, agreeing priorities up front and setting limits on scope to avoid creep in delivery is key to success. This means the data governance roadmap and strategy can be scaled in a number of ways: focused to address a particular data governance issue (such as data quality) employed across an entire organisation to develop an Enterprise approach applied within a line of business, department or region Our initial exercise (in the form of workshops) with the program sponsors, focuses on the following objectives: 1. Prioritise data governance domains 2. Prioritise business areas 3. Prioritise data management processes 4. Prioritise systems landscape Multiple business and functional areas will be impacted by GDPR and early engagement with key stakeholders to solicit their input is vital.

12 12 Agile Solutions 24% of UK companies are incorrectly no longer preparing for GDPR post Brexit We carry out a pre-workshop (electronic) survey of stakeholders in order to: Get people engaged with a GDPR and Data Governance roadmap in advance of the overview session Gain insight into the understanding of GDPR and current compliance / known risks per business domain to tailor the contextual workshop content Collect quantitative data on the current level of understanding and possible risks

13 The first three steps to getting GDPR ready 13 STEP 1 RAISE GDPR AWARENESS AND ASSESS IMPACT ON BUSINESS AREAS 1 An electronic survey conducted a week in advance of the workshops to assess GDPR knowledge. In step 1, we run two workshops to: Identify and engage key stakeholders Evaluate and establish awareness Assess GDPR readiness by undertaking a GAP Analysis to assess risk and current capability across people, process and technologies Using the DAMA Data Governance Framework and Gartner maturity models linked to our own AIM methods, we run exercises that allow us to examine your data governance and check data quality. This provides an objective assessment of your data maturity. Recommended reading prior to workshops: 12 Essential steps to help you prepare for GDPR

14 14 Agile Solutions WORKSHOP 1 OVERVIEW PRESENTATION Agile Solutions provides an overview of GDPR. Workshop 1 Designed for C-level Location onsite. Duration 1 hour Legal HR Compliance Audience Chief Data Officer (CDO), related DQ/DM functions and other data consumers Ops and technology services management Legal counsel, risk and compliance management Supply chain/vendor management Sales BUSINESS AREAS IMPACTED BY GDPR Agenda Key elements of GDPR Overview of 12 steps to prepare for GDPR IT Supply Chain Operations Marketing Finance Figure 3: Business areas impacted by GDPR

15 The first three steps to getting GDPR ready 15 WORKSHOP 2 ASSESS GDPR IMPACT ON BUSINESS AREAS Workshop 2 examines the impact GDPR has on business areas. Workshop 2 Business Area Level Location onsite Duration 2 hours Audience CDO, related DQ/DM functions Business function management Ops and technology services management Legal counsel, risk and compliance management Supply chain/vendor management Agenda Outline activities relevant for each business area Map personal data within each business area Identify current high, medium and low risk data management practices Outcomes Each business area creates an overarching plan and identifies the key people to implement it. 40% admit to being less than fully prepared to comply with GDPR requirements

16 16 Agile Solutions STEP 2 WORKSHOP 3 CREATE A PROGRAM ROADMAP Each individual business function area requires a minimum one-day program backlog refinement workshop. We demonstrate what good governance looks like in this area. This enables participants to identify all the things they want to achieve (defined in Scaled Agile terminology as Themes, Epics, Capabilities, Features). These are categorised into order of priority, as well as, short-term, mediumterm and long-term projects. 2 Audience Business function management Data stewards within each business function Enterprise architect Agenda Create a list of Themes, Epics, Capabilities, Features and Enablers (the program backlog) Create a roadmap to undertake the program backlog development Identify data and data flow prioritisation Identify existing and planned technology stack and its function Workshop 3 Business Function Level Location onsite Duration one day workshop, followed by a follow-up session to be arranged FOLLOW-UP SESSION PRESENTATION OF PROGRAM ROADMAP A program roadmap across all functions with the capabilities or features that require addressing. This identifies any duplication that could be addressed simultaneously. A clear view of who needs to help achieve each milestone on the roadmap

17 The first three steps to getting GDPR ready 17 STEP 3 3 ADDRESS TECHNOLOGY ARCHITECTURE Having identified any issues regarding technology architecture currently in use or which you plan to adopt, we carry out an assessment. Agile Solutions has an agnostic approach to technology. In other words, we are completely neutral as regards technology, and only give advice based on what we believe works best for your business requirements and budget. As we are partnered with a number of leading technologies (including Informatica, IBM, SAS, and Experian), we are able to provide robust, scalable and future-proofed architectures.. In this paper we showcase IBM s GDPR solutions. Tasks Assess existing and planned technology stack Run our fit for purpose tool to recommend any changes or improvements Offer strategic advice on which technologies could fulfil current and future needs Outcomes We provide a report on the current state of your technology and advise on what we believe to be the best technology selection as appropriate Create a technology adoption plan Create a training plan Prepare a budget plan and business case for approval Penalties up to 20m or 4% of global turnover for failure to comply with GDPR requirements

18 18 Agile Solutions IBM SOLUTION ARCHITECTURE TO HELP PREPARE FOR THE CHANGES THAT MAY 2018 IS BRINGING, IBM HAS DEVELOPED AN ENTERPRISE-WIDE SOLUTION ARCHITECTURE. It includes a methodology that can scale both for GDPR and clients own specific regulatory demands. IBM s portfolio of technology addresses data management, data governance, analytics and security, as well as bespoke research assets. IBM s GDPR solution framework (Figure 4) is a reference point for the technical capabilities required for aspects of GDPR. Clients often use a combination of products for structured and unstructured data, all with business mapping capability. Key areas IBM products can help with are: Discovering and documenting what personal data is held, where it came from and with whom it is shared. Supporting requests from data subjects such as right of access and right to be forgotten within the new GDPR timeframes. Documenting the legal basis for each type of data processing activity. Applying techniques such as anonymisation and pseudonymisation to personal data. Handling and governing personal data more efficiently and safely. GDPR Solution Framework Rights of EU Data Subjects Security of Personal Data Lawfulness and Consent Accountability of Compliance Design and Default Dynamic Policy Management: Define what, why, how long Implementation Services: Distribute policies to data sources Data Infrastructure: Control use, align cost to value Policies Rules Audit Processes Analyses Databases and Data Warehouse ECM and Collaboration Archive Platform Data Management Hadoop Platform Master Data Servers User Devices and File Shares Cloud and Social Compliance monitoring Figure 4: IBM s GDPR Solution Framework

19 The first three steps to getting GDPR ready 19 IBM PRODUCT SOLUTIONS THAT CAN HELP AND SUPPORT A GDPR PROGRAM DATA GOVERNANCE DATA MAPPING InfoSphere Information Governance Catalog Policy and metadata management Business and technical glossary Searchable catalog of information assets Point of access and control for data stewardship tasks Encourages a standardised approach to discovering IT assets and defining a common business language. Atlas (Data Mapping) Management of retention and disposition policies and rules Point of access for legal and records management personnel Helps improve information economics and reduce risk by defensibly disposing of data debris.

20 20 Agile Solutions DATA PROFILING AND QUALITY InfoSphere Information Analyser (structured data) Discovers structured data sources, to reverse engineer the data model and feed into catalog Locates personal data within the information landscape Provides data quality assessment, data quality monitoring and data rule design and analysis capabilities. StoredIQ (Un-structured data) Policy and Legal Automates discovery and classification of unstructured content within the information landscape Identifies personal information subject to GDPR controls Identifies, classifies and manages enterprise information according to business value in order to reduce risk and cost. IBM StoredIQ for Legal Manages data discovery and collection for legal processes Streamlines the ediscovery process for legal stakeholders to gain efficiency and transparency in custodian identification, legal hold notification, and ediscovery collection and preservation. DATA INTEGRATION InfoSphere Optim Suite a) InfoSphere Optim Archive Archives / disposes of personal data in accordance with retention / disposition policies defined in GDPR solution policy management layer Manages the volume, speed and complexity of data growth for reduced storage costs and improved performance. b) InfoSphere Optim Data Privacy Obfuscates / redacts personal data in accordance with policies defined in GDPR solution policy management layer De-identifies confidential data on demand throughout the enterprise including big data platforms. It masks data statically or dynamically in applications, databases and reports across production and nonproduction environments. c) InfoSphere Optim Test Data Management Applies subsetting, anonymisation and pseudonymisation to production data to create realistic test data sets while minimising risks associated with any breach of test environments Optimises and automates the test data management process.

21 The first three steps to getting GDPR ready 21 ARCHIVING Enterprise Records Archives / disposes of unstructured information as per retention / disposition policies defined in GDPR solution policy management layer Addresses, maintains and provides a record of compliance for electronic and physical records. DATA ANALYTICS Watson Explorer Able to search for personal data across the data landscape and combine results in a single portal tailored to their needs Uses natural language processing, content analytics and cognitive techniques to present a single view Accesses and analyses structured and unstructured content and presents data, analytics and cognitive insights. DATA MANAGEMENT AND LINEAGE InfoSphere MDM Provides of a single source of truth for citizen data and linkage to operational systems Point of access and control for stewardship Manages master data for single or multiple domains customers, patients, citizens, suppliers, locations, products, services offerings, accounts, etc. 90% believe GDPR will impact the way they collect, use and process personal data

22 22 Agile Solutions DATA SECURITY SYSTEMS SECURITY Security Guardium Data Activity Monitor Monitors and audits access to personal data, detection and alerting of non compliant access. Prevents unauthorised data access, alerts on changes or leaks to help ensure data integrity, automates compliance controls and protects against internal and external threats. Security QRadar Security Information and Event Management Monitors systems involved in processing of personal data, to provide early identification of attack and potential data breaches. Consolidates log source event data from thousands of devices, endpoints and applications distributed throughout a network. Security Guardium Data Encryption Provides encryption capabilities to safeguard on-premises structured and unstructured data to comply with industry and regulatory requirements. This software performs encryption and decryption operations with minimal performance impact and requires no changes to databases, applications or networks. Security Guardium File Activity Monitoring Continuously monitors files, detecting and blocking suspicious activity. Monitors unstructured data such as documents, spreadsheets, web pages, presentations, chat logs and multimedia ensuring sensitive data is secure. 46% are highly confident that they ll be ready by May 2018 and 88% report technological challenges

23 23 USEFUL LINKS AND CONTACTS THE INFORMATION COMMISSIONERS S OFFICE IS THE UK S INDEPENDENT AUTHORITY SET UP TO UPHOLD INFORMATION RIGHTS IN THE PUBLIC INTEREST, PROMOTING OPENNESS BY PUBLIC BODIES AND DATA PRIVACY FOR INDIVIDUALS. ICO: Information Commissioner s Office To find out more about Agile Solutions and our approach to making GDPR a positive experience, get in touch. Agile Solutions GB Ltd Ocean Chambers 190 West George Street Glasgow G2 2NR info@agilesolutions.co.uk

24