EU General Data Protection Regulation: Getting Started with GDPR
Steve Norledge, UKI GDPR Leader
Sol Barron, Information Governance Specialist
February 2017
GDPR significantly extends EU member-state data privacy regulation

EU Citizen Rights: enhanced, harmonised and extended globally
- Inform / access / rectify / erase / object
- Give or withdraw specific data usage consent
- Insight into automatic decision making
- Transfer personal data to another provider (portability)

Broadened scope of Personal Data
- All direct and indirect identifiers
- Behavioural, derived and self-identified data
- Unstructured data
- Format and technology agnostic

Organisational Impact
- Data controllers and data processors liable for breaches
- Data controllers legally bound to validate data processors' compliance
- Data Protection Officer obligatory
- Stringent data security and breach management
- Conditions for cross-border data transfer altered

Increased cost of non-compliance
- Fines up to 4% of annual turnover or 20 million
- Data Privacy Authorities empowered
- Increased activist and court activity
- Increased risk and cost of reputational damage
Focused on the citizen...
- Consent Management: Make it easy for me to manage how I consent to share different types of personal data with you
- Erasure: I want to be forgotten by you
- Subject Access Request: What information do you hold on me and what do you use it for?
- Rectification & Data Portability: I want you to correct my data and then I want to take my data to a new provider
- Privacy Impact Assessment: I want to develop a new process using personal data. Am I allowed to gather, augment and analyse all this personal data?
- Breach Notification: Tell me if my personal data has been breached. Was it encrypted?
- Access Management: Do I have the right data access privileges to allow access to the data I need to run my new process?
- Data Transfer: I want to transfer or process this data in a different country
...IBM's five-layer model for GDPR
- Governance: GDPR governance, covering amongst others legal assessment, third-party management, risk and compliance, and the DPO role
- Communications & People: people and communications, covering employee awareness and training, and internal and external communication
- Process: processes, covering the GDPR readiness of HR, CRM and other business processes
- Data: data, covering personal data life cycle management and citizen interaction
- Security: security, covering cyber security technologies to protect critical personal data and capabilities that enable timely breach notification
IBM supports your GDPR timeline until 2018 and beyond

GDPR Timeline: Now (2H 2016) -> 2017 -> 1H 2018 -> May 2018
- Diagnose: legal review; identify gaps; impact analysis
- Define, Design and Build: Governance; People & Communications; Process; Data; Security; Test & Assure
- Deliver and Demonstrate: deploy to production; demonstrate compliance (ongoing)

Many firms are currently working through the legal interpretation. IBM can support the gap and impact analysis. IBM can speed up your deployment programme at a reduced cost by bringing GDPR solutions, tools and accelerators across the full spectrum of your needs. IBM can provide the capabilities to help you deliver and demonstrate your GDPR capability.
So What Do You Do? PREPARE
What Does GDPR Ask of You?

The GDPR is all about acting responsibly with personal information, in its widest sense. Therefore, in broad terms, compliance with GDPR will require you to Understand Your Data, in order to Protect Your Data and Govern Your Data:
- Wherever it is (databases, file shares, email systems, storage boxes)
- In whatever format it is (structured, unstructured, audio, etc.)
IBM Solution Framework

Regulatory themes: Rights of EU Data Subjects; Security of Personal Data; Lawfulness and Consent; Accountability and Compliance; Lawfulness of Consent; Design and Default

Layers:
- Dynamic Policy Management: define what, why, how long
- Implementation Services: distribute policies to data sources
- Data Infrastructure: control use, align cost to value
Cross-cutting: Policies, Rules, Audit, Processes, Analyses

Products: IBM Atlas; IBM Case Manager; InfoSphere; Optim; Security & Compliance Monitoring

Data sources: Databases & Data Warehouse; ECM & Collaboration; Data Management Archive Platform; Hadoop Platform; Master Data; Email Servers; User Devices & File Shares; Cloud & Social
StoredIQ: Understanding Your Unstructured Data

Fast discovery of unstructured data across the enterprise, scaling to 100s of terabytes and petabytes:
- Where the data is
- What the data is
- How big the data is
- What the data is called
- Who created the data
- Deep knowledge of the data, many layers of attributes
StoredIQ: Deeper Analysis
- Open each text file
- Index its content: words, phrases, names
- Patterns: National Insurance numbers, credit cards, IDs, etc.
- Auto-Classification: classifies content based on a user-definable taxonomy; no coding required, uses Natural Language Processing; provides additional overlay/filter analysis capability
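The pattern and classification step above is the part of discovery that decides whether a file holds personal data at all. The following is an added illustration, not StoredIQ code and not part of the original deck: it scans constructed sample text for two of the identifier types the slide names (UK National Insurance numbers and payment card numbers), keeps only candidates that pass a structural check (HMRC's published NI format rules, and the Luhn checksum for card numbers) so that look-alike strings do not become false positives, and then assigns the file to a label from a constructed two-level taxonomy. The sample text, the taxonomy labels and the function names are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample standing in for the text of one file found during discovery.
# The NI numbers and card numbers here are made-up test values, not real identifiers.
SAMPLE_TEXT = """\
Payroll note for Jane Doe: NI number AB 12 34 56 C; card on file 4111 1111 1111 1111.
Lookup ref AB123456Z is an asset tag, not a person. Bad card 4111 1111 1111 1112.
Test NI BG 12 34 56 A should be ignored.
"""

# Two uppercase letters, three pairs of digits, one suffix letter; separators optional.
NI_RE = re.compile(r"\b([A-Z]{2})\s?(\d{2})\s?(\d{2})\s?(\d{2})\s?([A-Z])\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# HMRC structural rules for NI numbers (a format check only, not a register lookup).
NI_BAD_FIRST = set("DFIQUV")
NI_BAD_SECOND = set("DFIOQUV")
NI_BAD_PREFIX = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}
NI_SUFFIXES = set("ABCD")


def ni_format_ok(candidate: str) -> bool:
    """True when the candidate (spaces removed) has a structurally valid NI number format."""
    s = candidate.replace(" ", "").upper()
    if len(s) != 9:
        return False
    prefix, digits, suffix = s[:2], s[2:8], s[8]
    return (
        prefix[0] not in NI_BAD_FIRST
        and prefix[1] not in NI_BAD_SECOND
        and prefix not in NI_BAD_PREFIX
        and digits.isdigit()
        and suffix in NI_SUFFIXES
    )


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str      # taxonomy label, e.g. "NI_NUMBER" or "CARD_NUMBER"
    value: str     # matched text as it appears in the document
    offset: int    # character offset, so a reviewer can locate it in the source


def scan_text(text: str) -> List[Finding]:
    """Find identifier patterns, keeping only candidates that pass their validity check."""
    findings: List[Finding] = []
    for m in NI_RE.finditer(text):
        if ni_format_ok(m.group(0)):
            findings.append(Finding("NI_NUMBER", m.group(0), m.start()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("CARD_NUMBER", m.group(0), m.start()))
    findings.sort(key=lambda f: f.offset)
    return findings


def classify(findings: List[Finding]) -> str:
    """Constructed taxonomy: the most sensitive pattern present decides the document class."""
    kinds = {f.kind for f in findings}
    if "CARD_NUMBER" in kinds:
        return "Financial personal data"
    if "NI_NUMBER" in kinds:
        return "Identity personal data"
    return "No identifier pattern found"


if __name__ == "__main__":
    hits = scan_text(SAMPLE_TEXT)
    for h in hits:
        print(f"{h.kind:12} at {h.offset:4}: {h.value}")
    print("Class:", classify(hits))
```

Run against the sample, the scanner reports one NI number and one card number and classes the file as financial personal data; the asset tag with an invalid suffix, the prefix-blocked NI number and the card number that fails Luhn are all dropped. Recording the offset alongside the match is what lets a reviewer confirm a hit in context before the file is put under a retention or erasure policy.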
Atlas Policy Suite provides broad support for regulatory and legal compliance

The IBM Atlas Policy Management Suite is a pivotal component of the IBM Information Lifecycle Governance (ILG) solution portfolio.
- Helps organizations improve information economics and reduce risk by enabling defensible disposal of data debris
- Aligns information cost to value through value-based archiving and tiering
- Reduces information risk by instrumenting privacy, electronic discovery (eDiscovery), and regulatory policy across the data environment

Primary features include:
- Incorporates a citation database of relevant legislation, regulation and policy
- Maintains an organizational, multi-jurisdictional retention file plan for all information types, with cross-reference back to the corresponding citation
- Provides a catalogue of data sources (processes, data repositories, applications, etc.)
- Maps all information types to the data sources which utilize them, as well as the business units and individuals who own the information
Let's take a look