1. 7 Key GDPR Requirements &
the Role of Data Governance
Jonathan Adams, DATUM
2. Jonathan Adams
• Director of Research that supports customers in building governance discipline around analytics and regulatory compliance
• Certified CMMI Enterprise Data Management Expert (EDME)
• 20+ years of experience in leading requirements, design and implementation efforts for retailers, financial organizations and federal agencies
5. If you are just starting…
How do I start?
• What is my risk exposure?
• What do I need to do NOW?!
6. If you are well on your way…
How do you avoid the MV Paradox?
• You do just enough to be compliant and then stop: compliance hell!
• Doing the right thing, but doing it WRONG!
• Focus on building capabilities that scale, are robust, are transparent and defensible
• Doing the right thing AND doing it Right!
7. Agenda:
• Quick Overview of GDPR
• Critical first steps – what you need to do NOW
• Ensuring long-term, stress-free compliance (Audit Resilience)
8. Defining GDPR
GDPR is a comprehensive set of privacy regulations designed to protect data
for individuals within the European Union.
Objective:
• Give individuals control of their personal data
• Regulatory consistency across the EU
Impact:
• Covers personal data collected in the EU regardless of where the data collector is located
• All US-based multinationals doing business with people in Europe will be impacted
• Fines are significant: up to 4% of global revenue
9. GDPR’s Impact on Companies
Any business (foreign or domestic) engaged with individuals within the EU
The notion of Personal Information (PI) is broadly defined: data that has the potential to identify a person living in Europe falls under the GDPR
GDPR applies “horizontally” across the organization’s business components, and “vertically” at all decision-making levels.
GDPR applies across the complete value chain. Organizations are obligated to
verify the compliance of parties with which they do business.
10. GDPR requirements can be simplified by organizing around four core capability areas
• People
• Partners
• Regulators
• Organization
[Diagram: the four areas (Organization, People, Partners, Regulators) arranged around a central “Privacy Culture”, labelled with the capabilities Communication, Remediation, Certification, Risk Management, Consulting & Reporting, Organizational Alignment, Privacy by Design and Risk Management]
11. People: The “owners” of Personal Information
[Diagram labels: Consent, Notification, Access, Forget, Quarantine, Package, Fix]
Obligations:
• Need for greater detail and clarity when collecting data
• Consent must be explicit as to use of data, how it will be processed, and by whom
• Notification of breach is required
Rights: Under GDPR individuals have the following rights:
• To be Informed
• To Access
• To Rectify
• To Erasure
• To Restrict Processing
• To Data Portability
• To Object
• Related to automated Decision Making and Profiling
12. Organization: “Data Protection by Design”
[Diagram labels: Data Management, International Best Practices, Risk Management, Accountability]
Obligations:
• Accountability – vertically, horizontally and externally
• Data Protection Officer required for most large companies
• Best practice “Codes of Conduct” mitigate against enforcement action
• Assessment of risk will drive multiple decisions – it needs to be transparent and defensible
• Cross-border data exchanges do not obviate requirements
13. Partners: A New Risk Dimension
[Diagram labels: Certification, Risk Management, Processor Compliance]
Obligations:
• Transfers of Personal Information between your company and business partners do not transfer the responsibility to ensure it is safeguarded – it is still yours to look after
• Establish a way to ensure your partners are providing GDPR-level security
• Best practice certifications that support third-party audits will streamline the assessment process and mitigate risk
• Due diligence and transparency are key to demonstrating diligence
14. Regulators: Communication is key
[Diagram labels: Consultation, Best Practices]
Obligations:
• Notification is required in the event of a breach
• “Breach” is broadly defined: destruction, loss, alteration, unauthorized disclosure of, or access to, personal data
• Reporting to regulators within 72 hours when a breach is likely to result in a risk to the rights and freedoms of individuals
• “Prior Consultation” is an expectation
• Privacy Impact Assessment anchors the regulator and risk discussions
• Best Practices will streamline these discussions
17. Catalog your Personal Information
“The first thing you have to know is yourself...” – Adam Smith
1 Identify Data: PI: Collected, Observed, Derived
2 Catalog Data: Foundational to Managing Data
3 Describe Data: Tag to Answer Compliance Requirements
18. Understand Risk
Is your Business Model “risky”?
What is your risk tolerance?
What does your lawyer say?
Remember – your lawyer interprets the regulation
Your governance team builds auditable controls consistent with policy shaped by interpretation
Your executive leadership defines policy
19. Build a Risk Model for transparency & defensibility
Confidential and Proprietary. Copyright © 2017. DATUM LLC
[Diagram: Vulnerabilities; GDPR Risk Areas (article references as given on the slide: 17-2, 32-1, 32-2, 33-1, 33-3, 34-1, 34-3, 35-1, 35-7-c,d, 35-11, 49-1-a); Practices; Mitigation; Risk Governance; Risk Analysis & Metrics; “To [the] rights and freedoms of natural persons”]
Best Practices: COBIT; CMMI DMM; ISO 27001; NIST 800-61 …
23. Best Practices Mitigate Risk
Aligning to Recognized Best Practice Frameworks Mitigates Risk
1 Pick a Framework That Works for You
2 Talk the Talk – Walk the Walk
3 Promote within Industry Associations
24. Operating Model Builds Accountability
Actors & Roles:
• Who needs to be engaged in the Data Governance program?
• What are their roles?
Organizational Design:
• The ideal design for “data” given organizational competencies
• What makes sense for the organization today?
• What is the vision given business goals?
Functions:
• The governance functions and Teams
• What skill sets are required?
• What functions are performed?
• Where do we get those resources?
Methods:
• What level of automation should exist to support Actors, Roles and the functions they perform?
25. Change management is the challenge
[Diagram labels: Operating Model; Organizational Alignment; Mobilizing Cross-Functional Teams; Empowerment (with Rules and Tools); Outcome-focused Metrics; Accountability; Step-Change; Change Management]
27. Be Agile – it’s a journey!
Steps can be iterative
• All data does not have to be cataloged day one
• All processes do not have to be known
• Have a Plan
• Focus on Demonstrable Due Diligence
• The solution ecosystem & governance framework that:
  ✓ Supports agile iterative evolution of capabilities
  ✓ Shows early successes
[Diagram label: Success]
28. Thank You for Your Time!
• Any questions?
• Visit us at http://www.datumstrategy.com/gdpr-solution for more information
• For the latest news follow us on Twitter at @datumstrategy
Confidential and Proprietary. Copyright © 2018. DATUM LLC