Adaptive - What Are Companies Doing About GDPR? Is Your Company Ready? (transcript of the slide deck)
What Are Companies Doing About GDPR? Is Your Company Ready?
DAMA Day - June 21, 2018
Confidential and Restricted. Adaptive, Inc. 2018
Topics for Discussion
Copyright © 2018 Adaptive, Inc. All Rights Reserved.
• How are organizations meeting GDPR requirements?
• What are the challenges? Why is it hard and expensive?
• Applying lessons learned: a practical implementation framework for meeting GDPR requirements
GDPR in a Nutshell
All about protecting customer data, which means:
• Knowing where protected classes of customer data are being stored
• Applying data protection controls on them
• Using them only when needed
• Keeping them only as needed
• Deleting them at request
• Sharing them at request
• Knowing when they are misused/lost
• Notifying/responding when they are misused/lost
Protected Classes of Data
• Basic identity information such as name, address and ID numbers (PII or personally identifiable information)
• Web data such as location, IP address, cookie data and RFID tags
• Health and genetic data
• Biometric data
• Racial or ethnic data
• Political opinions
• Sexual orientation
How Are Companies Addressing GDPR
A Risk and Controls Framework for GDPR Readiness
Policy & Governance Controls
• Hiring Key Corporate Officers
• Inventorying Data Processors
• Updating Privacy Policies
• Revising Data Protection Contracts with Suppliers
• Upgrading Incident Response Procedures
Data Controls
• Identifying Sources of Protected Data
• Mapping Sources to Business Functions/Uses of Data
• Implementing Technical Protection Controls at Sources based on Data Usage/Function
Policy & Governance Controls
Hiring the Right Officers
1. Have you formalized the titles for Data Controller and Data Privacy Officer?
2. Have they been staffed?
3. Are their responsibilities and organizational structures clear?
Inventorying Data Processors
1. Are all Data Processors within a company identified?
   o Implies that we know where customer data is stored throughout the enterprise, and all Business and IT owners (in-sourced or outsourced) are identified
Policy & Governance Controls
Updating Privacy Policies
1. Does it provide the identity and contact information of the Data Privacy Officer?
2. Does it describe the purpose for storing customer data, and how it will be used?
   o CRITICAL: Purposes and uses need to be linked to business functions and operations
3. Does it describe what categories of personal data are being collected?
   o CRITICAL: Categories need to be linked to Business Glossaries/Data Dictionaries
4. Does it describe who data is being shared with?
5. Does it describe how long data will be maintained (and how this was determined)?
6. Does it lay out the customer’s rights (to be forgotten, to lodge complaints)?
7. Does it describe what happens if there is a breach and what the consequences of non-compliance are?
Policy & Governance Controls
Revising Data Protection Contracts with Suppliers
1. Revisiting who in the Data Processors’ org can access customer data
2. Revisiting incident notification responsibilities
3. Revisiting liability claims and insurance requirements
   o This is typically the most challenging area
Upgrading Incident Response Procedures
1. Can you meet the 72-hour timing window to notify clients of breach or misuse of data?
   o Implies strong data leakage and security event monitoring technical controls for all sources of protected data within all Data Processors
   o Implies comprehensive customer notification/escalation capabilities
Data Controls
Identifying Sources of Protected Data
1. Have you defined Protected Data into Critical Data Elements (CDEs) in your Data Dictionary?
2. Have you inventoried all Sources of CDEs front to back – mapping business apps to data classes (logical to physical)?

Protected Data Class      | Critical Data Element (CDE)
Identity Information      | First Name; Last Name; Home or Physical mailing address; …
Web Data                  | IP address; MAC address; Website URL; …
Health and Genetic Data   | Prescription; Medical ID/record number; Admit Date; …
Data Controls
Mapping Sources to Business Functions/Uses of Data
1. Have you defined a Functional Taxonomy (function model), which maps to the uses of data?
2. Have you mapped Sources of data (business apps) to functions?

Functional Category             | Function
Sales and Marketing             | Market Research; Advertising and Promotion; New Customer Acquisition; …
Customer Lifecycle Management   | Onboarding and KYC; Customer Relationship Management; Customer Support; …
Product Management              | Product Selection and Promotion; Product Strategy; New Product Development; …
Data Controls
Implementing Technical Protection Controls
1. Encryption (in flight, at rest)
2. Access control (authentication, authorization)
3. Archival and Retention (information lifecycle management)
4. Deletion (for individual records and database values)
5. Distribution/Sharing
6. Monitoring/Incident Detection (leakage, security event)
7. Escalation (notification, communication)
The goal is to map control types to functions, data and systems in order to measure compliance.
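As an added illustration of that goal (not code or a model from the Adaptive deck), the following Python sketch links the three things the preceding slides ask for: protected data classes and their CDEs (from the CDE table), the systems that store them together with the business functions those systems serve (from the function model), and the seven control types above. It then measures control coverage per system, rolls open gaps up to business functions, and flags CDEs that no protected class covers. The inventory, the function names and the mapping of data classes to required control types are constructed assumptions; a real programme would take them from its data dictionary, function model and policy controls.

```python
"""Measure GDPR control coverage by mapping protected data classes -> CDEs -> systems
-> business functions -> required control types.  Added example with a constructed
inventory; not Adaptive's model or code."""
from dataclasses import dataclass

# The seven control types listed on the "Implementing Technical Protection Controls" slide.
CONTROL_TYPES = ("encryption", "access_control", "retention", "deletion",
                 "sharing", "monitoring", "escalation")

# Protected data class -> CDEs, taken from the deck's CDE table (the "..." rows are omitted).
CDE_CLASSES = {
    "identity_information": {"first_name", "last_name", "mailing_address"},
    "web_data": {"ip_address", "mac_address", "website_url"},
    "health_and_genetic_data": {"prescription", "medical_record_number", "admit_date"},
}

# Assumption: which control types each data class requires.  A constructed policy for
# illustration; a real programme derives this from its policy controls.
REQUIRED_CONTROLS = {
    "identity_information": {"encryption", "access_control", "retention",
                             "deletion", "monitoring", "escalation"},
    "web_data": {"access_control", "retention", "deletion", "monitoring"},
    "health_and_genetic_data": set(CONTROL_TYPES),
}


@dataclass(frozen=True)
class Source:
    """A business application or data store holding protected data."""
    name: str
    functions: frozenset   # business functions (from the function model) that use it
    cdes: frozenset        # CDEs it stores (from the data dictionary)
    controls: frozenset    # control types actually implemented at this source


def classes_for(cdes):
    """Protected data classes present among a set of CDEs."""
    return {cls for cls, members in CDE_CLASSES.items() if cdes & members}


def required_for(cdes):
    """Union of the control types required by every data class present."""
    required = set()
    for cls in classes_for(cdes):
        required |= REQUIRED_CONTROLS[cls]
    return required


def assess(sources):
    """Per source: required controls, missing controls and a coverage ratio."""
    report = {}
    for src in sources:
        required = required_for(src.cdes)
        missing = required - src.controls
        coverage = 1.0 if not required else (len(required) - len(missing)) / len(required)
        report[src.name] = {"required": required, "missing": missing,
                            "coverage": round(coverage, 2)}
    return report


def gaps_by_function(sources):
    """Roll missing controls up to the business functions that use each source."""
    report = assess(sources)
    by_function = {}
    for src in sources:
        for fn in src.functions:
            by_function.setdefault(fn, set()).update(report[src.name]["missing"])
    return by_function


def unclassified_cdes(sources):
    """CDEs in the inventory that no protected data class covers (a data-dictionary gap)."""
    known = set().union(*CDE_CLASSES.values())
    return {c for src in sources for c in src.cdes} - known


# Constructed sample inventory (not real systems).
SAMPLE_SOURCES = [
    Source("crm_db",
           frozenset({"customer_relationship_management", "customer_support"}),
           frozenset({"first_name", "last_name", "mailing_address", "ip_address"}),
           frozenset({"encryption", "access_control", "monitoring"})),
    Source("web_analytics",
           frozenset({"market_research", "advertising_and_promotion"}),
           frozenset({"ip_address", "website_url"}),
           frozenset({"access_control", "retention", "deletion", "monitoring"})),
    Source("claims_archive",
           frozenset({"customer_support"}),
           frozenset({"medical_record_number", "prescription", "loyalty_tier"}),
           frozenset({"encryption", "access_control"})),
]

if __name__ == "__main__":
    for name, row in assess(SAMPLE_SOURCES).items():
        print(f"{name}: coverage {row['coverage']:.0%}, missing {sorted(row['missing'])}")
    for fn, missing in sorted(gaps_by_function(SAMPLE_SOURCES).items()):
        print(f"function {fn}: open control gaps {sorted(missing)}")
    print("CDEs with no protected class:", sorted(unclassified_cdes(SAMPLE_SOURCES)))
```

Because the required controls are derived from the data classes a system holds rather than assigned per system, adding a CDE to a source automatically raises its requirements; the function roll-up is what lets a privacy officer answer "which business uses are currently exposed" rather than only "which databases are".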
What are the Emerging Best Practices?
Reusable Simple Enterprise Models
• Either invest in modeling controls, functions and data relationships
• Or, invest in Knowledge Graphs or semantic ontologies (e.g., FIBO, RDF, commercial models)
Automated Harvesting
• Adaptors to build inventories of data and meta-data across ecosystem of business apps
• Inference engines and machine learning classification models that map data from business apps to semantic models
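The classification bullet above, in its simplest rule-based form, as an added example that is not Adaptive's product code: tag the columns of a harvested business-application schema with the CDE and protected data class they most likely hold, using value patterns for formats that identify themselves (IP address, MAC address, URL) and column-name hints for CDEs whose values do not. The schema, the sample values and the name hints are constructed; in practice the column metadata and samples would arrive through the harvesting adaptors, and an ML model would replace or extend the hint table.

```python
"""Rule-based column classifier: tag a business application's columns with the CDE and
protected data class they most likely hold.  Added example (not Adaptive's product code);
a minimal stand-in for the inference-engine / ML classification bullet."""
import re
from collections import Counter

# Value patterns for formats that identify a CDE on their own (constructed, deliberately strict).
VALUE_PATTERNS = {
    "ip_address": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "mac_address": re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$"),
    "website_url": re.compile(r"^https?://\S+$"),
}

# Column-name hints for CDEs whose values are not self-describing (constructed).
NAME_HINTS = {
    "first_name": ("first_name", "fname", "given_name"),
    "last_name": ("last_name", "lname", "surname"),
    "mailing_address": ("mailing_address", "street", "postal_addr"),
    "medical_record_number": ("mrn", "medical_record"),
    "prescription": ("prescription",),
    "admit_date": ("admit_date", "admission_date"),
}

# CDE -> protected data class, following the deck's CDE table.
CDE_CLASS = {
    "first_name": "identity_information", "last_name": "identity_information",
    "mailing_address": "identity_information",
    "ip_address": "web_data", "mac_address": "web_data", "website_url": "web_data",
    "prescription": "health_and_genetic_data",
    "medical_record_number": "health_and_genetic_data",
    "admit_date": "health_and_genetic_data",
}


def classify_by_values(values, threshold=0.8):
    """Return a CDE if at least `threshold` of the non-empty sample values match its pattern."""
    sample = [v for v in values if v]
    if not sample:
        return None
    for cde, pattern in VALUE_PATTERNS.items():
        hits = sum(1 for v in sample if pattern.match(v))
        if hits / len(sample) >= threshold:
            return cde
    return None


def classify_by_name(column):
    """Return a CDE whose name hint appears in the lower-cased column name."""
    col = column.lower()
    for cde, hints in NAME_HINTS.items():
        if any(hint in col for hint in hints):
            return cde
    return None


def classify_column(column, values):
    """Value evidence first (it does not depend on naming discipline), then name hints."""
    cde = classify_by_values(values) or classify_by_name(column)
    return None if cde is None else {"cde": cde, "class": CDE_CLASS[cde]}


def classify_schema(schema):
    """schema: {column: [sample values]} -> {column: {"cde", "class"}} for protected columns only."""
    results = {}
    for column, values in schema.items():
        tag = classify_column(column, values)
        if tag:
            results[column] = tag
    return results


def summarize(results):
    """Count protected columns per data class (what a CDE inventory would report)."""
    return dict(Counter(tag["class"] for tag in results.values()))


# Constructed sample schema with a few sample values per column (not real data).
SAMPLE_SCHEMA = {
    "cust_fname": ["Ana", "Luis", "Mei"],
    "surname": ["Ortiz", "Kim", "Okafor"],
    "last_login_ip": ["10.0.0.12", "192.168.1.4", ""],
    "device_hw": ["00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f"],
    "referrer": ["https://example.com/a", "http://example.org/"],
    "mrn": ["MRN-1001", "MRN-1002"],
    "created_at": ["2018-06-21", "2018-06-22"],   # a date, but not an admit date: stays untagged
    "loyalty_tier": ["gold", "silver"],
}

if __name__ == "__main__":
    tagged = classify_schema(SAMPLE_SCHEMA)
    for column, tag in tagged.items():
        print(f"{column}: {tag['cde']} ({tag['class']})")
    print("per class:", summarize(tagged))
```

The value patterns are kept to formats that cannot reasonably be anything else, and a generic date pattern is deliberately absent: a column of ISO dates is only an admit date if its name says so, and over-tagging would inflate the inventory that the later control mapping has to defend.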
How Much Investment is Required?
What Are the Key Challenges?
1. Identifying list of Data Processors, and renegotiating liability and insurance clauses related to management of customer information
2. Modeling of business functions, data classes and required controls
3. Comprehensive identification of in-scope systems
4. Implementation of adequate technical data protection controls within in-scope systems – especially for Customer Right to Forget
A Path Forward
[Diagram: The Adaptive Data “Bank in a Box” Meta-Model. Box labels as extracted: Data Governance Policy Management (Policy Requirements; Policy Controls; Required Evidence; Control Rating Self Assessment; Action / Remediation Plan); Enterprise Data Management Model (Data Controls; Required Evidence; Control Rating Self Assessment; Action / Remediation Plan); Enterprise Function Model; Business Information Model; Critical Data Elements; Business Rules; Identification of Golden Source; Data Quality Monitoring; Data Lineage Management; Data Issues Management; Mappings to Business Applications]
Adaptive “Bank in a Box”
• Data Governance in a Box, for the Banking industry
• Comes with Data Management policies pre-defined for the most significant regulations
• Comes with definitions of Banking business functions, information and data models, and insight and knowledge of which functions create and consume data
• Comes with pre-defined descriptions of Critical Data Elements for regulatory functions, as well as the core business and technical rules required to attest to their quality