Understanding my data and getting value from it

Creating Value With GDPR: Practical Steps

20th February 2017

Gregory Campbell, Governance, Regulatory and Legal Consultant, IBM Analytics

Sol Barron, Information Governance Specialist, IBM Analytics

Simon Knezevic, GDPR Lead – Distribution Sector, IBM GBS

© 2017 IBM UK & Ireland



Notice

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

References to GDPR are references to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)


Understanding My Data – Data Mapping and Data Discovery


ORGANISATIONAL and TECHNICAL MEASURES


PROACTIVE vs REACTIVE



PROACTIVE and REACTIVE


VALUE


DATA MAPPING

DATA DISCOVERY

VALUE


Understanding My Data – Data Mapping and Data Discovery: Basic Concepts

DATA MAPPING

“Top Down” process cataloguing the locations in your organisation where (personal) data and processes exist, together with e.g. their usage and purposes


DATA DISCOVERY

“Bottom up” process, commonly supported by tools, to discover and classify the content of data stores


DATA MAPPING

What is Data Mapping? GDPR Context…

Article 30 of Regulation (EU) 2016/679

Recital 82 of Regulation (EU) 2016/679


What is Data Mapping? GDPR Context…

Article 30 of Regulation (EU) 2016/679

[Diagram: GDPR Article 30, Records of Processing Activities; labels: controller, processor, regulator, written, sme, who, what, why, where, when, way]


What is Data Mapping? The Challenges…

Interpreting, following and actioning Article 30

Building on existing data mapping activities to align with GDPR

Leveraging the application of data mapping beyond Article 30

Continuing obligation, not a one-time process


What is Data Discovery? How does it relate to and help Data Mapping?

Methodical and/or targeted review of data stores across the information landscape

Generally a tools-based approach to understand contents but can involve manual activity

Discovery and classification of personal data is an implicit and pervasive requirement of the GDPR


Data Mapping and Data Discovery – GDPR outcomes… and beyond

Support demonstration of records of processing activities to regulators

Enabler towards master data management (single view of the individual) projects

Foundational steps towards conforming with the wider GDPR…

… and beyond GDPR...


Understand My Data

Protect, govern and know your data – you can’t protect and govern what you don’t know

Finding Personal Data within the petabytes of information across an enterprise is a technical and organisational challenge

The proliferation of unstructured data makes this even harder

Tools need to be an essential element of your discovery projects


PREPARE

So What Do You Do?


StoredIQ – Understanding Unstructured Data

Fast discovery of unstructured data across the enterprise scaling from Terabytes to multiple Petabytes

Where the data is

What the data is

How big the data is

What the data is called

Who created the data

Deep knowledge of the data, many layers of attributes


StoredIQ – Deeper Analysis

Open each text file, index its content:

Words, Phrases, Names

Patterns: National Insurance numbers, credit cards, IDs, etc.

Auto-Classification:

Classifies content based on user-definable taxonomy

No coding required, uses Natural Language Processing

Provides additional overlay/filter analysis capability
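The pattern step on this slide, sketched as an added example (not StoredIQ's code and not from the original deck): candidate National Insurance and payment card numbers are matched in text, card candidates are checked with the Luhn checksum to cut false positives, and findings are masked. The function names and sample documents are hypothetical and constructed; the NI prefix rules are assumed from HMRC's published format.

```python
import re

# UK National Insurance number: two prefix letters, six digits, suffix A-D.
# Prefix exclusions follow HMRC's published format (assumption: verify before use).
NINO_RE = re.compile(
    r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]"
    r"(?: ?\d{2}){3} ?[A-D]\b"
)
# Candidate payment card: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn checksum: filters out order numbers and IDs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value):
    """Keep the last four characters so the findings list is not itself a PII store."""
    compact = re.sub(r"[ -]", "", value)
    return "*" * (len(compact) - 4) + compact[-4:]


def classify(name, text):
    """Return (source, category, masked value) for each pattern hit in one document."""
    hits = [(name, "uk_nino", mask(m.group())) for m in NINO_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append((name, "payment_card", mask(m.group())))
    return hits


# Constructed sample documents; the values are test data, not real personal data.
SAMPLES = {
    "hr/onboarding.txt": "New starter NI number: AB 12 34 56 C, start 01/03/2017.",
    "finance/refund.txt": "Refund to card 4111 1111 1111 1111, ref 1234567890123456.",
    "it/notes.txt": "Asset tag GB123456A, ticket 20170220.",
}


def scan(samples=SAMPLES):
    return [hit for name, text in samples.items() for hit in classify(name, text)]
```

The 16-digit reference number and the `GB`-prefixed asset tag in the samples are rejected, which is the false-positive control a pattern-only scan lacks.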


Cataloguing and making Data Mapping and Data Discovery results useable

Results of data mapping and data discovery must be documented. It is necessary to understand:

The regulations applying to the data

The purpose

Type of data

Ownership and stewardship

Retention rules

Ease of access, control, maintainability and auditability of this information is necessary to ensure your catalogue remains accurate

Clipboard and spreadsheet approaches fall short


Atlas for Data Mapping

Helps you improve information economics and reduce risk by enabling defensible disposal of data debris

Primary features include:

A citation database of relevant legislation, regulation and policy

An organizational, multi-jurisdictional retention file plan for all information types with cross-reference back to the corresponding citation

A catalogue of data sources (processes, data repositories, applications, etc.)

Maps all information types to the data sources which utilize them as well as the business units and individuals who own the information

The who, why, what, where, when and way in which you handle your (personal) data


Understand My Data – Data Mapping and Data Discovery Approach


Phased Implementation Approach

Crawl: Start Small, Start Quickly
Confirm data mapping and data discovery focus based business use of personal data and risk based priority
Conduct data mapping exercise and maintain an inventory / catalogue manually in spreadsheets or stand alone tools
Validation of personal data is conducted by business, system owners and administrators and manually captured

Walk: Expand, Introduce Tooling
Extend focus of data mapping and discovery beyond initial focus areas
Utilise centralised tool based catalogue with audit control and accessibility
Conduct tool based data discovery to assess structured and unstructured data sources for potential personal data

Jog: Governance and Integration
Implement and refine data governance process to incorporate personal data
Integrate discovery and catalogue tools to ensure discovery to simplified and ongoing maintenance of personal data catalogue

Run: Continuing Accountability
Full information governance implemented across enterprise to ensure data is controlled and processes in place
Incorporate master data management for digital personal data enabling control and audit and embed in as part of information governance
