
GDPR: Is Your Organization Ready for the General Data Protection Regulation?



Confidential and Proprietary. All rights reserved. Copyright © 2016 DATUM LLC

Learning Lab

Is Your Organization Ready for the General Data Protection Regulation?

Jonathan Adams, Research Director

GDPR

Peter Steiner; New Yorker Magazine; July 1993

GDPR: 3 Reasons to Care

1. Reduce Costs: Fines up to 4% of Global Revenue

*2016 Annual Revenues

2. Increase Margins: GDPR capabilities support digital transformation goals and drive new business models:

• Consumer Centric PLM

• Supply Chain & Channel Optimization

• Customer 360 programs

3. Grow Revenue

Data Monetization & New Revenue Streams

• Sports “Wearables”

• Self Identification at POI

• Cloud Based Services

“Trust” with Partners & Customers

The Clock is Ticking…

Defining GDPR

GDPR is a comprehensive set of privacy regulations designed to protect data for individuals within the European Union.

Objective:

• Give individuals control of their personal data

• Regulatory consistency across the EU

Impact:

• Covers personal data collected in the EU regardless of where the data collector is located

• All US based multinationals doing business with people in Europe will be impacted

GDPR’s Impact on Companies

Any business (foreign or domestic) engaged with individuals within the EU

The notion of Personally Identifiable Information (PII) is broadly defined: data that has the potential to identify a person living in Europe falls under the GDPR

GDPR applies “horizontally” across the organization’s business components, and “vertically” at all decision making levels.

GDPR applies across the complete value chain. Organizations are obligated to verify the compliance of parties with which they do business.

GDPR Requires Interpretation

General Data Protection Regulation

GDPR Requires Interpretation

It’s Comprehensive & Tightly Written

• All personal information, regardless of where it came from and how it is used, is governed

It’s Principle Based

• Requires companies to adopt privacy principles at the cultural level

It’s Compromise Legislation

• GDPR is a piece of what legal scholars call compromise legislation: a legislative text that tries to satisfy two starkly opposed sides of the data protection debate

When Interpretation is Required, Best Practices are Critical

The Governance Challenge

Creating transparent & defensible best practices that address “principles”

The Governance Challenge: Mapping the best practices to observable & measurable activities across many functional areas

Functional areas shown on the slide: Risk Management, Accountability, Org Design, Data Lineage, Process Alignment, PII Cataloging, International, Partner Management, Metadata, Data Governance, Data Architecture, Data Operations, Data Discovery, Best Practices, Security, Data Management, Privacy, Cloud Services, IoT

The 4 Core Capabilities: GDPR requirements can be simplified by organizing around four core capability areas:

Capability labels shown in the slide graphic:

• Consultation & Reporting

• Certification

• Risk Management

• Organizational Alignment

• Data by Design

• Risk Management

• Communication

• Remediation

• People

• Partners

• Regulators

• Organization

Mapping to the Regulation

• Forget: Art. 17

• Quarantine: Art. 18

• Package: Art. 20

• Fix: Art. 16

• Certification: Art. 42

• Risk Management: Art. 32

• Processor Compliance: Art. 28

• Data Management: Art. 6, 7, 9, 14

• International: Art. 27, 44, 45, 46, 47, 48, 49

• Best Practices: Art. 25, 40, 42, 41, 43

• Risk Management: Art. 32, 35, 36

• Accountability: Art. 37, 38, 39

• Consultation: Art. 36

• Best Practices: Art. 40

• Consent: Art. 6, 7, 8, 9, 10

• Notification: Art. 12

How DATUM Can Help

DATUM’s GDPR Readiness Assessment & Roadmap

Datum's Advisory Services group leverages our proprietary data governance model to capture key governance components and structure the governance operating model to transparently and defensibly achieve GDPR compliance.

DATUM’s Information Value Management®

DATUM’s Information Value Management® software platform allows you to implement this governance operating model throughout the organization by discovering, understanding and connecting the critical data to important business value drivers. Information Value Management® also comes with a library of resources that help jump start customers’ GDPR initiatives.

Where to Start: 3 Questions

1. Can I catalog my GDPR related data?

2. Do I know where and how it is used?

3. Do I have a governance process with observable and measurable controls?

1. Can I Catalog my GDPR Related Data?

Knowing what PII you have and how it is organized is foundational

Can I catalog my GDPR related data?

• If asked what is GDPR PII, can a data dictionary be produced?

• Is it detailed enough to apply governance?

If the Answer is No…

• If you don’t know where it is, you can’t apply any sort of governance

Who is in charge? Why is this information valuable? And what is the impact of a privacy breach?

2. Where Is It and How Is It Used?

Do I know where, how and who uses it?

• What business processes use GDPR PII?

• Why do they need PII?

• How critical is the PII?

Accountability is Key

• I cannot fix things if no one is accountable!

• Understanding value and impact prioritizes resources

3. Do I have a Governance Process?

Do I have a governance process with observable and measurable controls?

Demonstrable due diligence

Governance from policy to data mitigates risk

How do I make engaging with regulators a positive experience?

The IVM demonstration drills down on these three foundational use cases

1. Can I catalog my GDPR related data?

• If asked what is GDPR PII, can a data dictionary be produced?

• Is it detailed enough to apply governance?

It all starts here… If I do not know where it is I cannot apply any sort of governance

2. Do I know where, how and by whom it is used?

• What business processes use GDPR PII?

• Why do they need PII?

• How critical is the PII?

Accountability is key

• I cannot fix things if no one is accountable!

• Understanding value and impact prioritizes resources

3. Do I have a governance process with observable and measurable controls?

Demonstrable due diligence

Governance from policy to data mitigates risk


Right Data. Right Decisions. Right Now.

• Discover and understand the data available to your company

• Connect that data to the most important business value drivers: operations, analytics and compliance

• Clearly measure the impact data has on corporate initiatives