Adaptive - What Are Companies Doing About GDPR...What Are Companies Doing About GDPR? Is Your Company Ready? DAMA Day - June 21, 2018 1 Confidential and Restricted. Adaptive, Inc.

WhatAreCompaniesDoingAboutGDPR?IsYourCompanyReady?

DAMADay-June21,2018

ConfidentialandRestricted.Adaptive,Inc.20181

TopicsforDiscussion

Copyright©2018Adaptive,Inc.AllRightsReserved. 2

•  HowareorganizationsmeetingGDPRrequirements?

•  Whatarethechallenges?Whyisithardandexpensive?

•  Applyinglessonslearned:ApracticalimplementationframeworkformeetingGDPRrequirements

GDPRInaNutshell


Allaboutprotectingcustomerdata,whichmeans:

•  Knowingwhereprotectedclassesofcustomerdataarebeingstored

•  Applyingdataprotectioncontrolsonthem

•  Usingthemonlywhenneeded

•  Keepingthemonlyasneeded

•  Deletingthematrequest

•  Sharingthematrequest

•  Knowingwhentheyaremisused/lost

•  Notifying/respondingwhentheyaremisused/lost

ProtectedClassesofData


•  Basicidentityinformationsuchasname,addressandIDnumbers(PIIorpersonallyidentifiableinformation)

•  Webdatasuchaslocation,IPaddress,cookiedataandRFIDtags

•  Healthandgeneticdata

•  Biometricdata

•  Racialorethnicdata

•  Politicalopinions

•  Sexualorientation

HowAreCompaniesAddressingGDPR


ARiskandControlsFrameworkforGDPRReadiness

!  HiringKeyCorporateOfficers!  InventoryingDataProcessors!  UpdatingPrivacyPolicies!  RevisingDataProtectionContracts

withSuppliers

!  UpgradingIncidentResponseProcedures

Policy&GovernanceControls

DataControls

!  IdentifyingSourcesofProtectedData

!  MappingSourcestoBusinessFunctions/UsesofData

!  ImplementingTechnicalProtectionControlsatSourcesbasedonDataUsage/Function



HiringtheRightOfficers1.  HaveyouformalizedthetitlesforDataControllerandDataPrivacyOfficer?

2.  Havetheybeenstaffed?

3.  Aretheirresponsibilitiesandorganizationalstructuresclear?

InventoryingDataProcessors

1.  AreallDataProcessorswithinacompanyidentified?o  Impliesthatweknowwherecustomerdataisstoredthroughouttheenterprise,

andallBusinessandITowners(in-sourcedoroutsourced)areidentified



UpdatingPrivacyPolicies1.  DoesitprovidetheidentityandcontactinformationoftheDataPrivacyOfficer?

2.  Doesitdescribethepurposeforstoringcustomerdata,andhowitwillbeused?

o  CRITICAL:Purposesandusesneedtobelinkedtobusinessfunctionsandoperations

3.  Doesitdescribewhatcategoriesofpersonaldataarebeingcollected?o  CRITICAL:CategoriesneedtobelinkedtoBusinessGlossaries/DataDictionaries

4.  Doesitdescribewhodataisbeingsharedwith?5.  Doesitdescribehowlongdatawillbemaintained(andhowthiswasdetermined)?

6.  Doesitlayoutthecustomer’srights(tobeforgotten,tolodgecomplaints)?

7.  Doesitdescribewhathappensifthereisabreachandwhattheconsequencesofnon-complianceare?



RevisingDataProtectionContractswithSuppliers1.  RevisitingwhointheDataProcessors’orgcanaccesscustomerdata

2.  Revisitingincidentnotificationresponsibilities

3.  Revisitingliabilityclaimsandinsurancerequirementso  Thisistypicallythemostchallengingarea

UpgradingIncidentResponseProcedures

1.  Canyoumeetthe72-hourtimingwindowtonotifyclientsofbreachormisuseofdata?o  Impliesstrongdataleakageandsecurityeventmonitoringtechnicalcontrolsforall

sourcesofprotecteddatawithinallDataProcessorso  Impliescomprehensivecustomernotification/escalationcapabilities

DataControls


IdentifyingSourcesofProtectedData1.  HaveyoudefinedProtectedDataintoCriticalDataElements(CDEs)inyour

DataDictionary?

2.  HaveyouinventoriedallSourcesofCDEsfronttoback–mappingbusinessappstodataclasses(logicaltophysical)?

ProtectedDataClass CriticalDataElement(CDE)

IdentityInformation •  FirstName•  LastName•  HomeorPhysicalmailingaddress•  …

WebData •  IPaddress•  MACaddress•  WebsiteURL•  …

HealthandGeneticData •  Prescription•  MedicalID/recordnumber•  AdmitDate•  …

DataControls


MappingSourcestoBusinessFunctions/UsesofData1.  HaveyoudefinedaFunctionalTaxonomy(functionmodel),whichmapsto

theusesofdata?

2.  HaveyoumappedSourcesofdata(businessapps)tofunctions?

FunctionalCategory Function

SalesandMarketing •  MarketResearch•  AdvertisingandPromotion•  NewCustomerAcquisition•  …

CustomerLifecycleManagement

•  OnboardingandKYC•  CustomerRelationshipManagement•  CustomerSupport•  …

ProductManagement •  ProductSelectionandPromotion•  ProductStrategy•  NewProductDevelopment•  …

DataControls


ImplementingTechnicalProtectionControls1.  Encryption(inflight,atrest)

2.  Accesscontrol(authentication,authorization)

3.  ArchivalandRetention(informationlifecyclemanagement)

4.  Deletion(forindividualrecordsanddatabasevalues)

5.  Distribution/Sharing

6.  Monitoring/IncidentDetection(leakage,securityevent)

7.  Escalation(notification,communication)

Goalistomapcontroltypestofunctions,dataandsystemsinordertomeasurecompliance

WhataretheEmergingBestPractices?


•  Eitherinvestinmodelingcontrols,functionsanddatarelationships

•  Or,investinKnowledgeGraphsorsemanticontologies(e.g.,FIBO,RDF,commercialmodels)

ReusableSimpleEnterpriseModels

AutomatedHarvesting

•  Adaptorstobuildinventoriesofdataandmeta-dataacrossecosystemofbusinessapps

•  Inferenceenginesandmachinelearningclassificationmodelsthatmapdatafrombusinessappstosemanticmodels

HowMuchInvestmentisRequired?


HowMuchInvestmentisRequired?


WhatAretheKeyChallenges?


1.  IdentifyinglistofDataProcessors,andrenegotiatingliabilityandinsuranceclausesrelatedtomanagementofcustomerinformation

2.  Modelingofbusinessfunctions,dataclassesandrequiredcontrols

3.  Comprehensiveidentificationofin-scopesystems

4.  Implementationofadequatetechnicaldataprotectioncontrolswithinin-scopesystems–especiallyforCustomerRighttoForget

APathForward


Data Governance Policy Management

Policy Requirements

Policy Controls

Required Evidence

Control Rating Self Assessment

Action / Remediation

Plan

Enterprise Data Management Model

Data Controls

Required Evidence

Control Rating Self Assessment

Action / Remediation

Plan

Enterprise Function Model

Business Information Model

Critical Data Elements

Business Rules

Identification of Golden Source

Data Quality Monitoring

Data Lineage Management

Data Issues Management

Mappings to Business

Applications

TheAdaptiveData“BankinaBox”Meta-Model

Adaptive“BankinaBox”


•  DataGovernanceinaBox,fortheBankingindustry

•  ComeswithDataManagementpoliciespre-definedforthemostsignificantregulations

•  ComeswithdefinitionsofBankingbusinessfunctions,informationanddatamodels,andinsightandknowledgeofwhichfunctionscreateandconsumedata

•  Comeswithpre-defineddescriptionsofCriticalDataElementsforregulatoryfunctions,aswellasthecorebusinessandtechnicalrulesrequiredtoattesttotheirquality

Thankyou.JeffGoins

[email protected]

ConfidentialandRestricted.Adaptive,Inc.2018

Adaptive - What Are Companies Doing About GDPR...What Are Companies Doing About GDPR? Is Your Company Ready? DAMA Day - June 21, 2018 1 Confidential and Restricted. Adaptive, Inc.

Documents