Best known as the world’s foremost authority on metadata management and the father of the Managed Metadata Environment, he is an internationally recognized expert in the fields of data governance, big data, data warehousing, master data management and data management. In 2004 David Marco was named the “Melvil Dewey of Metadata” by Crain’s Chicago Business as he was selected to their very prestigious “Top 40 Under 40” list. David Marco has authored several books including the widely acclaimed “Universal Metadata Models” (Wiley, 2004) and the classic “Building and Managing the Metadata Repository: A Full Life-Cycle Guide” (Wiley, 2000).
❑ President of Data Management University (DataManagementU.com)
❑ Author of several best-selling information technology books, including the top 2 sellers in metadata management history
❑ 2016 Data Management Channel Expert for Business Analytics Collaborative
❑ 2008 DAMA Data Management Hall of Fame (Professional Achievement Award)
❑ 2007 DePaul University named him one of their “Top 14 Alumni Under 40”
❑ Selected to the prestigious 2004 Crain’s Chicago Business “Top 40 Under 40”
❑ Presented hundreds of keynotes/seminars across four continents
❑ Published hundreds of IT articles, some of which were translated into Mandarin, Russian, Italian, Portuguese and other languages
❑ Taught at the University of Chicago and DePaul University
❑ Earned an MBA and holds CDMP, CDP, CCP and CBIP certifications
❑ General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law on data protection and privacy
❑ Fines can be as high as 5% of gross revenues
❑ Ask Google about the fine they received 1/21/2019
❑ France’s data protection regulator, CNIL (Commission Nationale de l'Informatique et des Libertés), has issued a €50 million ($56.8 million USD) fine to Google for failing to comply with GDPR (1/21/2019)
❑ It’s only a matter of time before we have a United States GDPR equivalent
➢ Guidelines in financial services requiring that professionals make an effort to verify the identity, suitability, and risks involved with maintaining a business relationship
❑ Anti-Money Laundering (AML)
➢ Bank regulations and anti-money laundering regulations
➢ In the 10 years since 2008, over $26B in fines have been levied by government bodies with over 91% coming from the United States government*
❑ California Consumer Privacy Act (CCPA) is a California state statute intended to enhance privacy rights and consumer protection for residents of the state
➢ Business criteria:
▪ Annual gross revenues over $25,000,000; or
▪ Possesses the personal information of 50,000 or more consumers, households, or devices; or
▪ More than half of your company’s annual revenue comes from selling consumers’ personal information
➢ Fines
▪ CCPA fines are applied per violation
▪ Maximum fine of $7,500 for an intentional violation
▪ No cap on the fines that can be given to an organization
❑ Nigerian Data Protection Regulation (NDPR), May 2020 from the National Information Technology Development Agency
➢ Section 37 of the Constitution of the Federal Republic of Nigeria 1999, as amended, provides that “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.”
➢ Similar to United States Federal Trade Commission's fair information practice principles (FIPPs)
➢ Requires public institutions to have a Data Protection Officer (DPO)
❑ Nevada's Data Breach Notification Law (CHAPTER 603A)
❑ Oregon Consumer Identity Theft Protection Act (codified as ORS § 654A.600 to 654A.628)
❑ The notice should identify any available consumer rights, including:
➢ any choice respecting the use of the data;
➢ whether the consumer has been given a right of access to the data;
➢ the ability of the consumer to contest inaccuracies;
➢ the availability of redress for violations of the practice code;
➢ and how such rights can be exercised.
❑ Notice in the context of the internet
➢ Can be accomplished by the posting of an information practice disclosure describing an entity's information practices on a company's site on the Web
➢ Such a disclosure should be clear and conspicuous, posted in a prominent location, and readily accessible from both the site's home page and any Web page where information is collected from the consumer
➢ Notice needs to be unavoidable and understandable so that it gives consumers meaningful and effective notice of what will happen to the personal information they are asked to divulge
Choice / Consent: In an on-line information-gathering sense, Choice / Consent means giving consumers options to control how their data is used
❑ Choice relates to secondary uses of information beyond the immediate needs of the information collector to complete the consumer's transaction. The two typical types of choice models are:
➢ Opt-in: requires that consumers affirmatively give permission for their information to be used for other purposes
▪ Without the consumer taking these affirmative steps in an 'opt-in' system, the information gatherer assumes that it cannot use the information for any other purpose
➢ Opt-out: requires consumers to affirmatively decline permission for other uses
▪ Without the consumer taking these affirmative steps in an 'opt-out' system, the information gatherer assumes that it can use the consumer's information for other purposes
❑ Each of these systems can be designed to allow an individual consumer to tailor the information gatherer's use of the information to fit their preferences by checking boxes to grant or deny permission for specific purposes rather than using a simple "all or nothing" method
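The opt-in and opt-out models above differ only in what the collector may assume when the consumer has made no affirmative choice; the added example below (illustrative code, not from the deck) encodes that default together with the per-purpose checkboxes, so the primary transaction is always allowed, an explicit grant or denial always wins, and only silence is resolved by the model. All identifiers and sample purposes are constructed.

```python
"""Consent-model evaluation for secondary data uses (constructed example).
Opt-in: a secondary use is permitted only if the consumer affirmatively granted it.
Opt-out: a secondary use is permitted unless the consumer affirmatively declined it.
Either model can be tailored per purpose with explicit grant/deny choices."""
from dataclasses import dataclass, field
from enum import Enum


class Model(Enum):
    OPT_IN = "opt-in"
    OPT_OUT = "opt-out"


@dataclass
class ConsentRecord:
    model: Model
    primary_purpose: str  # the transaction the data was collected to complete
    # explicit per-purpose choices: True = granted, False = declined; absent = no choice made
    choices: dict[str, bool] = field(default_factory=dict)

    def record_choice(self, purpose: str, granted: bool) -> None:
        """Store the consumer's affirmative grant or denial for one secondary purpose."""
        self.choices[purpose] = granted

    def may_use(self, purpose: str) -> bool:
        """Decide whether the collector may use the data for `purpose`."""
        if purpose == self.primary_purpose:
            return True  # completing the consumer's own transaction needs no extra choice
        if purpose in self.choices:
            return self.choices[purpose]  # a ticked/unticked box wins under either model
        # no affirmative step was taken, so the model's default assumption applies
        return self.model is Model.OPT_OUT


def demo() -> dict[str, bool]:
    """Constructed scenario: the same consumer choices evaluated under both models."""
    opt_in = ConsentRecord(Model.OPT_IN, "order_fulfilment")
    opt_out = ConsentRecord(Model.OPT_OUT, "order_fulfilment")
    for rec in (opt_in, opt_out):
        rec.record_choice("marketing_email", True)       # consumer ticked this box
        rec.record_choice("sale_to_third_party", False)  # consumer unticked this box
    return {
        "opt_in_primary": opt_in.may_use("order_fulfilment"),     # True
        "opt_in_unchosen": opt_in.may_use("analytics"),           # False: silence means no
        "opt_out_unchosen": opt_out.may_use("analytics"),         # True: silence means yes
        "opt_in_granted": opt_in.may_use("marketing_email"),      # True
        "opt_out_declined": opt_out.may_use("sale_to_third_party"),  # False
    }
```

The only line that differs between the two models is the final `return` in `may_use`; every other outcome is driven by the consumer's explicit choices.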
Access / Participation: Refers to an individual's ability both to access data about him or herself (i.e. to view the data in an entity's files) and to contest that data's accuracy and completeness
❑ Data accuracy and completeness are both essential
❑ Access must encompass timely and inexpensive access to data, a simple means for contesting inaccurate or incomplete data, a mechanism by which the data collector can verify the information, and the means by which corrections and/or consumer objections can be added to the data file and sent to all data recipients
Integrity / Security: Data needs to be accurate and secure
❑ To assure data integrity, collectors must take reasonable steps, such as:
➢ using only reputable sources of data and cross-referencing data against multiple sources,
➢ providing consumer access to data,
➢ destroying untimely data or converting it to anonymous form
❑ Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data
❑ Managerial measures include internal organizational measures that limit access to data and ensure that those individuals with access do not utilize the data for unauthorized purposes
❑ Technical measures to prevent unauthorized access include:
➢ encryption in the transmission and storage of data
➢ limits on access through use of passwords
➢ storage of data on secure servers or computers that are inaccessible by modem
❑ There are many regulations that an organization needs to adhere to
❑ A big challenge is that it is difficult to create an overarching data strategy that allows a company to adhere to the current regulations AND can grow to meet future regulations and changes to existing regulations
❑ Building a Regulatory Subjects spreadsheet is a key artifact of the Data Governance Guide
❑ The Regulatory Subjects spreadsheet will be the driver of many of your organization's data policies