GDPR: General Data Protection Regulation
Olivier Barrot
IBM Client Technical Advisor
@olivierbarrot
© 2017 IBM Corporation
GDPR: Introduction
• Most significant change in data privacy law in the past 20 years
• Replaces the 1995 EU Data Directive
• Inspired by the Charter of Fundamental Rights of the European Union - Articles 7 (respect for private and family life) and 8 (protection of personal data)
• Aim is to have a harmonized, unified data protection law framework for all EU countries
• No longer a Directive but a Regulation
• Not a one-time effort but a multi-year journey with regular assessment checks
Timeline: Published June 2016 - Applicable May 2018 - 24 months to prepare (we are here) - Non-compliance?
GDPR: What you need to know
• Modernize the Law with Emerging Technologies
• Facilitate Free Flow of Data in the Digital Single Market
• Reinforce & Enhance Data Protection Rights of EU Data Subjects
• Extra-territorial: applies to organisations outside the EU processing EU data subjects’ personal data, with obligations not just on Controllers but now also on Processors
• Requires the appointment of mandatory Data Protection Officers
• Defines what constitutes personal, directly or indirectly identifiable data, such as online identifiers, IP addresses and location data
• Will fundamentally change the way organisations must protect, govern and manage their structured and unstructured data
GDPR issues: What we have seen so far
• Data retention, storage and security
• Designation of main establishment
• Vendor management and outsourcing
• Processing of personal data in the employment context and potential member state variations
• IT system capabilities, integrity and functionality, particularly to enable data subject rights
• Costs to business of free subject access requests
• Development of digital products and services
• Processing of data relating to criminal offences or convictions
• Uncertainty around data transfer mechanisms
• Engagement with industry associations and advocacy
• Data protection by design and default
• Responding to breaches within time limits
• Designation and tasks of the Data Protection Officer
• Consent and other lawful grounds for processing
• Data transfers to third country authorities (“anti-FISA clause”)
GDPR: Who is concerned? Program Stakeholders
Evolution of Compliance: GDPR Policy; Procedures and Organisation; Training and Communication
Stakeholders around GDPR Compliance: Board of Directors; DPO; Business IT Department; CMO; DHR; CIO; SR; LEGAL; CRO; CIL; CDO; Data Management and BigData architecture teams
Working mode between stakeholders: Communication, Collaboration, Coordination
GDPR: Hosting & Cloud impacts
• Customer’s consent is required when transferring personal data to another country.
• Access to personal data from another country is considered a transfer of personal data.
• An EU Model Clause Agreement is generally needed when the transfer is to a non EU/EEA country (i.e. a third country).
• Transfer of personal data to the US is NO LONGER allowed under a Safe Harbor certification.
GDPR: Why IBM?
An end-to-end value proposition: consulting, technology assets and industrialization
• General Data Protection Regulation 2018: Where are the major risks? What actions are to be taken? Where to start?
• Operational Methodology to compliance: Flash audit to do the GDPR diagnostic; Build the roadmap to compliance; Privacy Impact Assessment (PIA); IT systems transformation
• Supporting software and assets: Sensitive & Personal Data discovery; Data LifeCycle Governance and Protection (consent, encryption, masking, deletion, etc.)
GDPR: IBM’s vision - Major regulatory compliance areas and actions to be prioritized
Accountability of Compliance
Need to demonstrate compliance with the principles relating to the personal data processing that pervades the GDPR.
Actions: Consider how compliance is proven, including data protection privacy impact assessments, codes of conduct, governance and certification.
Lawfulness and Consent
Processing is only lawful if there is one of the following: consent, necessity, legal obligation, protection, public interest, official authority or legitimate interest.
Actions: Keep data subjects informed; manage requests in a transparent, efficient and effective manner; consider appointing a DPO.
Design and Default
Data controllers and processors must implement technical and organisational measures that demonstrate compliance with the GDPR core principles.
Actions: Permeate system development, maintenance and hosting practices with privacy principles; demonstrate adherence and data lineage.
Rights of EU Data Subjects
Provide for enhanced rights for data subjects in the EU including erasure, access and portability.
Actions: Keep a record of structured and unstructured personal data; enable execution of citizen rights, amongst which to understand, access, amend, object to and export personal data.
Security of Personal Data
Need to ensure a level of security appropriate to the risk, including 72-hour high-risk breach reporting.
Action: Implement and demonstrate adequate internal and external IT and physical defences and restrictions to reduce data privacy and security risks, including data minimisation, pseudonymisation [GDPR term] and encryption techniques.
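The "Security of Personal Data" area names data minimisation, pseudonymisation and masking as techniques but does not show what they look like on a record. The following is an added example, not code from the IBM deck or from any IBM product: it assumes a keyed HMAC-SHA256 token as the pseudonymisation method, a constructed sample record, and a hypothetical secret key held apart from the data set. That separately kept key is what makes the token a pseudonym in the GDPR Article 4(5) sense (attribution to a person still possible, but only with additional information kept separately) rather than anonymous data.

```python
import hashlib
import hmac
import re

# Constructed sample record for the example; not real personal data.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "email": "jane.doe@example.com",
    "iban": "FR7630006000011234567890189",
    "postcode": "75008",
    "shoe_size": 39,  # not needed for the assumed purpose -> minimisation drops it
}

# Assumed set of fields the processing purpose actually needs (data minimisation).
PURPOSE_FIELDS = {"customer_id", "email", "iban", "postcode"}

# Hypothetical controller secret; in practice stored apart from the pseudonymised
# data set (vault/HSM) so that re-identification needs that separate information.
PSEUDONYM_KEY = b"example-key-kept-in-a-separate-vault"


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256 token: stable for joins across systems holding the same
    key, but not reversible or re-computable by anyone without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def mask_email(email: str) -> str:
    """Keep first character of the local part and the domain, hide the rest."""
    local, _, domain = email.partition("@")
    if not domain or not local:
        return "***"
    return local[0] + "***@" + domain


def mask_iban(iban: str) -> str:
    """Show the first and last four characters only (country/check digits kept)."""
    compact = re.sub(r"\s+", "", iban)
    if len(compact) <= 8:
        return "*" * len(compact)
    return compact[:4] + "*" * (len(compact) - 8) + compact[-4:]


def minimise(record: dict, keep=PURPOSE_FIELDS) -> dict:
    """Drop every attribute the stated purpose does not require."""
    return {k: v for k, v in record.items() if k in keep}


def protect_record(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Minimise first, then replace the direct identifier by a pseudonym and
    mask the attributes an operator may still need to partially see."""
    r = minimise(record)
    return {
        "subject_token": pseudonymise(r["customer_id"], key),
        "email_masked": mask_email(r["email"]),
        "iban_masked": mask_iban(r["iban"]),
        "postcode": r["postcode"],
    }


def matches_subject(token: str, customer_id: str, key: bytes = PSEUDONYM_KEY) -> bool:
    """Re-identification check available only to the key holder, e.g. to serve
    an access or erasure request against the pseudonymised store."""
    return hmac.compare_digest(token, pseudonymise(customer_id, key))


if __name__ == "__main__":
    protected = protect_record(SAMPLE_RECORD)
    print(protected)
    print("key holder can match:", matches_subject(protected["subject_token"], "C-1001"))
    print("other key cannot:", matches_subject(protected["subject_token"], "C-1001", b"other"))
```

Masking is a display control and pseudonymisation a storage control; they answer different questions in an audit, and neither replaces encryption of the store itself, which the deck lists as a separate technique.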
GDPR: IBM’s vision - IBM’s five layer model for GDPR
IBM has clustered GDPR activities across five layers, thereby covering the whole spectrum of GDPR:
• GDPR governance, covering amongst others legal assessment, third party management and risk and compliance
• People and Communications, covering employee awareness and training, and internal and external communication
• Processes, covering the GDPR readiness of HR, CRM and other business processes
• Data, covering personal data life cycle management and citizen interaction
• Security, covering breach prevention and management and other digital security measures
The layers span both Business and IT.
GDPR: IBM’s vision - Business Capability Reference Architecture
Layers: Governance; People & Communications; Processes; Data; Security. The map is laid out along three axes: Business focus, IT focus, Security focus.
Capabilities, grouped as they appear on the slide:
• Roles & Responsibility Management; Training & Certification; Communication Management; Monitor Communications
• Individual PD Records Maintenance; “Privacy by Design” Development; Rules Execution; Workflow Management
• Catalogue Lifecycle Management: Archiving (Minimisation); Data Disposal (Minimisation); Data Lifecycle Monitoring (Minimisation)
• Policies & Measures Management; Regulations & Requirements Management; DP Governance; Third Parties Management; Reqs & Controls Monitoring; Compliance Demonstration; DP Strategy & Risks Assessment
• Access Control; Breach Prevention & Management; Security Monitoring; Vulnerabilities Assessment & Mitigation; Forensics
• Citizen Interaction Center: Automated Decision making Information; PD Rights execution; Information & Notice Delivery; Complaints Registration; Citizen Identification
• Data Management: PD Taxonomy; Consent Management; Breach Notification; PD Purpose Register; Metadata Identification; Metadata Classification; Data Lineage; Individual PD Identification; Individual PD Classification; Data Desensitizing (Minimisation); Data Management Assurance; Data Quality; Data Dictionary; Data Processing Monitoring; Rules Definition; Notice Management; PD Record Processing; Data Source Discovery; Data Masking (Minimisation)
GDPR Operational implementation - IBM software components and services mapping
The same capability map (Governance; People & Communications; Processes; Data, including Catalogue Lifecycle Management, Citizen Interaction Center and Data Management; Security) overlaid with the IBM offerings that cover each capability.
• IBM software components: Optim; IER; Research Asset; Resilient; Information Analyzer; Guardium DE; Guardium DP; Guardium VA+DP; Case Manager; StoredIQ; Information Governance Catalog; OpenPages; RC Analytics; Identity Gov. Intel.; Sec. Access Mgr; QRadar; i2
• Expertise / Consulting: Change Mgt / Process reengineering / Training; Consulting; Devt Expertise; Program Mgt + Consulting
GDPR: IBM SW Solutions Framework - IBM Technology overview
• Dynamic Policy Management: define what, why, how long (Policies, Rules, Audit, Processes, Analyses)
• Implementation Services: distribute policies to data sources
• Data Infrastructure: control use, align cost to value
• Data Management across data sources: Email Servers; User Devices & File Shares; ECM & Collaboration; Archive Platform; Master Data; Cloud & Social; Databases & Data Warehouse; Hadoop Platform
• Security & Compliance Monitoring
• Compliance areas covered: Lawfulness and Consent; Design and Default; Rights of EU Data Subjects; Accountability of Compliance; Security of Personal Data
• IBM components pictured: IBM Atlas; InfoSphere; Optim; IBM Case Manager
GDPR Operational implementation - Major IT workstreams and IBM solutions
Workstreams:
• Business Processes: Accountability; Rights of Restitution / Transfer / Rectification; Consent: Explicit Consent Management / RTBF; Incidents Management / Data breach
• Data Security and Protection: Privacy by Design / Privacy by Default; Archival / Deletion / Quarantine; Files encryption; Anonymization / Data Masking; Operational Data Protection; Users and administrators activity monitoring
• IT Operational Security
• Policies, Rules and Definitions
• Applications: Minimization of personal data used and stored by applications; Review of Design principles
• Data Repositories: Personal Data inventory; Unstructured data Exploration; Structured data Exploration (Guardium DP, Info Analyzer)
• Infrastructure and Devices (Guardium VA, Bigfix / MaaS360)
• GDPR Assessment (Gap Analysis) and GDPR Trajectory
Compliance areas: Lawfulness and Consent; Design and Default; Rights of EU Data Subjects; Accountability of Compliance; Security of Personal Data
IBM solutions pictured: StoredIQ; StoredIQ Legal; StoredIQ Optim; Optim DP; Guardium VA; Guardium DP; Guardium DE; QRadar; Resilient; Case Manager; Atlas; Identity Gov. & Intelligence; Appscan; Bigfix / MaaS360; Info Analyzer
GDPR in practice - Data Governance & Security tooling contribution to Compliance by capability
Layers:
• Governance Layer: Metadata & Policy Mgmt; Compliance Mgmt
• Data Management Layer: Info Lifecycle Mgmt
• Compliance & Security Layer: Security & Privacy; Info Gov Utility Services; Subject Rights Mgmt
Capabilities: Data & Policy Governance; Data Discovery & Classification; Retention & Disposal; Masking & Encryption; Identity & Access Mgmt; Users Activity; DB & File Activity Monitoring; Vulnerabilities (Databases, Apps, Infrastructure); Dynamic blocking; Incidents correlation & identification; Security Incidents Mgmt & Reporting
Actors: CISO, DPO, CPO; Group Compliance; Legal; DBA. Data in scope: Sensitive data.
GDPR in practice - Data Governance & Security tooling contribution to Compliance by capability (with IBM tooling)
The same layered diagram (Governance Layer: Metadata & Policy Mgmt, Compliance Mgmt; Data Management Layer: Info Lifecycle Mgmt; Compliance & Security Layer: Security & Privacy, Info Gov Utility Services, Subject Rights Mgmt), with the same capabilities (Data & Policy Governance; Data Discovery & Classification; Retention & Disposal; Masking & Encryption; Identity & Access Mgmt; Users Activity; DB & File Activity Monitoring; Vulnerabilities (Databases, Apps, Infrastructure); Dynamic blocking; Incidents correlation & identification; Security Incidents Mgmt & Reporting) and actors (CISO, DPO, CPO; Group Compliance; Legal; DBA; Sensitive data), overlaid with IBM tooling: Information Governance Catalog; Atlas; AppScan; BigFix/MaaS360; Identity Governance Intelligence; Information Analyzer
GDPR: IBM’s Proposal - GDPR Timeline
IBM helps clients to define their roadmap for compliance and supports the implementation program until 2018 and beyond…
• 2H 2016 - Diagnose (Now): Legal review; Identify gaps; Impact analysis. Many firms are currently working through the legal interpretation. IBM can support the gap and impact analysis.
• 2017 - Define, Design and build: Governance; People & Communications; Process; Data; Security; Test & Assure. IBM can speed up your deployment programme at a reduced cost by bringing GDPR solutions, tools and accelerators across the full spectrum of your needs.
• 1H 2018 - Deliver and Demonstrate (May 2018): Deploy to production; Demonstrate compliance (ongoing). IBM can provide the capabilities to deliver and demonstrate your GDPR compliance.
GDPR: IBM’s Proposal - Characteristics of the implementation approach
Understand your data
• Define the data privacy relevant data as part of the implementation
• Key questions to be answered are:
– What data do we have?
– Where does it reside?
– Do we need the data for service delivery or do we need consent?
– How do we use the data?
– Did we already obtain consent to use the data?
– What data retention and access rules apply?
• Apply Data Governance principles by defining data owners and governance processes, BUT only for DP relevant data
• Align to MDM for client implementations where possible
Prioritize
• Implement controls in order of GDPR risk assessment
• Create an inventory of the relevant data sets in the organization and prioritize
• Implement following the priorities high => medium => low
• Use an agile approach to allow for changes in prioritizations
• Focus on compliance risk, not on completeness or perfection
Optimize as you go
• Develop a solid foundation for optimization after May 2018
• Add technical capabilities (e.g. new connector types and processing power) in the architecture as you go
• Build your maintenance organization while implementing; transfer knowledge and skills from IBM to the AXA organization
• Re-use components to the max
References and Contacts
• GDPR Regulation
– https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
– https://www.ibm.com/analytics/us/en/technology/general-data-protection-regulation
– http://ec.europa.eu/justice/data-protection/reform/index_en.htm
• IBM France GDPR Proof Of Technology
– http://www-05.ibm.com/fr/events/tec/new/MCHR-AHKCEJ.html
• IBM Technical Expert Council France
– @ibmtecf
– https://www.linkedin.com/groups/8457887