GDPR: what you should know and how to minimize impact on your business
Olivier Barrot, IBM Client Technical Advisor
Apr 21, 2017
18 slides

Transcript
Page 1: GDPR: General Data Protection Regulation

Olivier Barrot
IBM Client Technical Advisor
[email protected]
@olivierbarrot
olivier barrot

Page 2: GDPR: Introduction

© 2017 IBM Corporation

• Most significant change in data privacy law in the past 20 years
• Replaces the 1995 EU Data Directive
• Inspired by the Charter of Fundamental Rights of the European Union, Articles 7 (respect for private and family life) and 8 (protection of personal data)
• Aim is to have a harmonized, unified data protection law framework for all EU countries
• No longer a Directive but a Regulation
• Not a one-time effort but a multi-year journey with regular assessment checks

Timeline: published June 2016; applicable May 2018; 24 months to prepare. We are here. Non-compliance?

Page 3: GDPR: What you need to know

Three objectives:
• Facilitate the free flow of data in the Digital Single Market
• Modernize the law for emerging technologies
• Reinforce and enhance the data protection rights of EU data subjects

Extra-territorial: applies to organisations outside the EU processing EU data subjects’ personal data, with obligations not just on Controllers but now also on Processors.

Requires the appointment of mandatory Data Protection Officers.

Defines what constitutes personal, directly or indirectly identifiable data, such as online identifiers, IP addresses and location data.

Will fundamentally change the way organisations must protect, govern and manage their structured and unstructured data.

Page 4: GDPR issues: What we have seen so far

• Data retention, storage and security
• Designation of main establishment
• Vendor management and outsourcing
• Processing of personal data in the employment context and potential member state variations
• IT system capabilities, integrity and functionality, particularly to enable data subject rights
• Costs to business of free subject access requests
• Development of digital products and services
• Processing of data relating to criminal offences or convictions
• Uncertainty around data transfer mechanisms
• Engagement with industry associations and advocacy
• Data protection by design and default
• Responding to breaches within time limits
• Designation and tasks of the Data Protection Officer
• Consent and other lawful grounds for processing
• Data transfers to third country authorities (“anti-FISA clause”)

Page 5: GDPR: Who is concerned? Program Stakeholders

Evolution of Compliance: GDPR Policy; Procedures and Organisation; Training and Communication.

Stakeholders of the GDPR Compliance program: Board of Directors; DPO; Business and IT Departments; CMO; DHR; CIO; SR; LEGAL; CRO; CIL; CDO; Data Management and Big Data architecture teams.

Working mode between the stakeholders: Communication, Collaboration, Coordination.

Page 6: GDPR: Hosting & Cloud impacts

• Customer’s consent is required when transferring personal data to another country.
• Access to personal data from another country is considered a transfer of personal data.
• An EU Model Clause Agreement is generally needed when the transfer is to a non-EU/EEA country (i.e. a third country).
• Transfer of personal data to the US is NOT allowed under a Safe Harbor certification ANY LONGER.

Page 7: GDPR: Why IBM?

An end-to-end value proposition: consulting, technology assets and industrialization.

General Data Protection Regulation (2018): where are the major risks, what actions are to be taken, where to start.

Operational methodology to compliance:
• Flash audit to do the GDPR diagnostic
• Build the roadmap to compliance
• Privacy Impact Assessment (PIA)
• IT systems transformation

Supporting software and assets: Sensitive & Personal Data discovery; Data Lifecycle Governance and Protection (consent, encryption, masking, deletion, etc.).

Page 8: GDPR: IBM’s vision. Major regulatory compliance areas and actions to be prioritized

Accountability of Compliance: need to demonstrate compliance with the principles relating to personal data processing that pervade the GDPR.
Actions: Consider how compliance is proven, including data protection privacy impact assessments, codes of conduct, governance and certification.

Lawfulness and Consent: processing is only lawful if there is one of the following: consent, necessity, legal obligation, protection, public interest, official authority or legitimate interest.
Actions: Keep data subjects informed; manage requests in a transparent, efficient and effective manner; consider appointing a DPO.

Design and Default: data controllers and processors must implement technical and organisational measures that demonstrate compliance with the GDPR core principles.
Actions: Permeate system development, maintenance and hosting practices with privacy principles; demonstrate adherence and data lineage.

Rights of EU Data Subjects: provide for enhanced rights for data subjects in the EU, including erasure, access and portability.
Actions: Keep a record of structured and unstructured personal data; enable execution of citizen rights, amongst which to understand, access, amend, object to and export personal data.

Security of Personal Data: need to ensure a level of security appropriate to the risk, including 72H high-risk breach reporting.
Action: Implement and demonstrate adequate internal and external IT and physical defences and restrictions to reduce data privacy and security risks, including data minimisation, pseudonymisation [GDPR term] and encryption techniques.

Page 9: GDPR: IBM’s vision. IBM’s five layer model for GDPR

IBM has clustered GDPR activities across five layers, thereby covering the whole spectrum of GDPR:

• GDPR governance, covering amongst others legal assessment, third party management and risk and compliance
• People and Communications, covering employee awareness and training, and internal and external communication
• Processes, covering the GDPR readiness of HR, CRM and other business processes
• Data, covering personal data life cycle management and citizen interaction
• Security, covering breach prevention and management and other digital security measures

The layers are arranged along a Business to IT axis.

Page 10: GDPR: IBM’s vision. Business Capability Reference Architecture

Capabilities are grouped into the five layers and positioned along a Business focus / IT focus / Security focus axis.

Governance: Policies & Measures Management; Regulations & Requirements Management; DP Governance; Third Parties Management; Reqs & Controls Monitoring; Compliance Demonstration; DP Strategy & Risks Assessment.

People & Communications: Roles & Responsibility Management; Training & Certification; Communication Management; Monitor Communications.

Processes: Individual PD Records Maintenance; “Privacy by Design” Development; Rules Definition; Rules Execution; Workflow Management; Notice Management; PD Record Processing; Consent Management; Breach Notification.

Data:
• Catalogue Lifecycle Management: Archiving (Minimisation); Data Disposal (Minimisation); Data Lifecycle Monitoring (Minimisation)
• Citizen Interaction Center: Automated Decision making Information; PD Rights execution; Information & Notice Delivery; Complaints Registration; Citizen Identification
• Data Management: PD Taxonomy; PD Purpose Register; Metadata Identification; Metadata Classification; Data Lineage; Individual PD Identification; Individual PD Classification; Data Desensitizing (Minimisation); Data Management Assurance; Data Quality; Data Dictionary; Data Processing Monitoring; Data Source Discovery; Data Masking (Minimisation)

Security: Access Control; Breach Prevention & Management; Security Monitoring; Vulnerabilities Assessment & Mitigation; Forensics.

Page 11: GDPR: IBM’s vision. IBM software components and services mapping

The same capability grid as on Page 10 (Governance; People & Communications; Processes; Data, including Catalogue Lifecycle Management, Citizen Interaction Center and Data Management; Security), with IBM software components and expertise/consulting mapped onto the capabilities.

IBM software components: Optim; IER; Resilient; Information Analyzer; Guardium DE; Guardium DP; Guardium VA; Case Manager; StoredIQ; Information Governance Catalog; Open Pages; RC Analytics; Identity Governance & Intelligence; Security Access Manager; QRadar; i2; Research Asset.

Expertise / Consulting: Change Management / Process reengineering / Training; Consulting; Development Expertise; Program Management + Consulting.

GDPR Operational implementation

Page 12: GDPR: IBM SW Solutions Framework. IBM Technology overview

• Dynamic Policy Management: define what, why, how long
• Data Infrastructure: control use, align cost to value
• Implementation Services: distribute policies to data sources

Data Management sources covered: Email Servers; User Devices & File Shares; ECM & Collaboration; Archive Platform; Master Data; Cloud & Social; Databases & Data Warehouse; Hadoop Platform.

Policies, Rules, Audit, Processes, Analyses; Security & Compliance Monitoring.

Products: IBM Case Manager; InfoSphere; IBM Atlas; Optim.

The five compliance areas (Lawfulness and Consent; Design and Default; Rights of EU Data Subjects; Accountability of Compliance; Security of Personal Data) are shown alongside the framework.

Page 13: GDPR Operational implementation. Major IT workstreams and IBM solutions

GDPR Trajectory: GDPR Assessment (Gap Analysis); Personal Data inventory; Review of Design principles; Policies, Rules and Definitions.

Workstreams and topics: Business Processes; Accountability; Consent (Explicit Consent Management / RTBF); Incidents Management / Data breach; Rights of Restitution / Transfer / Rectification; Archival / Deletion / Quarantine; Data Security and Protection; Privacy by Design / Privacy by Default; IT Operational Security; Files encryption; Anonymization / Data Masking; Operational Data Protection; Users and administrators Activity monitoring; Applications (Minimization of personal data used and stored by applications); Data Repositories (Unstructured data Exploration; Structured data Exploration with Guardium DP and Info Analyzer); Infrastructure and Devices (Guardium VA; Bigfix / MaaS360).

IBM solutions referenced on the slide: StoredIQ; StoredIQ Optim; StoredIQ Legal; QRadar; Atlas; Guardium VA; Guardium DP; Guardium DE; Optim DP; Case Manager; Resilient; Identity Gov. & Intelligence; Appscan; Bigfix / MaaS360; Info Analyzer.

The five compliance areas (Design and Default; Rights of EU Data Subjects; Lawfulness and Consent; Accountability of Compliance; Security of Personal Data) frame the workstreams.

Page 14: GDPR in practice. Data Governance & Security tooling contribution to Compliance by capability

Layers:
• Governance Layer: Metadata & Policy Mgmt; Compliance Mgmt
• Data Management Layer: Info Lifecycle Mgmt
• Compliance & Security Layer: Security & Privacy; Info Gov Utility Services; Subject Rights Mgmt

Capabilities: Sensitive data; Data & Policy Governance; Data Discovery & Classification; Retention & Disposal; Masking & Encryption; DB & File Activity Monitoring; Users Activity; Identity & Access Mgmt; Vulnerabilities (Databases, Apps, Infrastructure); Dynamic blocking; Incidents correlation & identification; Security Incidents Mgmt & Reporting.

Stakeholders: CISO, DPO, CPO; Group Compliance; Legal; DBA; Users.

Page 15: GDPR in practice. Data Governance & Security tooling contribution to Compliance by capability (tooling view)

Same layers (Governance; Data Management; Compliance & Security), capabilities and stakeholders as on Page 14, with IBM tooling mapped onto the capabilities: Information Governance Catalog; Atlas; Information Analyzer; AppScan; BigFix/MaaS360; Identity Governance Intelligence.

Page 16: GDPR: IBM’s Proposal. GDPR Timeline

IBM helps clients to define their roadmap for compliance and supports the implementation program until 2018 and beyond…

Timeline: 2H 2016, 2017, 1H 2018 (May 2018). Phases: Now, Diagnose; then Define, Design and build; then Deliver and Demonstrate.

Diagnose (legal review; identify gaps; impact analysis): many firms are currently working through the legal interpretation. IBM can support the gap and impact analysis.

Define, Design and build (Governance; People & Communications; Process; Data; Security; Test & Assure): IBM can speed up your deployment programme at a reduced cost by bringing GDPR solutions, tools and accelerators across the full spectrum of your needs.

Deliver and Demonstrate (deploy to production; demonstrate compliance, ongoing): IBM can provide the capabilities to deliver and demonstrate your GDPR compliance.

Page 17: GDPR: IBM’s Proposal. Characteristics of the implementation approach

Understand your data

Define the data privacy relevant data as part of the implementation. Key questions to be answered are:
• What data do we have?
• Where does it reside?
• Do we need the data for service delivery or do we need consent?
• How do we use the data?
• Did we already obtain consent to use the data?
• What data retention and access rules apply?

Apply Data Governance principles by defining data owners and governance processes, BUT only for DP relevant data. Align to MDM for client implementations where possible.

Prioritize

Implement controls in order of the GDPR risk assessment. Create an inventory of the relevant data sets in the organization and prioritize. Implement following the priorities high => medium => low. Use an agile approach to allow for changes in prioritization. Focus on compliance risk, not on completeness or perfection.

Optimize as you go

Develop a solid foundation for optimization after May 2018. Add technical capabilities (e.g. new connector types and processing power) in the architecture as you go. Build your maintenance organization while implementing; transfer knowledge and skills from IBM to the AXA organization. Re-use components to the max.

Page 18: References and Contacts

• GDPR Regulation
  – https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
  – https://www.ibm.com/analytics/us/en/technology/general-data-protection-regulation
  – http://ec.europa.eu/justice/data-protection/reform/index_en.htm
• IBM France GDPR Proof Of Technology
  – http://www-05.ibm.com/fr/events/tec/new/MCHR-AHKCEJ.html
• IBM Technical Expert Council France
  – @ibmtecf
  – https://www.linkedin.com/groups/8457887