© 2017 IBM Corporation
EU General Data Protection Regulation
Steve Norledge, UKI GDPR Leader
Sol Barron, Information Governance Specialist
February 2017
Getting Started with GDPR
GDPR significantly extends EU member-state data privacy regulation

EU Citizen Rights enhanced, harmonised and extended globally
• Inform / access / rectify / erase / object
• Give or withdraw specific data usage consent
• Insight into automated decision making
• Transfer personal data to another provider (portability)

Organisational Impact
• Data controllers and data processors liable for breaches
• Data controllers legally bound to validate data processors' compliance
• Data Protection Officer obligatory
• Stringent data security & breach management
• Conditions for cross-border data transfer altered

Broadened scope of 'Personal Data'
• All direct and indirect identifiers
• Behavioural, derived and self-identified data
• Unstructured data
• Format and technology agnostic

Increased cost of non-compliance
• Fines up to 4% of annual turnover or €20 million
• Data Privacy Authorities empowered
• Increased activist and court activity
• Increased risk and cost of reputational damage
Focused on the citizen...

Subject Access Request
  "What information do you hold on me and what do you use it for?"
Breach Notification
  "Tell me if my personal data has been breached. Was it encrypted?"
Rectification & Data Portability
  "I want you to correct my data and then I want to take my data to a new provider"
Consent Management
  "Make it easy for me to manage how I consent to share different types of personal data with you"
Privacy Impact Assessment
  "I want to develop a new process using personal data. Am I allowed to gather, augment and analyse all this personal data?"
Access Management
  "Do I have the right data access privileges to allow access to the data I need to run my new process?"
Data Transfer
  "I want to transfer or process this data in a different country"
Erasure
  "I want to be forgotten by you"
...IBM's five layer model for GDPR

• Governance: GDPR governance, covering amongst others legal assessment, third party management, and risk and compliance; the DPO role
• Communications & People: people and communications, covering employee awareness and training, and internal and external communication
• Data: personal data life cycle management and citizen interaction
• Process: the GDPR readiness of HR, CRM and other business processes
• Security: cyber security technologies to protect critical personal data, and capabilities that enable timely breach notification
IBM supports your GDPR timeline until 2018 and beyond…

GDPR Timeline: 2H 2016 (now), 2017, 1H 2018 (to May 2018)

Diagnose (now)
• Legal review
• Identify gaps
• Impact analysis
Many firms are currently working through the legal interpretation. IBM can support the gap and impact analysis.

Define, Design and build (2017)
• Governance
• People & Communications
• Process
• Data
• Security
IBM can speed up your deployment programme at a reduced cost by bringing GDPR solutions, tools and accelerators across the full spectrum of your needs.

Deliver and Demonstrate (1H 2018, to May 2018)
• Test & Assure
• Deploy to production
• Demonstrate compliance (ongoing)
IBM can provide the capabilities to help you deliver and demonstrate your GDPR capability.
What Does GDPR Ask of You?

The GDPR is all about acting responsibly with personal information, in its widest sense.
Therefore, in broad terms, compliance with GDPR will require you to:
• Understand Your Data, in order to
• Protect Your Data and
• Govern Your Data
wherever it is (databases, file shares, email systems, storage boxes) and in whatever format it is (structured, unstructured, audio, etc.).
IBM Solution Framework

GDPR requirement areas addressed: Lawfulness and Consent; Design and Default; Rights of EU Data Subjects; Accountability of Compliance; Security of Personal Data.

Framework layers:
• Dynamic Policy Management: define what, why, how long
• Implementation Services: distribute policies to data sources
• Data Infrastructure: control use, align cost to value
• Data Management
• Security & Compliance Monitoring
Cross-cutting elements: Policies, Rules, Audit, Processes, Analyses.

Data sources covered: Email Servers; User Devices & File Shares; ECM & Collaboration; Archive Platform; Master Data; Cloud & Social; Databases & Data Warehouse; Hadoop Platform.

Products shown: IBM Case Manager; InfoSphere; IBM Atlas; Optim.
StoredIQ – Understanding Your Unstructured Data
• Fast discovery of unstructured data across the enterprise, scaling to hundreds of terabytes and to petabytes
o Where the data is
o What the data is
o How big the data is
o What the data is called
o Who created the data
o Deep knowledge of the data, many layers of attributes
StoredIQ – Deeper Analysis
• Open each text file
• Index its content:
  o Words, phrases, names
  o Patterns: National Insurance numbers, credit cards, IDs, etc.
• Auto-Classification:
  o Classifies content based on a user-definable taxonomy
  o No coding required; uses Natural Language Processing
  o Provides additional overlay/filter analysis capability
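The pattern step above is where a discovery tool earns its keep: a bare regex for "16 digits" or "two letters and six digits" floods the result set with false positives, so each candidate has to be validated before it counts as personal data, and the report must not re-spill the values it found. The following Python is an added illustration of that idea and is not StoredIQ code or any IBM product logic; the sample text, the taxonomy labels ("financial-pii", "identity-pii", "no-pii") and the function names are constructed for the example. Credit-card candidates are checked with the Luhn checksum and UK National Insurance candidates against the published prefix rules, and hits are reported masked.

```python
import re
from typing import Dict, List

# Constructed sample text standing in for one discovered file.
# All values are made up; 4111 1111 1111 1111 is a well-known
# Luhn-valid test number, not a live card.
SAMPLE_TEXT = """
Payroll note: employee AB 12 34 56 C started on 2016-03-01.
Card on file for expenses: 4111 1111 1111 1111 (exp 12/19).
Mistyped card copied from the old system: 4111 1111 1111 1112.
Batch reference ZZ 99 99 99 A is an internal job id, not a person.
"""

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# UK NI number: two letters, six digits, suffix A-D, optional spaces.
NI_RE = re.compile(r"\b([A-Z]{2}) ?(\d{2}) ?(\d{2}) ?(\d{2}) ?([A-D])\b")

NI_BAD_FIRST = set("DFIQUV")        # never used as first prefix letter
NI_BAD_SECOND = set("DFIQUVO")      # never used as second prefix letter
NI_UNALLOCATED = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most typos and random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ni_prefix_ok(prefix: str) -> bool:
    """Apply the HMRC rules for the two-letter NI prefix."""
    return (prefix[0] not in NI_BAD_FIRST
            and prefix[1] not in NI_BAD_SECOND
            and prefix not in NI_UNALLOCATED)


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return validated hits per identifier type, normalised (separators removed)."""
    hits: Dict[str, List[str]] = {"credit_card": [], "ni_number": []}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):         # regex match alone is not enough
            hits["credit_card"].append(digits)
    for m in NI_RE.finditer(text):
        if ni_prefix_ok(m.group(1)):
            hits["ni_number"].append("".join(m.groups()))
    return hits


def mask(value: str, keep: int = 4) -> str:
    """Keep only the trailing characters so the report does not re-spill the data."""
    return "*" * (len(value) - keep) + value[-keep:]


def classify(hits: Dict[str, List[str]]) -> str:
    """Map validated hits onto a small taxonomy (labels are assumed for the example)."""
    labels = []
    if hits["credit_card"]:
        labels.append("financial-pii")
    if hits["ni_number"]:
        labels.append("identity-pii")
    return "+".join(labels) if labels else "no-pii"


def report(text: str) -> Dict[str, object]:
    """Classification plus masked hits, suitable for an index or audit log."""
    hits = scan_text(text)
    return {
        "classification": classify(hits),
        "masked_hits": {k: [mask(v) for v in vals] for k, vals in hits.items()},
    }


if __name__ == "__main__":
    print(report(SAMPLE_TEXT))
```

On the sample text the mistyped card and the "ZZ" batch reference both match the regexes but are dropped by validation, so the file is labelled "financial-pii+identity-pii" on the strength of one card and one NI number, and the log shows only "************1111" and "*****456C". The same two-stage shape (broad pattern, then a format-specific check) carries over to other identifier types.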
Atlas Policy Suite provides broad support for regulatory and legal compliance

The IBM Atlas Policy Management Suite is a pivotal component of the IBM Information Lifecycle Governance (ILG) solution portfolio. It:
• Helps organizations improve information economics and reduce risk by enabling defensible disposal of data debris
• Aligns information cost to value through value-based archiving and tiering
• Reduces information risk by instrumenting privacy, electronic discovery (eDiscovery), and regulatory policy across the data environment

Primary features include:
• A citation database of relevant legislation, regulation and policy
• An organizational, multi-jurisdictional retention file plan for all information types, with cross-references back to the corresponding citation
• A catalogue of data sources (processes, data repositories, applications, etc.)
• A mapping of all information types to the data sources which utilize them, as well as to the business units and individuals who own the information