gdpr: the catalyst for customer 360
TRANSCRIPT
5 July 2017
The GDPR: The catalyst for
customer 360
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
Founder and Executive Chairman,
IT Governance Ltd
Alan Calder Tim Vincent
EMEA Solution Engineer Team
Lead
DataStax
Speakers
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
Introduction
• Alan Calder
• Founder, IT Governance Ltd
• The single source for everything to do with IT
governance, cyber risk management and IT
compliance
• IT Governance: An International Guide to Data
Security and ISO27001/ISO27002 (Open
University textbook)
• www.itgovernance.co.uk
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
IT Governance Ltd: GRC One-stop shop
All verticals, all sectors, all organisational sizes
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
We will cover:
• The GDPR’s impact on businesses
• Accountability and governance of data, data storage limitations,
breach notifications, data subject rights, and compliance
requirements
• Unravelling the labyrinthine web of data using DataStax Enterprise
Graph to bring legacy systems together and comply with the GDPR,
building a 360-degree view of a company’s data subjects
• The right to be forgotten and how DataStax Enterprise Graph can
help companies comply with the Regulation’s requirements
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
The GDPR’s impact on businesses
• Differentiating between controllers and processors
– Critical that entities identify, in respect of their processing, whether they are a
controller or a processor:
– ‘Controller' means the natural or legal person, public authority, agency or other
body which, alone or jointly with others, determines the purposes and means of
the processing of personal data.
– ‘Processor' means a natural or legal person, public authority, agency or other
body which processes personal data on behalf of the controller.
– Processors may only process data in line with a contract from a controller.
• Child’s consent:
– A person under 16 years old may not consent to the processing of personal data
in respect of an information age service.
• Customer service:
– Privacy notices will be more intrusive.
– Additional services and options can’t assume consent.
– Third party processors will have to be clearly identified.
– Big data activities may be restricted.
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
Material and territorial scope
• Natural persons have rights
associated with:
– The protection of personal
data.
– The protection of the
processing of personal data.
– The unrestricted movement of
personal data within the EU.
• In material scope:
– Personal data that is
processed wholly or partly by
automated means.
– Personal data that is part of a
filing system, or intended to
be.
– The Regulation applies to
controllers and processors in
the EU, irrespective of where
processing takes place.
Natural person = a living individual
The GDPR also applies to controllers not in the EU
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
Entry into force and application
“This Regulation shall be binding in its entirety and directly applicable in all Member States.”
KEY DATES
• On 8 April 2016, the European Council adopted the Regulation.
• On 14 April 2016, the European Parliament adopted the Regulation
• On 4 May 2016, the official text of the Regulation was published in the EU Official
Journal in all the official languages.
• The Regulation entered into force on 24 May 2016, and will apply from 25 May
2018.
• http://ec.europa.eu/justice/data-protection/reform/index_en.htm
Final text of the Regulation: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
Remedies and liabilities
– Data subjects shall have recourse to judicial remedy where:
º In the courts of the Member State where the controller or processor has an establishment.
º In the courts of the Member State where the data subject habitually resides.
– Any person who has suffered material, or non-material, damage shall have the right to receive compensation from the controller or processor.
– The controller involved in processing shall be liable for damage caused by processing.
Natural persons have rights
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
Penalties
– In each case, fines will be effective, proportionate and dissuasive
– Fines administrated will take into account technical and organisational measures implemented.
– €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year.
Administrative fines
– €20,000,000 or, in case of an undertaking, up to 4% of the total worldwide annual turnover in the preceding financial year.
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
The Rights of data subjects
• “The controller shall take appropriate measures to provide any information
relating to processing to the data subject in a concise, transparent,
intelligible and easily accessible form, using clear and plain language
(Article 11-1).”
• The controller shall facilitate the exercise of data subject rights (Article 11-2).
– Rights to:
º Consent
º Access
º Rectification
º Erasure
º Restriction
º Objection
º Data portability;
º Withdraw consent at any time;
º Lodge a complaint with a supervisory
authority;
º Be informed of the existence of automated
decision-making, including profiling, as well
as the anticipated consequences for the
data subject.
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
The principle of accountability and what it means
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability').”
Article 5 – principles relating to the processing of personal data
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
Lawfulness (Art 5 – 6)
• Personal data must be secured against accidental loss, destruction
or damage
• Processing must be lawful – which means, inter alia:
– Data subject must give consent for specific purposes
– There are specific circumstances where consent is not required º So that the controller can comply with legal obligations, etc.
• One month to respond to subject access requests – and no
charges
• Controllers and processors clearly distinguished
– Clearly identified obligations
– Controllers responsible for ensuring processors comply with contractual terms
for processing information
– Processors must operate under a legally binding contractº And note issues around extra-territoriality
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
Consent (Art. 7-9)
• Consent must be clear and affirmative– Must be able to demonstrate that consent was given
– Silence or inactivity does not constitute consent
– Written consent must be clear, intelligible and easily accessible, or it is not binding
– Consent can be withdrawn any time, and it must be as easy to withdraw consent as to give it
• Special conditions apply for a child (under 16) giving consent
• Explicit consent must be given for processing sensitive personal data– Race, ethnic origin, political beliefs, etc.
– Specific circumstances allow non-consensual processing, e.g. to protect vital interests of the data subject
• Secure against accidental loss, destruction or damage (article 5)
• Consent must be documented.
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
Transparency (Art. 12-17)
• Any communications with a data subject must be concise, transparent
and intelligible
• The controller must be transparent in providing information about itself
and the purposes of the processing
• The controller must provide the data subject with information about their
rights
• There are specific provisions (Article 14) covering data not obtained
directly from the data subject
• Data subjects have rights to access, rectification, erasure (‘right to be
forgotten’), to restriction of processing, and data portability
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
Privacy by design (Art. 25 et seq. )
• Privacy must now be designed into data processing by default
• Data protection impact assessments are mandatory (Article 35)
– For technologies and processes that are likely to result in a high risk to rights of
data subjects
• Documentary evidence is crucial
• Data audits
– The GDPR applies to existing data, as well as future data
– Privacy may have to be designed retrospectively
– Organisations need to identify what personal data they hold, where and on what
grounds they hold it, and how it is secured in a way that will meet the
requirements of the GDPR
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
Data breaches under the GDPR
A 'personal data breach' means a breach of security leading to the accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or access to,
personal data transmitted, stored or otherwise processed.
Definition
• Notify supervisory authority no
later than 72 hours after
discovery
• Must describe the nature of
the breach
• No requirement to notify if no
risk to rights and freedoms of
natural persons
• Failure to report within 72
hours requires explanation
• Notify the data controller of a
breach without delay
• All data breaches have to be
reported (no exemptions)
• European Data Protection
Board (EDPB) to issue
clarification with regard to
‘undue delay
Controller obligations Processor obligations
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
Data Breaches
Obligation for data controller to communicate a personal data breach to data subjects
• Communicate with data subjects without undue delay if the breach
represents a high risk to data subjects' rights
• Communication must be in clear, plain language
• Supervisory authority may compel communication with data subject
• Appropriate technical and organisational measures were taken
• A high risk to the data subjects will not materialise
• Communication with data subjects would involve disproportionate effort
Exemptions
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
Security of Processing
– Pseudonymisation and encryption of personal data
– Measures to ensure the ongoing confidentiality, integrity and
availability of systems
– A process for regularly testing, assessing and evaluating the
effectiveness of security measures
It is a requirement for data controllers and data processors to implement a
level of security appropriate to the risk. This includes
Security measures taken need to comply with the concept of privacy by
design.
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
Cyber-security assurance
• A GDPR requirement – data controllers must implement “appropriate
technical and organisational measures to ensure and to be able to
demonstrate that the processing is performed in accordance with
this Regulation”.
– Must include appropriate data protection policies
– Local authorities may use adherence to approved codes of conduct or
management system certifications “as an element by which to demonstrate
compliance with their obligations”
– ICO and BSI are both developing new GDPR-focused standards
• ISO 27001 already meets the “appropriate technical and
organisational measures” requirement
• BS 10012 was developed specifically for the GDPR
– It provides assurance to the board that data security is being managed in
accordance with the Regulation
– It helps manage all information assets and all information security within the
organisation – protecting against all threats
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
Nine Steps to GDPR compliance in the Local Government
STEP 1: Establish governance framework
• board awareness
• risk register
• accountability framework
• review
STEP 2: Appoint and/or train a DPO/SDPO
STEP 3: Data inventory
• identify processors
• identify unlawfully held data
STEP 4: Conduct data flow audit
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
STEP 5: Compliance gap analysis
1. Ensure Privacy Notice and SAR documents and processes are robust and legal
2. Records of processing
STEP 6: PIA and security gap analysis
STEP 7: Remediate
1. Privacy compliance framework
2. Cyber Essentials/Ten Steps to Cyber Security/ISO 27001
STEP 8: Data breach response process (NB: Test!)
STEP 9: Monitor, audit and continually improve
NB: steps can be tackled in parallel
Nine Steps to GDPR compliance in the Local Government
© DataStax, All Rights Reserved.24
Article 20 - How do you present a Data Subject with a view of the data you hold on them?
Article 17 - Right to Erasure or Right to be Forgotten, how do you locate all data on a Subject?
Do you have a Single View of your Customer?
Data Exists in Silos
© DataStax, All Rights Reserved.25
Mortgage Bank AccountHouse
InsuranceLife Cover
MDM is NOT the Answer
26
MDM
• Provides a single source of customer record, a golden record
• MDM is not a data integration tool https://tinyurl.com/forrester-mdm
• A static customer profile view with structured, limited data
However, to achieve GDPR data subject access and right to erasure in the digital era, you
need a data platform beyond MDM that:
• Integrates MDM and other data sources, including real time customer activity data
• Delivers contextual customer view in real-time
• Operationalizes customer data for instant insights and actions
• Guarantees 100% uptime
• Allows global data access Customer
Master
3rd party data
C360
Reporting
Analytics
Discovery
Not Only a Single Customer View
Now a Customer 360 View
27
Guaranteed
global access
Real-time
customer
information and
responsiveness
Always-on,
undisrupted
customer
experience
A contextual,
connected,
single view of
the customer
© DataStax, All Rights Reserved.28
Now you can so so much more
Real-Time Personalization
View and manage the data access controls for Data Subjects.
Drive engagement by guaranteeing crucial feedback, a tailored experience, and
instantly actionable insight.
C360 Application Characteristics
29
Real-Time DistributedAlways-OnContextual Scalable
DataStax Enterprise
© DataStax, All Rights Reserved.30
Continuously Available
Linearly Scalable
Geographically Distributed
Instantaneously Responsive
Integrated Search & Analytics
Database for Real time C360
Always-On Data Management for C360
31
CX DATA FRAMEWORK
CX Data Platform (DSE)ANALYTICS
APIs
DATA MODEL DATA QUALITY
GOVERNANCE
MATCH & RELATE
SECURITY & ACCESS
Testing MonitorDevelopmentArchitecture
C360 Personalization Recommendation Compliance
DATA INGEST
INDEX & SEARCH
Deployment
DSE Graph Data Model Powers Customer 360
• Massively scalable, distributed graph
database optimized for storing, traversing and
querying complex graph data in real-time
• Uses Gremlin graph traversal language
• Analytics on graph data supported via Spark
• Supports complex text search
32
DSE Graph provides a contextual view of your
customers by revealing the complex relationships
among your customer data across all touchpoints.
Better Banking Experience with Great Customer Data
33
Mobile Web
Mobile Banking
Customer Service
Internal Data(DB2)
External Data
Complaints
Channel
Customer
Relationships
Transactions
Products
Interactions
Credit Reference
Agencies
Social MediaPitchbook
CACI
PSD2
GDPR
MULTINATIONAL
COMPANY IN FINANCIAL
SERVICES
CX DATA FRAMEWORK
CX Data Platform (DSE)ANALYTICS
APIS
DATA MODEL DATA QUALITY
GOVERNANCE
MATCH & RELATE
SECURITY & ACCESS
Testing MonitorDevelopmentArchitecture
C360 Personalization Recommendation Fraud
DATA INGEST
DATA SYNC
Deployment
We are the powerbehind the moment.
© 2017 DataStax, All Rights Reserved. Company Confidential
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
Self help materials
A Pocket guide
www.itgovernance.co.uk/shop/P
roduct/eu-gdpr-a-pocket-guide
Implementation manual
www.itgovernance.co.uk/shop/Pr
oduct/eu-general-data-protection-
regulation-gdpr-an-
implementation-and-compliance-
guide
Documentation toolkit
www.itgovernance.co.uk/shop/P
roduct/eu-general-data-
protection-regulation-gdpr-
documentation-toolkit
Compliance gap assessment
tool
www.itgovernance.co.uk/shop/Pr
oduct/eu-gdpr-compliance-gap-
assessment-tool
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
Training
One-Day accredited Foundation course (classroom, online, distance
learning)
www.itgovernance.co.uk/shop/Product/certified-eu-general-data-
protection-regulation-foundation-gdpr-training-course
Four-Day accredited Practitioner course (classroom, online, distance
learning)
www.itgovernance.co.uk/shop/Product/certified-eu-general-data-
protection-regulation-practitioner-gdpr-training-course
One-Day data protection impact assessment (DPIA) workshop
(classroom)
www.itgovernance.co.uk/shop/Product/data-protection-impact-
assessment-dpia-workshop
TM
www.itgovernance.co.uk
Copyright IT Governance Ltd 2017 – v1.0
GDPR compliance programme support
• Gap analysis
• Unless you have a team in place, external experienced support can be valuable and independent means of assessing the exact standing of your current legal situation, security practices and operating procedures in relation to the DPA or the GDPR.
• Data flow audit
• Data mapping involves plotting out all of your data flows, which involves drawing up an extensive inventory of the data to understand where the data flows from, within and to. This type of analysis is a key requirement of the GDPR.
• Implementing a personal information management system (PIMS)
• Establishing a PIMS as part of your overall business management system will ensure that data protection management is placed within a robust framework, which will be looked upon favourably by the regulator when it comes to DPA compliance.
• Implementing an compliant ISMS with ISO 27001
• ISO27001 is an effective foundation in complying with GDPR. It can be daunting, external help can also help establish an ISO 27001 compliant Information Management Security System quickly and without the hassle, no matter where your authority is located.
• Cyber health check
• A cyber Health Check combined with remote vulnerability assessments can be useful in assessing your cyber risk exposure.
www.itgovernance.co.uk/dpa-compliance-consultancy
Questions?