Data Governance Compliance for GDPR - dama-ny.com

Monday, June 18, 2018 Information Asset Confidential

Data Governance Compliance for GDPR

Sunil Soares

Founder & Managing Partner

[email protected]

www.information-asset.com

(201) 693-2216


Information Asset

• Boutique consulting firm focused on Data Governance

• End-to-end services for the Data Governance Lifecycle including Consulting, Training, Tool Evaluation and Product Implementation

• More than 50 Data Governance projects since inception


Founder Profile – Sunil Soares

Sunil Soares, Founder & Managing Partner

Sunil Soares is the Founder & Managing Partner of Information Asset, a consulting firm that specializes in helping organizations build out their data governance programs. Prior to this role, Sunil was the Director of Information Governance at IBM.

• Sunil’s first book The IBM Data Governance Unified Process detailed the fourteen steps to implement a data governance program.

• Sunil’s second book Selling Information Governance to the Business: Best Practices by Industry and Job Function has separate chapters for banking, insurance, healthcare, manufacturing, retail, travel and transportation, government, oil and gas, telecommunications, and utilities.

• Sunil’s third book Big Data Governance: An Emerging Imperative deals with the governance of big data.

• Sunil’s fourth book IBM InfoSphere: A Platform for Big Data Governance and Process Data Governance deals with the governance of Big Data.

• Sunil’s fifth book is on Data Governance Tools.

• Sunil’s sixth book is The Chief Data Officer Handbook for Data Governance.

• Sunil’s seventh book is Data Governance Compliance for BCBS 239 and DFAST.


1. GDPR Overview


About the EU General Data Protection Regulation

• The EU published the General Data Protection Regulation (GDPR) in May 2016

• After a two-year transition period, the GDPR took effect on May 25, 2018

• The GDPR applies to the processing of personal data of all data subjects, including customers, employees, and prospects

• Non-compliance with the GDPR may result in huge fines, which can be up to the higher of €20M or four percent of the organization’s total worldwide annual turnover for the preceding financial year


Global Data Privacy is Multi-Dimensional

• Multiple subject areas – Customer, Employee, Citizen, Vendor…

• Emerging data types – Internet of Things, Biometrics…

• Multiple jurisdictions – EU, Canada, Australia, U.S.…

• Rapidly changing regulations – GDPR, CASL, HIPAA…


A 16 Step Data Governance Plan for GDPR Compliance

1. Develop Policies, Standards & Controls

2. Create Data Taxonomy

3. Confirm Data Owners

4. Identify Critical Datasets & Critical Data Elements

5. Establish Data Collection Standards

6. Define Acceptable Use Standards

7. Establish Data Masking Standards

8. Conduct Data Protection Impact Assessments

9. Conduct Vendor Risk Assessments

10. Improve Data Quality

11. Stitch Data Lineage

12. Govern Analytical Models

13. Manage End User Computing

14. Govern the Lifecycle of Information

15. Set up Data Sharing Agreements

16. Enforce Compliance with Controls


Step 1: Develop Policies, Standards and Controls

(Diagram: Data Governance, Metadata Management, Data Security)

Data Security Policies, Standards and Controls

Data Security Policy → Data Security Standards → Data Security Processes → Data Security Controls

Policy: Support Primary Security Objectives of Organization
Standard: Data Breach Notification
Process: Notification to Data Subject; Notification to Authorities
Control: Notify data subjects of a data breach; notify the supervisory authority within 72 hours of becoming aware of the data breach

Regulations cited:

• California Civil Code, Division 3, Part 4, Title 1.8 Personal Data, §1798.29: “Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California”

• General Data Protection Regulation (GDPR) – Article 33: Notification of a personal data breach to the supervisory authority

• General Data Protection Regulation (GDPR) – Article 34: Communication of a personal data breach to the data subject


Step 2: Create Data Taxonomy

• Collaborate with data architecture to classify data into categories and sub-categories – Customer, employee, prospect, vendor, franchisee

• Example for employees: Employee → Salary & Benefits; Identity; Contacts; Health information; Social media; Employee Performance


Step 3: Confirm Data Owners – Acceptable Use

(Org chart, reconstructed from the slide layout)

Strategic – Board
• Cross functional leadership team
• Champions data governance strategy
• Sets direction and objectives
• Final Approver on “Approved Use” of data

Tactical – Advisory Council
• Ensures adoption
• Champions compliance
• Establishes accountability and ownership

Operational – Data Steward Forums
• Defines, executes and monitors governance processes and metrics
• Integrates acceptable use rules
• Ensures adherence of data domains across the enterprise

Roles shown: Data Governance Leader; Managing Data Stewards; Data Stewards; Legal, Risk, Compliance, Privacy, HR, and Info Security advisors; Business SMEs; Technical SMEs; Head of HR; Data Officer; General Counsel; Executive Data Owners; CISO; Marketing Officer; Privacy Officer


Step 4: Identify Critical Datasets & Critical Data Elements

• GDPR Article 4 defines ‘personal data’ as any information relating to an identified or identifiable natural person… by reference to an identifier such as name, identification number, location data, an online identifier…

• GDPR Article 9 restricts the processing of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership…

• Data Governance must work with Legal and Privacy to define ‘personal data’ for the GDPR

• Example: an item code ‘Halal’ may be covered by Article 9 because it may point to a data subject’s religion


Steps 5 & 6: Data Collection & Acceptable Use Standards

• GDPR Article 6 – Lawfulness of Processing

• GDPR Article 7 – Conditions for Consent

• Data Governance must establish controls so that Legal and Privacy sign off on data collection for any new project during the design phase

• Example: creating an Enterprise Consent Repository with MDM


Step 7: Establish Data Masking Standards

• GDPR Recital 26 states that the principles of data protection do not apply to anonymous information; the same recital makes clear that pseudonymised data, which can still be attributed to a person with the help of additional information, remains personal data. Article 11 covers processing which does not require identification

• GDPR Article 32 deals with the security of processing (technical and organizational measures such as pseudonymisation and encryption of personal data)

• Example: anonymizing salary and benefits data for data science and analytics


Steps 8 & 9: Risk Assessments

8. Data Protection Impact Assessments (GDPR Article 35)

• May be required in cases such as where there are new data types or special categories of data such as race or ethnic origin

• Establish controls to determine whether an assessment is required when collecting or using new types of data or starting a new project

9. Vendor Risk Assessments (GDPR Article 28 – Processor)

• Data governance must ensure that legal and compliance sign off on Vendor Risk Assessments prior to sharing any personal data with vendors

• If the vendor shares any personal data with downstream processors (sub-processors), then legal and compliance need to sign off on vendor risk assessments with the downstream processors as well

OneTrust GDPR Questionnaire (screenshot)

OneTrust GDPR Risk Reporting (screenshot)

OneTrust Custom Questionnaire for CASL (screenshots)

Step 10: Data Quality (GDPR Article 16 – Right to rectification)

• The FTC FIPPs require that information collectors ensure that the data they collect is accurate and secure

• Create data standards, data quality dashboards or glossaries

• Remediate data issues


Step 11 : Stitch Data Lineage

• GDPR Article 30 requires organizations to maintain a record of processing activities

• This record must include:
– a description of the categories of data subjects and of the categories of personal data;
– the categories of recipients of personal data, including those in third countries or international organizations;
– transfers of personal data to a third country or an international organization

• The recordkeeping requirements also extend to so-called processors who process data on behalf of an organization

• Critical Step → Mapping of personal data elements to applications


Step 12 : Govern Analytical Models

• GDPR Article 22 deals with automated individual decision-making, including profiling

• Under many privacy laws, automated processing is required to be disclosed and its results are subject to data subject access

• “Disparate Treatment” (the model uses a protected attribute directly) versus “Disparate Impact” (a facially neutral feature produces unequal outcomes for a protected group)

• Example: predictive models may highlight that employees who live closer to work stay longer in their jobs, but the models may then discriminate against minority candidates in certain zip codes
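The disparate-impact point above, as an added worked example (not code from the presentation or its author): a constructed retention model that only looks at whether a candidate lives close to work, applied to a constructed candidate list whose minority group (B) mostly lives in the far zip codes. The model never reads the group label, so there is no disparate treatment, yet the selection rates diverge. The four-fifths screen is the conventional adverse-impact threshold from the US Uniform Guidelines on Employee Selection Procedures and is an assumption of this example, not something the presentation or GDPR prescribes. Candidates, groups and zip codes are all constructed.

```python
"""Added example: disparate impact vs. disparate treatment for a hiring/retention
model. Candidate data, zip codes and the model are constructed for illustration.
The 80% (four-fifths) screen is the US Uniform Guidelines convention, assumed here."""
from collections import defaultdict

# Constructed feature: zip codes the model treats as "close to work".
CLOSE_ZIPS = {"10001", "10002"}


def model(candidate):
    """Constructed retention model: predicts 'stays' (1) purely from proximity.
    It never reads `group`, so there is no disparate treatment in the model itself."""
    return 1 if candidate["zip"] in CLOSE_ZIPS else 0


# Constructed candidate list: group A mostly lives in the close zips, group B
# (the protected group in this example) mostly in the far ones.
CANDIDATES = [
    {"id": "A1", "group": "A", "zip": "10001"}, {"id": "A2", "group": "A", "zip": "10001"},
    {"id": "A3", "group": "A", "zip": "10002"}, {"id": "A4", "group": "A", "zip": "10002"},
    {"id": "A5", "group": "A", "zip": "10001"}, {"id": "A6", "group": "A", "zip": "10002"},
    {"id": "A7", "group": "A", "zip": "10001"}, {"id": "A8", "group": "A", "zip": "11432"},
    {"id": "A9", "group": "A", "zip": "11433"}, {"id": "A10", "group": "A", "zip": "10002"},
    {"id": "B1", "group": "B", "zip": "11432"}, {"id": "B2", "group": "B", "zip": "11433"},
    {"id": "B3", "group": "B", "zip": "11432"}, {"id": "B4", "group": "B", "zip": "10001"},
    {"id": "B5", "group": "B", "zip": "11433"}, {"id": "B6", "group": "B", "zip": "11432"},
    {"id": "B7", "group": "B", "zip": "10002"}, {"id": "B8", "group": "B", "zip": "11433"},
    {"id": "B9", "group": "B", "zip": "11432"}, {"id": "B10", "group": "B", "zip": "10001"},
]

FOUR_FIFTHS = 0.8  # assumed screening threshold (US Uniform Guidelines convention)


def selection_counts(candidates):
    """{group: (selected, total)} under `model`."""
    sel, tot = defaultdict(int), defaultdict(int)
    for c in candidates:
        tot[c["group"]] += 1
        sel[c["group"]] += model(c)
    return {g: (sel[g], tot[g]) for g in tot}


def impact_ratio(candidates, protected="B", reference="A"):
    """Adverse impact ratio = rate(protected) / rate(reference).
    Computed from integer counts so the result is exact (30/80 below, not 0.3/0.8)."""
    counts = selection_counts(candidates)
    sel_p, tot_p = counts[protected]
    sel_r, tot_r = counts[reference]
    return (sel_p * tot_r) / (sel_r * tot_p)


def has_disparate_impact(candidates, protected="B", reference="A"):
    return impact_ratio(candidates, protected, reference) < FOUR_FIFTHS


def treatment_gap(candidates, feature="zip"):
    """Largest difference in selection rate between groups among candidates that share
    the same feature value. 0.0 means equals are treated equally: any disparity comes
    from how the groups are distributed over the feature, not from the model reading `group`."""
    cells = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # feature -> group -> [selected, total]
    for c in candidates:
        cell = cells[c[feature]][c["group"]]
        cell[0] += model(c)
        cell[1] += 1
    gap = 0.0
    for groups in cells.values():
        rates = [s / n for s, n in groups.values()]
        gap = max(gap, max(rates) - min(rates))
    return gap


def proxy_strength(candidates, feature="zip", protected="B"):
    """How far a feature value shifts the probability of belonging to the protected
    group away from the base rate. Values near 0.5 mean the feature is a near-perfect
    proxy for group membership and should be reviewed before the model is approved."""
    base = sum(c["group"] == protected for c in candidates) / len(candidates)
    cnt = defaultdict(lambda: [0, 0])  # feature value -> [protected, total]
    for c in candidates:
        cnt[c[feature]][0] += c["group"] == protected
        cnt[c[feature]][1] += 1
    return max(abs(p / n - base) for p, n in cnt.values())


if __name__ == "__main__":
    print("selection counts:", selection_counts(CANDIDATES))
    print("impact ratio:", impact_ratio(CANDIDATES), "flag:", has_disparate_impact(CANDIDATES))
    print("treatment gap within zip:", treatment_gap(CANDIDATES))
    print("zip as proxy for group:", proxy_strength(CANDIDATES))
```

On this data the model selects 8 of 10 in group A and 3 of 10 in group B, an impact ratio of 0.375, while the treatment gap within any single zip code is zero: the governance review (Step 12) has to test outcomes by group, not just confirm that the protected attribute is absent from the feature list.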


Step 13: Manage End User Computing

• End User Computing (EUC) applications are outside the control of the IT department

• EUCs include Microsoft Excel spreadsheets, Microsoft Access databases and SharePoint repositories

• EUCs may contain personal data that is still subject to GDPR compliance, including data masking requirements

• Example: reclaiming control over user-managed personal data with self-service tools


Step 14: Govern the Lifecycle of Information

• GDPR Article 17 deals with the Right to Erasure, or the ‘Right to be Forgotten’

• Manage information throughout its lifecycle (ILM), from creation through disposal, including compliance with legal, regulatory, and privacy requirements

• Manage retention schedules

• Example: How do you forget a data subject if you do not know where their information resides in the first place?
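Steps 11 and 14 both hinge on knowing which systems hold which personal data elements. As an added example (not code from the presentation), the following toy lineage map answers the two questions the slides raise: which recipients, processors and third-country transfers an Article 30 entry for an element must list, and which systems an Article 17 erasure request has to be fanned out to. It also flags a system that a discovery scan found but the lineage map does not know about, which is exactly the situation the Step 14 question describes. System names, countries, roles and data flows are constructed, and the EEA set is truncated to the countries the example uses.

```python
"""Added example: a toy data-lineage map used for Article 30 records and Article 17
erasure fan-out. Every system, country, role and flow here is constructed."""
from collections import deque

ROOT = "HRIS"  # constructed system of record where an employee's data originates

# Constructed flows: (source system, target system, personal data elements carried).
FLOWS = [
    ("HRIS", "Payroll", {"employee_id", "name", "bank_account", "salary"}),
    ("HRIS", "Benefits Vendor", {"employee_id", "name", "date_of_birth", "health_plan"}),
    ("Benefits Vendor", "Claims Subprocessor", {"employee_id", "health_plan"}),
    ("HRIS", "People Analytics", {"employee_id", "salary", "home_zip", "manager"}),
    ("Payroll", "Tax Filing", {"employee_id", "name", "salary"}),
]

# Constructed: hosting country and GDPR role of each system.
SYSTEMS = {
    "HRIS": ("IE", "controller"),
    "Payroll": ("IE", "controller"),
    "Benefits Vendor": ("US", "processor"),
    "Claims Subprocessor": ("IN", "sub-processor"),
    "People Analytics": ("DE", "controller"),
    "Tax Filing": ("IE", "processor"),
}
EEA = {"IE", "DE"}  # truncated to the countries used in this example


def holders(element, root=ROOT):
    """Every system that holds `element`: breadth-first walk from the system of record,
    following only the flows that actually carry that element."""
    held, queue = {root}, deque([root])
    while queue:
        node = queue.popleft()
        for src, dst, elems in FLOWS:
            if src == node and element in elems and dst not in held:
                held.add(dst)
                queue.append(dst)
    return held


def article30_entry(element):
    """Recipient-side fields of an Article 30 record for one data element:
    all recipients, which of them are (sub-)processors, and transfers outside the EEA."""
    recipients = holders(element) - {ROOT}
    return {
        "element": element,
        "recipients": sorted(recipients),
        "processors": sorted(s for s in recipients if SYSTEMS[s][1] != "controller"),
        "third_country_transfers": sorted(
            (s, SYSTEMS[s][0]) for s in recipients if SYSTEMS[s][0] not in EEA
        ),
    }


def erasure_fanout(subject_elements):
    """Article 17: every system that must act on an erasure request for a subject
    whose record contains `subject_elements`."""
    targets = set()
    for element in subject_elements:
        targets |= holders(element)
    return sorted(targets)


# Constructed result of a discovery scan for employee_id across the estate:
# it found one more place than the lineage map knows about.
DISCOVERED = set(SYSTEMS) | {"Shared Drive Export"}


def unmapped_holders(element="employee_id"):
    """Systems where the scan found `element` but no lineage reaches: an erasure
    request fanned out from the map alone would miss them."""
    return sorted(DISCOVERED - holders(element))


if __name__ == "__main__":
    print(article30_entry("health_plan"))
    print(article30_entry("salary"))
    print("erase at:", erasure_fanout({"name", "health_plan"}))
    print("not in lineage:", unmapped_holders())
```

The walk follows an element only along edges that carry it, so `salary` reaches Tax Filing through Payroll but never reaches the claims sub-processor, while `health_plan` crosses two borders. The `unmapped_holders` check is the practical answer to the Step 14 question: reconcile discovery results against the lineage map before trusting it for erasure.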


Step 15: Data Sharing Agreements

Create Data Sharing Agreements (GDPR Article 28 – Processor, GDPR Article 46 – Transfers subject to appropriate safeguards)

“Data contracts” between divisions of the same company, legal entities or platform/application stakeholders

• Can be associated with “model contracts”, “intercompany data transfer agreements” or “Data User Agreements” to comply with the EU Data Protection Directive / GDPR, or HIPAA


Step 15: Data Sharing Agreements (cont’d)

• A Data Sharing Agreement (DSA) documents what data is being shared and how the data can be used:
─ List of attributes being shared
─ Acceptable use standards for data being shared
─ Responsibility for data quality
─ Restrictions on how data may be shared with downstream consumers, or being re-identified or combined with other data sets

• Data Movement Agreements (DMAs) are more technically focused:
─ Ties physical data elements to a consuming system
─ One or more DMAs can be tied to a DSA


Step 16: Enforce Compliance with GDPR Controls

GDPR Article (sample) – GDPR Description – GDPR Controls

Article 6 – Lawfulness of processing
• Sign-offs by legal and compliance during the design phase of any new project that requires the processing of personal data

Article 7 – Conditions for consent
• Obtain informed consent of data subjects

Article 9 – Processing of special categories of personal data, such as race and ethnic origin
• Identification of special data categories as CDEs
• Sign-off by legal and compliance on usage of special categories of data during the design phase of a project

Article 11 – Processing which does not require identification
• Data masking

Article 30 – Records of processing activities
• Data lineage for sensitive data within the enterprise and extending to processors and sub-processors


2. Employee Data Privacy Deep Dive


Employee Data Privacy Deep Dive

Emergence of Big Data Analytics on Employee Data

Laws and Regulations Impact Ability to Collect and Use Information

Unique Privacy and Protection Challenges for Employee Data

Managing Through Data Governance


Employers have a lot of Information

It’s Growing, and is Easier to Obtain

Changing Policy: BYOD, Telecommuting, Social Media for work…

Business Data: HR Data, Benefits Data, Compliance Data, Email & Chat, Physical Access / Real Estate, Information Security, Web Logs

Personal Data: Social Media, Wearables, GPS Location, Cafeteria transactions… and there’s more

Technology: so many, many more…


There is Value in Mining Employee Data

And Not Just for HR and Talent

Questions the slide poses (panels: HR & Talent, Cyber Security, ?):
• Who are my top talent?
• What indicates if a candidate will be successful at my company?
• Will employees having Fitbits reduce my health care costs?
• What life events should trigger compliance reporting?
• What work spaces lead to the most successful collaboration?
• Who is most likely to exfiltrate confidential information?
• Can we catch fraud before it occurs?
• Which employees may be at risk for leaving the company?


Companies are Investing in Analytics

(Infographic with panels HR & Talent, Cyber Security and Other Functions; the percentage callouts 43%, 86% and 56% could not be re-associated with their captions during extraction)

• Participants reported that creating or maturing their people analytics function is a strategic priority
• Since 2014, the increase in the number of employers using wearable technology as part of their HR strategies
• The proportion of CRE organizations that expect to be “data driven” will double from 2014 to 2017
• 30% of organizations had endured at least one insider attack in the previous year
• 4.6% increase nationwide from 2015 to 2016 in “Statistician” roles

Citations: Trends in People Analytics, PwC, 2015; 2015 survey by HR technology consulting firm Sierra-Cedar Inc.; Forrester study on behalf of JLL, June 2014; Annual cybercrime survey jointly conducted by CSO Magazine, the U.S. Secret Service, PricewaterhouseCoopers, and the Software Engineering Institute CERT program; Bureau of Labor Statistics for “Statisticians” (SOC 15-2041), August 2016


What Legal Guardrails are There?

Anti-Discrimination laws: products that flag health or mental illness, or perceived health or mental illness issues

Workplace Monitoring: three sets of laws – privacy, secrecy of correspondence, employment laws

EU Data Privacy: the use of big data/predictive analytics is highly restricted under EU Member State law; was it compatible with the original purpose?

Private Activities / Concerted Activities: using information collected from outside the workplace (such as on social media); restrictions imposed by the NLRB relating to concerted activity

Social Media Passwords: in many US states, employers may not request or obtain employees’ passwords to social media sites

Least Intrusive Method: must demonstrate that collection and use is the least privacy-intrusive method of accomplishing the purpose

Right to Access: employees have the right to access personal information that is held about them, even predictive model outcomes


Fair Information Principles

Virtually every privacy law in the world is based on the Fair Information Principles

Any program needs to take these into consideration

✓Notice

✓Choice

✓Use Limitation

✓Access / Correction

✓Integrity / Accuracy / Quality

✓Minimization / Retention

✓Security

✓Monitoring and Enforcement


Ethical Considerations

Is this the type of organization we want to be?

Is this activity consistent with our core values as a company?

How would our employees feel if they learned about this activity?

How would our customers feel if they learned about this activity?

Would we be comfortable if this were on the front page of the newspaper?


Just “Mask” the Data … But How?

Data Masking: hiding original data with random characters or data. Two approaches to data masking:
• Mask sensitive data elements
• Mask the identifiers

De-identification: severing a data set from the identifiers, but it may include preserving identifying information which could be re-linked in certain situations

Anonymization: removing or scrambling all “identifiers” so that a person can never be re-identified. If it can be re-identified, then it may not meet regulatory requirements

Open questions:
• What are the identifiers?
• Sensitive data is often needed for analysis (compensation, date of birth, etc.)
• Can’t be combined with other data sets – even if not sensitive


What are the Employee Identifiers ?

< Page Left Intentionally Blank Prior To Session for Exercise >



What are Employee Identifiers?

Typical Identifiers (Intended 1:1)
• Name (first, middle, last)
• SSN / TIN (other government IDs)
• Home Street Address
• Home/Cell Phone Number
• Personal Email address
• IP addresses

Business Identifiers (Intended 1:1)
• Employee #
• Business (Internal) Phone Number
• “Work” Address
• Seat #
• Business email address
• System ID

Business Identifiers (Largely Unique)
• Business/Job Title
• “Cost Center”

Business Identifiers (Data Combinations)
• Manager &…
• Location &…
• Worker Type &…
• … others…?


One Size Does Not Fit All Business Needs

• Requires an understanding of your data and the public “decoder ring” (e.g. the Employee Directory)
• Combining data sets can make data more identifiable
• May need to take a different approach for “special” populations
• Full de-identification may not be reasonably achievable – take a risk-based approach that relies on other security controls
• May change the focus to dissemination versus access
• Technology is emerging that can help
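An added example (not code from the presentation) that makes the “decoder ring” point, and the Step 7 masking discussion, concrete. The salary extract below has had its direct identifiers removed, yet the three business identifiers the identifier slides list under “data combinations” (manager, location, worker type) still single out two people once the extract is joined to the constructed employee directory. The same code shows a keyed pseudonym for a direct identifier, a k-anonymity check over the quasi-identifier columns, and the generalisation that makes the release safe. All records, names and the HMAC key are constructed.

```python
"""Added example: masking direct identifiers is not enough when quasi-identifiers
remain. Records, directory, and key are constructed for illustration."""
import hashlib
import hmac
from collections import Counter

KEY = b"constructed-secret-key-rotate-me"  # would come from a KMS/HSM in practice

# Constructed analytics extract: name and employee # already removed, salary kept
# because the analysts need it. Manager/location/worker_type are quasi-identifiers.
EXTRACT = [
    {"manager": "M-17", "location": "Dublin", "worker_type": "Contractor", "salary": 91000},
    {"manager": "M-17", "location": "Dublin", "worker_type": "Employee", "salary": 78000},
    {"manager": "M-17", "location": "Dublin", "worker_type": "Employee", "salary": 82000},
    {"manager": "M-22", "location": "Dublin", "worker_type": "Employee", "salary": 65000},
    {"manager": "M-22", "location": "Berlin", "worker_type": "Employee", "salary": 99000},
    {"manager": "M-22", "location": "Berlin", "worker_type": "Employee", "salary": 101000},
]

# Constructed "decoder ring": the internal directory every employee can read.
DIRECTORY = [
    {"name": "A. Byrne", "manager": "M-17", "location": "Dublin", "worker_type": "Contractor"},
    {"name": "C. Doyle", "manager": "M-17", "location": "Dublin", "worker_type": "Employee"},
    {"name": "E. Fahy", "manager": "M-17", "location": "Dublin", "worker_type": "Employee"},
    {"name": "G. Hahn", "manager": "M-22", "location": "Dublin", "worker_type": "Employee"},
    {"name": "I. Jung", "manager": "M-22", "location": "Berlin", "worker_type": "Employee"},
    {"name": "K. Lang", "manager": "M-22", "location": "Berlin", "worker_type": "Employee"},
]
QUASI = ("manager", "location", "worker_type")


def pseudonymise(value, key=KEY):
    """Keyed pseudonym for a direct identifier. HMAC rather than a bare hash: an
    unkeyed SHA-256 of an employee number is reversible by hashing every possible
    number. Under Recital 26 the output is still personal data while the key exists."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def qi(record, cols=QUASI):
    """The quasi-identifier tuple of one record."""
    return tuple(record[c] for c in cols)


def k_anonymity(rows, cols=QUASI):
    """Size of the smallest group of rows sharing the same quasi-identifier values.
    k == 1 means at least one row is unique on those columns."""
    return min(Counter(qi(r, cols) for r in rows).values())


def reidentify(rows, directory, cols=QUASI):
    """Join the extract to the directory on the quasi-identifiers. Wherever the
    combination is unique in the directory, the 'anonymous' salary gets a name."""
    names_by_qi = {}
    for d in directory:
        names_by_qi.setdefault(qi(d, cols), []).append(d["name"])
    hits = {}
    for r in rows:
        names = names_by_qi.get(qi(r, cols), [])
        if len(names) == 1:
            hits[names[0]] = r["salary"]
    return hits


def generalise(rows, drop=("manager", "worker_type")):
    """Coarsen the extract by removing the most identifying quasi-identifiers;
    what remains must be re-checked with k_anonymity on the surviving columns."""
    return [{k: v for k, v in r.items() if k not in drop} for r in rows]


if __name__ == "__main__":
    print("k before:", k_anonymity(EXTRACT))
    print("re-identified:", reidentify(EXTRACT, DIRECTORY))
    safe = generalise(EXTRACT)
    print("k after:", k_anonymity(safe, cols=("location",)))
    print("re-identified after:", reidentify(safe, DIRECTORY, cols=("location",)))
    print("pseudonym:", pseudonymise("E-1001"))
```

With the full quasi-identifier set the extract is 1-anonymous and the join names the only contractor under M-17 and the only M-22 report in Dublin, salaries included. Dropping manager and worker type leaves location only, every location has at least two people, and the join returns nothing; that is the check a data-sharing agreement’s “may not be re-identified or combined with other data sets” clause needs behind it.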


Managing Through Data Governance

Goal of Privacy for Supporting Employee “Big Data” Efforts
• Enable businesses to gather high quality insights
• Ensure compliance with privacy laws
• Limit the invasion of privacy (or the perception of invasion of privacy)
• Protect the data

Data Governance provides a mechanism to document, govern and monitor:
• Legal/Regulatory requirements
  ✓ Notice
  ✓ Consent
  ✓ Use Limitation
  ✓ Access & Correction
• Ethical Considerations

Provide clear direction to people using the data!


Suggested Next Steps Towards GDPR Compliance

• Define ‘personal data’ for GDPR with respect to your organization

• Map personal data elements to applications

• Above all, drive alignment between Legal, Compliance, Privacy and Enterprise Data Management to re-use the existing data governance program to support GDPR compliance


3. Reference Architecture


No Single Vendor Supports all of GDPR Compliance


Data Governance Policies, Standards, Controls, Regulations, Citations, Jurisdictions & Business Terms

(Metadata model diagram linking: Jurisdiction, Regulation, Citation, Policy, Standard, Control, Business Term)


Data Lineage includes data sharing agreements and data lineage out of Workday


Identify Critical Data Elements: Term Detail Page (screenshot)


Profile Details in Data Catalog


IT Creates Security Policies

Pessimistic Access by Tag Policy: access is denied by default and enabled only through a Tag Policy.

IT Discovers Hidden Sensitive Data

Explicit and derived lineage; show all data sets that have sensitive data.

IT Protects Sensitive Data: Waterline Data

Tag-based access controls; masking and filtering by Waterline-discovered tags.
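The three slides above describe a pattern rather than an API: a discovery scan tags columns, a pessimistic policy denies access unless a tag policy grants it, and the grant can be “show”, “mask” or “drop” per tag. The following is an added illustration of that pattern in plain Python; it is not Waterline Data’s software or API, and every catalog entry, role, tag and row is constructed. A column carrying several tags gets the most restrictive decision among them, and a column with no tag is treated as not yet classified, which a pessimistic policy also denies unless the role is explicitly granted “untagged”.

```python
"""Added example: pessimistic, tag-driven column access with masking/filtering.
Not a vendor API; catalog, tags, roles and rows are constructed."""

# Tags that a (constructed) discovery scan attached to each column.
CATALOG = {
    "hr.employees": {
        "employee_id": {"identifier"},
        "name": {"identifier", "pii"},
        "salary": {"pii", "compensation"},
        "health_plan": {"pii", "special_category"},
        "cost_center": set(),  # scanned but nothing matched: unclassified
    },
    "finance.ledger": {
        "vendor_name": {"pii"},
        "amount": set(),
    },
}

# Tag policies: role -> {tag: action}. Anything not listed is denied (pessimistic).
# The analyst may see pii values but identifiers are masked and there is no
# grant at all for special_category data.
TAG_POLICIES = {
    "hr_admin": {"identifier": "show", "pii": "show", "compensation": "show",
                 "special_category": "show", "untagged": "show"},
    "analyst": {"identifier": "mask", "pii": "show", "compensation": "show"},
    "contractor": {},
}
SEVERITY = {"show": 0, "mask": 1, "drop": 2}


def decide(role, tags):
    """Most restrictive action across a column's tags. A tag with no grant for the
    role, and an unclassified column without an 'untagged' grant, both yield 'drop'."""
    policy = TAG_POLICIES.get(role, {})
    decision = "show"
    for tag in (tags or {"untagged"}):
        action = policy.get(tag, "drop")
        if SEVERITY[action] > SEVERITY[decision]:
            decision = action
    return decision


def mask(value):
    """Keep the first character, star the rest (constructed masking rule)."""
    text = str(value)
    return text[:1] + "*" * (len(text) - 1)


def apply_policy(role, table, rows):
    """Return (rows the role may see, per-column decisions for the audit log).
    Columns absent from the catalog have never been scanned and are dropped too."""
    decisions = {col: decide(role, tags) for col, tags in CATALOG[table].items()}
    visible = []
    for row in rows:
        view = {}
        for col, val in row.items():
            action = decisions.get(col, "drop")
            if action == "show":
                view[col] = val
            elif action == "mask":
                view[col] = mask(val)
        visible.append(view)
    return visible, decisions


def datasets_with_tag(tag):
    """'Show all data sets that have sensitive data' for one tag."""
    return sorted(t for t, cols in CATALOG.items() if any(tag in tags for tags in cols.values()))


# Constructed rows.
ROWS = [{"employee_id": "E-1001", "name": "C. Doyle", "salary": 78000,
         "health_plan": "Gold", "cost_center": "CC-41"}]

if __name__ == "__main__":
    for role in TAG_POLICIES:
        rows, decisions = apply_policy(role, "hr.employees", ROWS)
        print(role, rows, decisions)
    print(datasets_with_tag("pii"))
```

For the analyst the name column is masked even though “pii” alone would show it, because the “identifier” tag on the same column is more restrictive, and health_plan is dropped because nothing grants “special_category”; the contractor, with no tag policy at all, gets an empty row. Keeping the per-column decisions alongside the rows is what lets the Step 16 control be evidenced rather than asserted.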


4. Data Sovereignty


Fair Information Practice Principles (FIPPs)

The eight fair information principles (from the OECD Guidelines on the Protection of Privacy) are listed below:

Principle – Guideline

1. Collection Limitation Principle – There should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

2. Data Quality Principle – Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

3. Purpose Specification Principle – The purposes for which personal data are collected should be specified not later than at the time of data collection, and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

4. Use Limitation Principle – Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified, except with the consent of the data subject or by the authority of law.


Fair Information Practice Principles (FIPPs) (cont’d)

Principle – Guideline

5. Security Safeguards Principle – Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.

6. Openness Principle – There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

7. Individual Participation Principle – An individual should have the right:
• to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
• to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him;
• to be given reasons if a request made under the two preceding points is denied, and to be able to challenge such denial; and
• to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

8. Accountability Principle – A data controller should be accountable for complying with measures that give effect to the principles stated above.


PRC Cyber Security Law

• China: In November 2016, the People’s Republic of China passed the Cybersecurity Law, which took effect on June 1, 2017. The law has been formulated to ensure network security, preserve cyberspace sovereignty and national security, and to protect the lawful rights and interests of citizens, legal persons, and other organizations. Companies operating in China must store any “personal information and other important data” gathered in-country on servers physically located within mainland China and must employ only technology deemed “secure.” (Under Article 37 the localization obligation is placed on operators of critical information infrastructure; how broadly that scope and “important data” would be applied was still awaiting guidance.) Data should not be stored outside the PRC. Any data that needs to be transferred for any business purposes will require governmental permission. Failure to comply with the PRC Cybersecurity Law may result in fines for companies and personally responsible individuals, as well as revoked business licenses, website shutdowns, and other civil and criminal punishments. Organizations should continue to keep an eye out for additional guidance published by Chinese authorities to alleviate the existing uncertainty.

Map taken from https://www.cnil.fr/en/data-protection-around-the-world


Russian Federation Data Localization Law

• Russian Federation: In September 2015, Federal Law 242-FZ (Law 242),a personal data localization law enforced by Russia’s Data Protection Authority, Roskomnadzor, came into force. It covers data operators of Russian companies and foreign companies with a presence in Russia that collect personal data about Russian citizens. These operators must initially “record, systematize, accumulate, store, amend, update, retrieve, and extract” data using databases physically located in Russia. Personal data of Russian nationals can still be transferred to foreign databases, but only after having first been processed in Russia and subject to compliance with Russian cross-border transfer rules. Although penalties for noncompliance had not been finalized at the time of the presentation, they most likely will range from fines to, in extreme cases, Roskomnadzor’s recommendation to block access to a foreign company’s online services (e.g., the block of LinkedIn® in 2016 as a result of that company’s failure to transfer Russian user data to data servers physically located in Russia).

Map taken from https://www.cnil.fr/en/data-protection-around-the-world


Australia’s Privacy Act

Australia’s Privacy Act 1988 regulates the handling of personal information about individuals. There are 13 Australian Privacy Principles (APPs), which regulate the collection, use, storage, and disclosure of “personal information” as well as ensure that individuals can access and correct their information. In 2012, Australia introduced the Privacy Amendment (Enhancing Privacy Protection) Act, which gives power to the Office of the Australian Information Commissioner (OAIC), an independent statutory agency, to monitor compliance with privacy policies and the handling of personal information.

Map taken from https://www.cnil.fr/en/data-protection-around-the-world


Singapore’s Personal Data Protection Act

Singapore’s Personal Data Protection Act 2012 was assented to by the President, Tony Tan Keng Yam, on November 20, 2012. The act was created to aid in the governance of the collection, use, and disclosure of personal data by organizations as well as to establish a Do Not Call Register. The purpose of the act, while providing governance, also recognizes the rights of individuals to protect their personal data and the need of organizations to collect, use, or disclose personal data for appropriate purposes. The act is administered by the Personal Data Protection Commission, which also promotes awareness across the country for data protection, serves as an advisor, and represents the government internationally on data protection matters. Section 26 of Part VI of the Personal Data Protection Act states that organizations shall not transfer any personal data to a country or territory outside Singapore unless the commission allows an exemption.

Map taken from https://www.cnil.fr/en/data-protection-around-the-world


Enforce Compliance for Data Sovereignty

Regulation (example) – Description – Controls

Australia Privacy Act, Principle 8 – Cross-border disclosure of personal information
• Sign-offs by legal and compliance during the design phase of any new project that requires the processing of personal data

Singapore PDPA, Second Schedule – Conditions for consent: collection, processing, keeping, use, and disclosure of personal data
• Obtain informed consent of data subjects

HIPAA Privacy Rule’s de-identification standard – Processing which does not require identification
• Data masking