Understanding my data and getting value from it
Creating Value With GDPR: Practical Steps
20th February 2017
Gregory Campbell, Governance, Regulatory and Legal Consultant, IBM Analytics, gcampbell@uk.ibm.com
Sol Barron, Information Governance Specialist, IBM Analytics, sol.barron@uk.ibm.com
Simon Knezevic, GDPR Lead Distribution Sector, IBM GBS, simon.knezevic@uk.ibm.com
2017 IBM UK & Ireland
Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients' business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. References to GDPR are references to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Understanding My Data: Data Mapping and Data Discovery
Understanding My Data: Data Mapping and Data Discovery. ORGANISATIONAL and TECHNICAL MEASURES
Understanding My Data: Data Mapping and Data Discovery. PROACTIVE vs REACTIVE
Understanding My Data: Data Mapping and Data Discovery. PROACTIVE and REACTIVE
Understanding My Data: Data Mapping and Data Discovery. VALUE
Understanding My Data: Data Mapping and Data Discovery. DATA MAPPING, VALUE, DATA DISCOVERY
Understanding My Data: Data Mapping and Data Discovery. Basic Concepts
DATA MAPPING: Top-down process cataloguing the locations in your organisation where (personal) data and processes exist, together with, e.g., their usage and purposes
Understanding My Data: Data Mapping and Data Discovery. Basic Concepts
DATA DISCOVERY: Bottom-up process, commonly supported by tools, to discover and classify the content of data stores
What is Data Mapping? GDPR Context
DATA MAPPING
- Recital 82 of Regulation (EU) 2016/679
- Article 30 of Regulation (EU) 2016/679
What is Data Mapping? GDPR Context
GDPR Article 30: Records of Processing Activities
[Figure: Article 30 of Regulation (EU) 2016/679. Diagram labels: controller, processor, regulator, SME, written, who, why, what, where, when, way]
What is Data Mapping? The Challenges
- Interpreting, following and actioning Article 30
- Leveraging the application of data mapping beyond Article 30
- Building on existing data mapping activities to align with GDPR
- Continuing obligation, not a one-time process
What is Data Discovery? How does it relate to and help Data Mapping?
- Methodical and/or targeted review of data stores across the information landscape
- Generally a tools-based approach to understand contents, but can involve manual activity
- Discovery and classification of personal data is an implicit and pervasive requirement of the GDPR
Data Mapping and Data Discovery: GDPR outcomes and beyond
- Support demonstration of records of processing activities to regulators
- Enabler towards master data management (single view of the individual) projects
- Foundational steps towards conforming with the wider GDPR and beyond GDPR...
Understand My Data: Protect, govern and know your data; you can't protect and govern what you don't know
- Finding Personal Data within the petabytes of information across an enterprise is a technical and organisational challenge
- The proliferation of unstructured data makes this even harder
- Tools need to be an essential element of your discovery projects
So What Do You Do? PREPARE
StoredIQ: Understanding Unstructured Data
- Fast discovery of unstructured data across the enterprise, scaling from Terabytes to multiple Petabytes
- Where the data is
- What the data is
- How big the data is
- What the data is called
- Who created the data
- Deep knowledge of the data, many layers of attributes
StoredIQ: Deeper Analysis
- Open each text file, index its content:
  - Words, Phrases, Names
  - Patterns: National Insurance numbers, credit cards, IDs, etc.
- Classifies content based on user-definable taxonomy
- Auto-Classification: No coding required, uses Natural Language Processing
- Provides additional overlay/filter analysis capability
Cataloguing and making Data Mapping and Data Discovery results useable
- Results of data mapping and data discovery must be documented. It is necessary to understand:
  - The regulations applying to the data
  - The purpose
  - Type of data
  - Ownership and stewardship
  - Retention rules
- Ease of access, control, maintainability and auditability of this information is necessary to ensure your catalogue remains accurate
- Clipboard and spreadsheet approaches fall short
Atlas for Data Mapping
Helps you improve information economics and reduce risk by enabling defensible disposal of data debris
Primary features include:
- A citation database of relevant legislation, regulation and policy
- An organizational, multi-jurisdictional retention file plan for all information types with cross-reference back to the corresponding citation
- A catalogue of data sources (processes, data repositories, applications, etc.)
- Maps all information types to the data sources which utilize them as well as the business units and individuals who own the information
The who, why, what, where, when and way in which you handle your (personal) data
Understand My Data: Data Mapping and Data Discovery Approach
Phased Implementation Approach

Crawl: Start Small, Start Quickly
- Confirm data mapping and data discovery focus based on business use of personal data and risk-based priority
- Conduct data mapping exercise and maintain an inventory / catalogue manually in spreadsheets or stand-alone tools
- Validation of personal data is conducted by business, system owners and administrators and manually captured

Walk: Expand, Introduce Tooling
- Extend focus of data mapping and discovery beyond initial focus areas
- Utilise centralised tool-based catalogue with audit control and accessibility
- Conduct tool-based data discovery to assess structured and unstructured data sources for potential personal data

Jog: Governance and Integration
- Implement and refine data governance process to incorporate personal data
- Integrate discovery and catalogue tools to ensure discovery to simplified and ongoing maintenance of personal data catalogue

Run: Continuing Accountability
- Full information governance implemented across enterprise to ensure data is controlled and processes in place
- Incorporate master data management for digital personal data enabling control and audit and embed as part of information governance