GDPR in Action: translating regulation into a capability based action plan
IBM's approach on GDPR
Bert Vanspauwen
Associate Partner – IBM Security Services
March 16, 2017
2 IBM Security
Purpose and content
• Purpose: Explore approaches on addressing GDPR and provide you with IBM's view
• Content:
  • GDPR: what does it mean?
  • How most organizations start
  • IBM's approach: a capability driven plan
  • A few examples from the field
GDPR: The tale of the elephant…
GDPR stakeholder groups:
• Compliance, Legal and Risk
• Information Technology and Security
• Information Governance
• Business Impact including HR, Marketing, Finance
• Business Principals
IBM's skin in the game
GDPR Assets & Innovation
• Market leading Privacy, Compliance, Security and Data Management solutions aligned to GDPR
• Digital experience expertise, cognitive capabilities for, amongst others, a Citizen Interaction Centre
• Advanced research for anonymization, consent management etc.
GDPR delivery capability
• A comprehensive approach tailored to your needs
• A dedicated GDPR team with consulting and technical expertise from our strong Privacy, Security and Data Analytics practices
• Regulatory expertise through the Promontory acquisition
• Our experience in complex delivery under regulatory scrutiny
Personal to IBM
• One of the world's largest data processors
• Engaged and participating at the highest levels in GDPR compliance in the EU and UK
• Core member of relevant industry bodies responding to GDPR
What our clients are telling us
GDPR is challenging. Clients are particularly worried about:
• Interpretation of the regulation, particularly in the areas of profiling and unstructured personal data
• Implications of "consent", increasing the risk of losing customers
• Increased costs for outsourced data processing due to additional liability cost
There is a wide spread in client preparations for the May 2018 deadline:
• Some started well over a year ago and have 3 year implementation programs
• Many are in an early stage of assessing GDPR impact, most often initiated by compliance and/or legal departments
• Some recognize 'they need to do something'
• A few see no need for action
'Compliance' versus 'business value':
• Insurance companies in particular link GDPR to wider initiatives to enhance customer trust
• Most haven't made their mind up
Ready for GDPR? Questions to Ask Yourself
• Do you collect personal data? Do you collect sensitive personal data?
• Where do you process personal data? Where do you store personal data? Do you move personal data outside the EU?
• Do you deploy privacy by design techniques? Have you set up organizational and technical measures to prevent uncontrolled collection, unauthorized access and retrieval of personal data?
• Do you have a data classification program to produce a copy on record of personal data? Are you able to produce a copy on record of personal data on request?
• Do you have a response process to address requests by individuals? Are you able to provide evidence that you deleted personal data as requested?
• Do you have a data governance program in place? Have you set up organizational measures (access limitation, processes, governance, collection minimization)?
• Do you have a designated person responsible for privacy in your organization?
• Do you actively monitor external news on data breaches? Do you have a remediation process to address data breaches? Do you have an established ERS (Emergency Response Service)?
How our clients typically start
• Legal
  • Understanding the requirements with a legal team
  • Translation of legal requirements into policies
  • Setting up organizational controls (people and processes)
• Assess capabilities
  • Getting ready
  • Assess and compare current capabilities
• Program setup
  • Legal to business process
  • Data Protection Program
  • Define projects to implement capabilities
• Program execution and implementation
  • Implement Data Protection Program
  • Run Data Protection Program
  • Evaluate and feed back to business and legal
Slide callouts along the way: "GDPR?", "What does it mean for the business?", "Where are we?", "Data Protection goes live!"
Our 'elephant': IBM's GDPR Capability Model
IDENTIFY personal data
• Security Intelligence
• Awareness Gap Analysis
• Identification of Personal Data
PREVENT privacy violations
• Identity & Access Management
• Database Security
• Privacy by Design
• Data Masking & Encryption
MANAGE personal data
• Entitlements Management
• Third-Party Management
• Data Governance
• Information Requests
• Consent
DETECT & RESPOND: data breach handling
• Emergency Response Services
• Monitoring & Detection
• Remediation
• Incident Response
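The "Data Masking & Encryption" capability under PREVENT, illustrated with an added Python example that is not from the deck and not an IBM product: direct identifiers are replaced by keyed tokens (HMAC-SHA256 under a controller-held secret), quasi-identifiers are coarsened, and the re-identification table is returned separately from the export so it can sit under stricter access control. The two record layouts, the field names, the choice of which fields count as direct identifiers and all sample values are constructed for the example.

```python
"""Keyed pseudonymization and masking of constructed records (added example)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed records from two systems (CRM and support desk); all values are made up.
CRM_RECORDS = [
    {"customer_id": "C-1001", "email": "an.example@example.org",
     "birth_date": "1980-04-12", "postcode": "1000", "plan": "gold"},
    {"customer_id": "C-1002", "email": "other@example.net",
     "birth_date": "1992-11-03", "postcode": "9000", "plan": "basic"},
]
SUPPORT_TICKETS = [
    {"ticket": 7, "email": "an.example@example.org", "topic": "billing"},
]

# Fields that identify a person on their own (assumed for this example).
DIRECT_IDENTIFIERS = ("customer_id", "email")


def pseudonymize_value(key: bytes, field: str, value: str) -> str:
    """Replace one identifier by a keyed token (HMAC-SHA256, truncated).

    A plain hash would not be a pseudonym: e-mail addresses and customer ids
    come from a space small enough to enumerate, so the secret key is what
    stops a token being turned back into the value. The key stays with the
    controller and is never shipped with the export. The field name is mixed
    in so that the same value in two different fields yields two tokens.
    """
    mac = hmac.new(key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256)
    return "pseud_" + mac.hexdigest()[:24]


def mask_quasi_identifiers(record: dict) -> dict:
    """Coarsen attributes that could single out a person when combined."""
    out = dict(record)
    if "birth_date" in out:
        out["birth_date"] = out["birth_date"][:4]      # year only
    if "postcode" in out:
        out["postcode"] = out["postcode"][:2] + "xx"   # region prefix only
    return out


def pseudonymize_record(key: bytes, record: dict,
                        lookup: Optional[Dict[str, str]] = None) -> dict:
    """Tokenize the direct identifiers; optionally record token -> original."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            token = pseudonymize_value(key, field, out[field])
            if lookup is not None:
                lookup[token] = out[field]
            out[field] = token
    return out


def build_export(key: bytes, *datasets: List[dict]) -> Tuple[List[List[dict]], Dict[str, str]]:
    """Produce analyst-facing datasets plus the re-identification table.

    The lookup table is returned separately on purpose: it is stored under
    stricter access control than the export, and its existence is what makes
    the export pseudonymous rather than anonymous.
    """
    lookup: Dict[str, str] = {}
    export = [[mask_quasi_identifiers(pseudonymize_record(key, r, lookup)) for r in ds]
              for ds in datasets]
    return export, lookup


def join_on_email_token(crm: List[dict], tickets: List[dict]) -> List[Tuple[int, str]]:
    """Analysts can still join the two systems on the e-mail token."""
    by_token = {r["email"]: r for r in crm}
    return [(t["ticket"], by_token[t["email"]]["plan"])
            for t in tickets if t["email"] in by_token]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: obtained from a key management service
    (crm, tickets), lookup = build_export(key, CRM_RECORDS, SUPPORT_TICKETS)
    print(crm[0])
    print(join_on_email_token(crm, tickets))
```

The same key must be used for every system whose records are to be joined, and rotating it breaks the join unless the export is regenerated; that coupling is the operational cost of pseudonymization as opposed to masking alone.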
Phases: 1. DIAGNOSE (assess); 2. DEFINE (plan); 3. DESIGN; 4. DEVELOP; 5. DELIVER (execute); 6. DEMONSTRATE (report, monitor, audit, evaluate)
Domains: GDPR GOVERNANCE; PEOPLE & COMMUNICATION; PROCESSES; DATA; SECURITY
Activities (numbered as on the slide, where each sits in a phase/domain cell):
1 Conduct Impact Assessment (repeated in every domain column on the slide)
2 Update Data Privacy strategy and governance
3 Update Data Privacy Policy
4 Assess, track and enforce regulations and requirements
5 Assign Data Privacy roles and responsibilities
6 Conduct Data Assessment
7 Update Data Privacy Policy details
8 Manage Third-Party Personal Data usage
9 Train and certify staff
10 Update process rules
11 Update Personal Data Register
12 Embed Privacy-By-Design and Default Principles
13 Design PD monitoring and pseudonymization rules and tools
14 Design PD Life Cycle Management rules, processes and tools
15 Embed DP policies and rules in Security Management
16 Develop and deliver Notices
17 Embed Data Privacy rules into processes
18 Develop Personal Data Management Flows and Interaction
19 Embed Data Privacy rules in Data Management
20 Deliver and monitor Privacy Impact Assessments
21 Manage Consents, Requests and Complaints
22 Manage and monitor Data Privacy Breaches
23 Manage and monitor Personal Data during Life Cycle
24 Manage and monitor Data Privacy security
25 Demonstrate to stakeholders
26 Monitor, audit and evaluate
Supported by a GDPR Activity Checklist
• The IBM GDPR Activity Checklist is a comprehensive view of activities to support GDPR readiness across five domains from diagnostic to implementation
• It serves as a checklist, describing:
  • Purpose and scope
  • Activities
  • Roles
  • Supportive (IBM) Solutions, Assets and Job-Aids
[Roadmap chart, 2016 to 2018, with rows PREVENT, IDENTIFY, DETECT & RESPOND and MANAGE; the workstreams shown are:]
• Kick-Off & Gap Analysis WS
• Project Mobilization & Identification of Personal Data
• Data Classification WS
• Data Discovery
• Set up Data Protection Governance
• Operating Model
• Organization Design
• Process Design
• Communication Plan
• Awareness Training
• Continuous Training & Awareness Program
• Access Rights Mode & Mapping
• SoD & Policy Enforcement
• Develop Privacy Controls
• Deployment of Controls
• Embedding Privacy by Design
• Privacy Impact Assessments
• Third Parties
• Establishing Data Breach Protection & Monitoring
• Incident Response Process Def
• Data Protection Integration in SOC
• Resilient Platform
• SIEM Integration
• SOC 24/7
• Compliance Check
• Testing & Revalidation
• Audit Support
• Continuous Improvement of Compliance Management System
• Evaluate Future Looking Items
• New Trends & Technologies
• Weekly Project Status
• GDPR Enforcement: May 2018
From 'elephant' to action: The IBM 6 phase approach to GDPR Readiness
• Diagnose: Understanding the risk. Will bring insight into the impact of GDPR and a high level plan to meet the requirements.
• Define: Strategy defined. Will define the DP strategy based on a risk assessment and an initial view on what personal data is stored.
• Design: Design for capabilities completed. Will bring a detailed view on DP controls, processes and solutions to be implemented.
• Develop: Process & systems update. Implement processes and solutions.
• Deliver: Transition to BAU. Operationalization of the requirements.
• Demonstrate: Compliance evidence. Evaluate and improve the processes against performance, costs and new / changed GDPR requirements.
The slide groups these phases under the headings READINESS ASSESSMENT, CAPABILITIES and IMPLEMENTATION.
Sample 1: discover and classify personal data
Data Discovery and Information Catalogue Population
• Phase 1: Identify Data Sources (sources)
• Phase 2: Filter based on metadata (filter 1: metadata; reduces the volume to be inspected)
• Phase 3: Manage deep inquiries through full-text and metadata indexing (filter 2: full text)
• Phase 4: Investigate relevant data and compile evidence (relevance, classification)
• Action: take action (move, copy, delete, etc.)
Use a combination of rules and machine learning to identify and classify content. Result: data about your information.
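The four-phase discovery flow above, as an added worked example that is not part of the slide deck and not an IBM product: a rule-based Python pipeline over constructed in-memory sources that enumerates sources, filters on metadata before reading content, scans full text with patterns, and compiles redacted evidence with a class label. The source records, the text-extension list, the size cap, the regular expressions and the class labels are all assumptions for illustration, and only the "rules" half of "rules and machine learning" is shown. The IBAN pattern is followed by the standard mod-97 check so that IBAN-shaped strings that are not valid account numbers do not inflate the findings, and evidence carries redacted samples only, so the discovery report does not itself become a new store of personal data.

```python
"""Rule-based personal data discovery over constructed sources (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Phase 1: data sources. Constructed in-memory records standing in for a
# filesystem walk or a database catalogue; every value here is made up.
SAMPLE_SOURCES = [
    {"path": "hr/payroll_2017.csv", "ext": "csv", "bytes": 2_400, "owner": "hr",
     "text": ("name,email,iban\n"
              "An Example,an.example@example.org,BE71096123456769\n"
              "Other Person,other@example.net,BE71096123456768\n")},
    {"path": "marketing/newsletter.html", "ext": "html", "bytes": 900, "owner": "mkt",
     "text": "<p>Contact us: info@example.com or +32 2 123 45 67</p>"},
    {"path": "build/app.jar", "ext": "jar", "bytes": 9_000_000, "owner": "dev",
     "text": "\x00\x01 binary payload, never scanned"},
    {"path": "docs/architecture.md", "ext": "md", "bytes": 3_000, "owner": "dev",
     "text": "# Overview\nThe order service stores orders in PostgreSQL.\n"},
]

# Phase 2: cheap metadata filters, applied before any content is read.
TEXT_EXTENSIONS = {"csv", "txt", "md", "html", "json", "xml", "log"}
MAX_BYTES = 50_000_000

# Phase 3: the "rules" half of "rules and machine learning" (assumed patterns).
RULES = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+\d{1,3}(?:[ \-]?\d){6,12}"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}
# Constructed class labels for this example; they are not the GDPR categories.
FINANCIAL_RULES = {"iban"}


def iban_checksum_ok(candidate: str) -> bool:
    """ISO 13616 mod-97 check; rejects IBAN-shaped strings that are not IBANs."""
    rearranged = candidate[4:] + candidate[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(digits) % 97 == 1


@dataclass
class Finding:
    path: str
    rule: str
    count: int
    sample: str  # redacted, so the evidence file does not leak what it found


def redact(value: str) -> str:
    return value[:2] + "*" * (len(value) - 2)


def filter_by_metadata(sources: List[dict]) -> List[dict]:
    """Phase 2: drop binaries and oversized objects using metadata only."""
    return [s for s in sources if s["ext"] in TEXT_EXTENSIONS and s["bytes"] <= MAX_BYTES]


def scan_text(source: dict) -> List[Finding]:
    """Phase 3: full-text rule matching, with a validity check on IBAN hits."""
    findings = []
    for name, pattern in RULES.items():
        hits = pattern.findall(source["text"])
        if name == "iban":
            hits = [h for h in hits if iban_checksum_ok(h)]
        if hits:
            findings.append(Finding(source["path"], name, len(hits), redact(hits[0])))
    return findings


def classify(findings: List[Finding]) -> str:
    """Phase 4: derive a class label from the compiled evidence."""
    if not findings:
        return "none"
    if any(f.rule in FINANCIAL_RULES for f in findings):
        return "personal+financial"
    return "personal"


def run_discovery(sources: List[dict]) -> Dict[str, dict]:
    """Run all four phases; the report is the 'data about your information'."""
    report = {}
    for src in filter_by_metadata(sources):
        findings = scan_text(src)
        report[src["path"]] = {"owner": src["owner"], "class": classify(findings),
                               "findings": findings}
    return report


if __name__ == "__main__":
    for path, entry in run_discovery(SAMPLE_SOURCES).items():
        print(path, entry["class"], [(f.rule, f.count, f.sample) for f in entry["findings"]])
```

The report keyed by path is the catalogue entry the slide calls "data about your information"; the "Action" step (move, copy, delete) would consume that report rather than the raw content, which is why the findings record counts and redacted samples instead of the matched values.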
Sample 2: consent management today
• Take it or leave it
• No flexibility
• Rarely read
• Unintelligible to most
Informed consent?? Not really.
Sample 2: consent management tomorrow?
Sample 2: services & data registration for consent management
Starting point: Where are you and where do you want to go?
[Chart: maturity score per capability area on a 0 to 4.5 scale (ticks at 0, 0.5, 1, ..., 4.5). Areas shown: GDPR Governance (three items, labels truncated on the slide); P&C: Roles & responsibilities; P&C: Training and awareness; P&C: Notice Management; Processes: controls (TOM); Processes: Citizen Requests; Processes: Notice Management; Data Classification / Metadata; Data Governance; Data Life Cycle Management; Data Infrastructure; Security: Access & Identity (truncated); Security: Desensitization; Security: Breach Management]
GDPR Maturity Assessment
Do you know:
• How the new GDPR requirements affect your organization?
• Your strategic goals regarding data privacy?
• Your current and required GDPR capabilities ('your GDPR maturity')?
• Other major initiatives impacting GDPR enablement?
• Roles and responsibilities in your organization around data privacy and security?
• Lines of Business and business processes affected?
• Definitions, location and accessibility of personal data?
• Personal data flows within and back and forth to third parties?
• Your internal stakeholders for GDPR readiness?
• Your overall priorities, approach and timing to become GDPR ready?
Further information
Security Services GDPR Leader: Bert Vanspauwen, Associate Partner, +32-499 56 760 2 (Mobile), [email protected]
Security Services GDPR Expert: Christiane Peters, Security Architect, +32-471 60 72 13 (Mobile), [email protected]
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
FOLLOW US ON:
THANK YOU