
Page 1 (slide 1; source: googlex.tuerlinckx.eu/media/81517/nils_gdpr_ibm_security.pdf):

GDPR in Action: translating regulation into a capability based action plan

IBM’S APPROACH ON GDPR

Bert Vanspauwen

Associate Partner – IBM Security Services

[email protected]

March 16, 2017

Page 2 (slide 2):

Purpose and content

• Purpose: Explore approaches to addressing GDPR and provide IBM’s view

• Content:

  • GDPR: what does it mean?

  • How most organizations start

  • IBM’s approach: a capability driven plan

  • A few examples from the field

Page 3 (slide 3):

GDPR: The tale of the elephant…

GDPR Stakeholder Groups:

• Compliance, Legal and Risk

• Information Technology and Security

• Information Governance

• Business Impact including HR, Marketing, Finance

• Business Principals

Page 4 (slide 4):

IBM’s skin in the game

GDPR Assets & Innovation

• Market leading Privacy, Compliance, Security and Data Management solutions aligned to GDPR

• Digital experience expertise and cognitive capabilities for, amongst others, a Citizen Interaction Centre

• Advanced research for anonymization, consent management, etc.

GDPR delivery capability

• A comprehensive approach tailored to your needs

• A dedicated GDPR team with consulting and technical expertise from our strong Privacy, Security and Data Analytics practices

• Regulatory expertise through the Promontory acquisition

• Our experience in complex delivery under regulatory scrutiny

Personal to IBM

• One of the world’s largest data processors

• Engaged and participating at the highest levels in GDPR compliance in the EU and UK

• Core member of relevant industry bodies responding to GDPR

Page 5 (slide 5):

What our clients are telling us

GDPR is challenging. Clients are particularly worried about:

• Interpretation of the regulation, particularly in the areas of profiling and unstructured personal data

• Implications of “consent”, increasing the risk of losing customers

• Increased costs for outsourced data processing due to additional liability cost

There is a wide spread in client preparations for the May 2018 deadline:

• Some started well over a year ago and have 3 year implementation programs

• Many are in an early stage of assessing GDPR impact, most often initiated by compliance and/or legal departments

• Some recognize ‘they need to do something’

• A few see no need for action

‘Compliance’ versus ‘business value’:

• Insurance companies in particular link GDPR to wider initiatives to enhance customer trust

• Most haven’t made their minds up

Page 6 (slide 6):

Ready for GDPR? Questions to Ask Yourself

• Do you collect personal data? Do you collect sensitive personal data? Where do you process personal data? Where do you store personal data? Do you move personal data outside the EU?

• Do you deploy privacy by design techniques? Have you set up organizational and technical measures to prevent uncontrolled collection, unauthorized access and retrieval of personal data?

• Do you have a data classification program? Are you able to produce a copy on record of personal data on request?

• Do you have a response process to address requests by individuals? Are you able to provide evidence that you deleted personal data as requested?

• Do you have a data governance program in place? Have you set up organizational measures (access limitation, processes, governance, collection minimization)?

• Do you have a designated person responsible for privacy in your organization?

• Do you actively monitor external news on data breaches? Do you have a remediation process to address data breaches? Do you have an established ERS (Emergency Response Service)?

Page 7 (slide 7):

How our clients typically start

1. Legal: Understanding the Requirements with a Legal Team

  • Translation of Legal Requirements into Policies

  • Setting up organizational controls (people and processes)

2. Assess Capabilities: Getting Ready

  • Assess and compare current capabilities

3. Program Setup: Legal to Business process

  • Data Protection Program

  • Define projects to implement capabilities

4. Program Execution and Implementation: Implement Data Protection Program

  • Run Data Protection Program

  • Evaluate and feed back to business and legal

Questions raised along the way: “GDPR?”, “Where are we?”, “Data Protection goes live!”, “What does it mean for the business?”

Page 8 (slide 8):

Our ‘elephant’: IBM’s GDPR Capability Model

Four capability areas:

• IDENTIFY personal data

• PREVENT privacy violations

• MANAGE personal data

• DETECT & RESPOND: data breach handling

Capabilities shown in the model:

• Security Intelligence

• Awareness / Gap Analysis

• Identification of Personal Data

• Identity & Access Management

• Database Security

• Privacy by Design

• Data Masking & Encryption

• Emergency Response Services

• Monitoring & Detection

• Remediation

• Incident Response

• Entitlements Management

• Third-Party Management

• Data Governance

• Information Requests

• Consent

Page 9 (slide 9):

GDPR activity matrix: phases by domain

Phases:

1. DIAGNOSE (assess)

2. DEFINE (plan)

3. DESIGN

4. DEVELOP

5. DELIVER (execute)

6. DEMONSTRATE (report, monitor, audit, evaluate)

Domains: GDPR Governance, People & Communication, Processes, Data, Security

Activities, numbered as on the slide (activity 1 is repeated once per domain on the slide):

1 Conduct Impact Assessment

2 Update Data Privacy strategy and governance

3 Update Data Privacy Policy

4 Assess, track and enforce regulations and requirements

5 Assign Data Privacy roles and responsibilities

6 Conduct Data Assessment

7 Update Data Privacy Policy details

8 Manage Third-Party Personal Data usage

9 Train and certify staff

10 Update process rules

11 Update Personal Data Register

12 Embed Privacy-By-Design and Default Principles

13 Design PD monitoring and pseudonymization rules and tools

14 Design PD Life Cycle Management rules, processes and tools

15 Embed DP policies and rules in Security Management

16 Develop and deliver Notices

17 Embed Data Privacy rules into processes

18 Develop Personal Data Management Flows and Interaction

19 Embed Data Privacy rules in Data Management

20 Deliver and monitor Privacy Impact Assessments

21 Manage Consents, Requests and Complaints

22 Manage and monitor Data Privacy Breaches

23 Manage and monitor Personal Data during Life Cycle

24 Manage and monitor Data Privacy security

25 Demonstrate to stakeholders

26 Monitor, audit and evaluate

Supported by a GDPR Activity Checklist

• The IBM GDPR Activity Checklist is a comprehensive view of activities to support GDPR readiness across five domains from diagnostic to implementation

• It serves as a checklist, describing:

  • Purpose and scope

  • Activities

  • Roles

  • Supportive (IBM) Solutions, Assets and Job-Aids

Page 10 (slide 11):

Roadmap chart, 2016 to 2018, with swimlanes IDENTIFY, PREVENT, DETECT & RESPOND and MANAGE, ending at GDPR Enforcement (May 2018). Workstreams shown on the chart:

• Project Mobilization & Identification of Personal Data

• Kick-Off & Gap Analysis WS

• Data Classification WS

• Data Discovery

• Set up Data Protection Governance

• Operating Model

• Organization Design

• Process Design

• Communication Plan

• Awareness Training

• Continuous Training & Awareness Program

• Weekly Project Status

• Embedding Privacy by Design

• Privacy Impact Assessments

• Develop Privacy Controls

• Deployment of Controls

• Access Rights Mode & Mapping

• SoD & Policy Enforcement

• Third Parties

• Establishing Data Breach Protection & Monitoring

• Incident Response Process Def

• Data Protection Integration in SOC

• Resilient Platform

• SIEM Integration

• SOC 24/7

• Compliance Check

• Testing & Revalidation

• Audit Support

• Continuous Improvement of Compliance Management System

• Evaluate Future Looking Items

• New Trends & Technologies

Page 11 (slide 12):

From ‘elephant’ to action: The IBM 6 phase approach to GDPR Readiness

Two overarching stages: Readiness Assessment, followed by Capabilities Implementation.

1. Diagnose (outcome: Understanding the risk): Will bring insight into the impact of GDPR and a high level plan to meet the requirements

2. Define (outcome: Strategy defined): Will define the DP strategy based on a risk assessment and an initial view on what personal data is stored

3. Design (outcome: Design for Capabilities Completed): Will bring a detailed view on DP controls, processes and solutions to be implemented

4. Develop (outcome: Process & systems update): Implement processes and solutions

5. Deliver (outcome: Transition to BAU): Operationalization of the requirements

6. Demonstrate (outcome: Compliance evidence): Evaluate and improve the processes against performance, costs and new / changed GDPR requirements

Page 12 (slide 13):

Sample 1: discover and classify personal data

Page 13 (slide 14):

Sample 1: discover and classify personal data

Data Discovery and Information Catalogue Population

A funnel from high volume to high relevance, producing data about your information:

• Phase 1: Identify Data Sources (Sources)

• Phase 2: Filter based on metadata (Filter 1: Metadata)

• Phase 3: Manage deep inquiries through full-text and metadata indexing (Filter 2: Full Text)

• Phase 4: Investigate relevant data and compile evidence (Classification)

• Action: Take action (move, copy, delete, etc.)

Use a combination of rules and machine learning to identify and classify content.
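The four-phase funnel above, as an added example that is not code from the deck and not IBM’s discovery tooling: a Python script that runs a constructed in-memory file inventory through source identification, a cheap metadata filter, a rule-based full-text scan and an evidence catalogue. The inventory, the regular-expression rules, their weights, the size cap and the text-extension list are all assumptions made for illustration; the rules stand in for the “rules and machine learning” step, and evidence is stored redacted so the catalogue itself does not become another copy of the personal data.

```python
"""Phased personal-data discovery over an in-memory corpus (added example)."""
import re
from dataclasses import dataclass, field

# Constructed inventory: four "files" with metadata and content. Not real data.
SAMPLE_SOURCES = [
    {"path": "hr/payroll_2016.csv", "ext": "csv", "size": 4096, "owner": "hr",
     "text": "name,email,iban\nAnn Lee,ann.lee@example.org,DE89370400440532013000\n"},
    {"path": "marketing/newsletter.html", "ext": "html", "size": 2048, "owner": "mkt",
     "text": "<p>Contact us: info@example.org</p>"},
    {"path": "build/app.bin", "ext": "bin", "size": 9_000_000, "owner": "ci",
     "text": "\x00\x01\x02"},
    {"path": "it/tickets.log", "ext": "log", "size": 512, "owner": "it",
     "text": "2017-03-16 user +32 499 000 000 called about health record HR-42\n"},
]

# Constructed detection rules: name -> (pattern, relevance weight, category).
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IBAN = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
PHONE = re.compile(r"\+\d{1,3}(?:[ -]?\d){8,12}")
SENSITIVE = re.compile(r"\b(health|medical|diagnosis)\b", re.IGNORECASE)
RULES = {
    "email": (EMAIL, 1, "personal"),
    "phone": (PHONE, 2, "personal"),
    "iban": (IBAN, 3, "personal"),
    "health_term": (SENSITIVE, 5, "sensitive"),
}
# Assumed metadata policy: only text-like formats under a size cap get a full-text scan.
TEXT_EXTENSIONS = {"csv", "txt", "log", "html", "json", "xml"}


@dataclass
class Evidence:
    """One catalogue entry: where personal data was found and how relevant it is."""
    path: str
    owner: str
    classification: str   # "personal" or "sensitive"
    relevance: int         # weighted hit score, higher means investigate first
    hits: dict = field(default_factory=dict)      # rule name -> match count
    samples: list = field(default_factory=list)   # redacted first match per rule


def identify_sources(inventory):
    """Phase 1: every inventory entry is a candidate source."""
    return list(inventory)


def filter_metadata(sources, max_size=1_000_000):
    """Phase 2: drop sources on metadata alone, before reading any content."""
    return [s for s in sources if s["ext"] in TEXT_EXTENSIONS and s["size"] <= max_size]


def redact(value):
    """Keep only a two-character prefix so evidence does not replicate the data."""
    return value[:2] + "***"


def full_text_scan(source):
    """Phase 3: apply every rule to the content; keep counts and redacted samples."""
    hits, samples = {}, []
    for name, (pattern, _weight, _category) in RULES.items():
        matches = pattern.findall(source["text"])
        if matches:
            hits[name] = len(matches)
            samples.append(f"{name}: {redact(matches[0])}")
    return hits, samples


def classify(hits):
    """Phase 4: derive a classification and a relevance score from the hits."""
    if not hits:
        return "none", 0
    score = sum(RULES[name][1] * count for name, count in hits.items())
    sensitive = any(RULES[name][2] == "sensitive" for name in hits)
    return ("sensitive" if sensitive else "personal"), score


def discover(inventory, max_size=1_000_000):
    """Run all four phases and return the catalogue, most relevant source first."""
    catalogue = []
    for src in filter_metadata(identify_sources(inventory), max_size):
        hits, samples = full_text_scan(src)
        classification, score = classify(hits)
        if classification != "none":
            catalogue.append(Evidence(src["path"], src["owner"], classification,
                                      score, hits, samples))
    return sorted(catalogue, key=lambda e: e.relevance, reverse=True)


if __name__ == "__main__":
    for entry in discover(SAMPLE_SOURCES):
        print(entry.path, entry.classification, entry.relevance, entry.hits, entry.samples)
```

The binary build artefact never reaches the scanner because phase 2 rejects it on extension and size; the ticket log outranks the payroll export because a sensitive-category term carries more weight than any single identifier, which is the ordering an investigator wants when deciding what to look at first.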

Page 14 (slide 15):

Sample 2: consent management today

• Take it or leave it

• No flexibility

• Rarely read

• Unintelligible to most

Informed Consent?? Not Really

Page 15 (slide 16):

Sample 2: consent management tomorrow?

Page 16 (slide 17):

Sample 2: services & data registration for consent management

IBM CONFIDENTIAL

Page 17 (slide 18):

Starting point: Where are you and where do you want to go?

GDPR Maturity Assessment

Radar chart scored from 0 to 4.5 in steps of 0.5 over the following dimensions:

• GDPR Governance: … (three axes; labels truncated on the slide)

• P&C: Roles & responsibilities

• P&C: Training and awareness

• P&C: Notice Management

• Processes: controls (TOM)

• Processes: Citizen Requests

• Processes: Notice Management

• Data Classification / Metadata

• Data Governance

• Data Life Cycle Management

• Data Infrastructure

• Security: Access & Identity …

• Security: Desensitization

• Security: Breach Management

• Do you know:

  • How the new GDPR requirements affect your organization?

  • Your strategic goals regarding data privacy?

  • Your current and required GDPR capabilities (‘your GDPR maturity’)?

  • Other major initiatives impacting GDPR enablement?

  • Roles and responsibilities in your organization around data privacy and security?

  • Lines of Business and business processes affected?

  • Definitions, location and accessibility of personal data?

  • Personal data flows within and back and forth to third parties?

  • Your internal stakeholders for GDPR readiness?

  • Your overall priorities, approach and timing to become GDPR ready?

Page 18 (slide 19):

Page 19 (slide 20):

Further information

Security Services GDPR Leader: Bert Vanspauwen, Associate Partner, +32-499 56 760 2 (Mobile), [email protected]

Security Services GDPR Expert: Christiane Peters, Security Architect, +32-471 60 72 13 (Mobile), [email protected]

Page 20:

FOLLOW US ON:

ibm.com/security

securityintelligence.com

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

THANK YOU

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.