richard hogg & dennis waldron - #infogov17 - cognitive unified governance & privacy for gdpr
TRANSCRIPT
Dennis Waldron
Richard Hogg , CITP ERMp
Are you Ready?
May 25, 2018
GDPR – What is it?
4% or €20M potential penalty per incident; global impact
5 Key General Data Protection Regulation Obligations
• Rights of EU Data Subjects
• Security of Personal Data
• Consent
• Accountability of Compliance
• Data Protection by Design and by Default
Concern: Toxicity potential in unstructured data.
Need: An approach to identify, tag and delete toxic data.
Solution: Storage management tool that allows metadata tagging.
Result: 53% of data identified as dormant for > 5 years, with a big portion possibly toxic.
Next steps: Work with data owners to choose to delete or otherwise address flagged data.
53% of unstructured data flagged
“any information relating to an identified or identifiable natural person” (Art. 2(a))
Direct identifier – E.g. name, passport number, phone number
Indirect identifier – E.g. IBM Global GDPR Evangelist
Personal Data?
*2016 survey of NA Financial Services
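The case study and the personal-data definition above describe a procedure: inventory unstructured data, tag what is dormant, detect direct identifiers, and hand the overlap to data owners. The following Python is an added example written for this page, not code from the talk or from IBM; it runs over a constructed file inventory (paths, dates and contents are invented), uses a few hypothetical regular-expression rules for direct identifiers (email, phone, passport-style number), and applies the deck's five-year dormancy threshold. It deliberately tags records where no pattern fires as "pattern-negative" rather than clean, because an indirect identifier like the job title on the slide cannot be found by pattern matching.

```python
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Reference date for the dormancy check (the deck's own date); constructed for the example.
TODAY = date(2018, 5, 25)
# The case study flagged data untouched for more than 5 years.
DORMANT_AFTER = timedelta(days=5 * 365)

# Hypothetical regex rules for *direct* identifiers (the pattern-matchable kind).
DIRECT_IDENTIFIER_RULES = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\+?\d[\d\s-]{8,}\d"),
    "passport_like": re.compile(r"\b[A-Z]{1,2}\d{6,9}\b"),
}


@dataclass
class FileRecord:
    """One file on the share: its path, last access date and already-extracted text."""
    path: str
    last_accessed: date
    content: str
    tags: list = field(default_factory=list)


# Constructed sample inventory; none of these paths, people or numbers are real.
SAMPLE_RECORDS = [
    FileRecord("/share/hr/2011/onboarding.txt", date(2012, 3, 1),
               "Contact Jane at jane.doe@example.com or +44 20 7946 0000"),
    FileRecord("/share/finance/q1-report.txt", date(2018, 4, 10),
               "Revenue grew 4% year on year."),
    FileRecord("/share/legal/scan-notes.txt", date(2017, 12, 1),
               "Passport AB1234567 verified against the application."),
    FileRecord("/share/archive/2009/memo.txt", date(2009, 6, 30),
               "Speaker: the IBM Global GDPR Evangelist will present."),
]


def find_direct_identifiers(text: str) -> dict:
    """Return {rule_name: [matches]} for every rule that fires on the text."""
    hits = {}
    for name, pattern in DIRECT_IDENTIFIER_RULES.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


def is_dormant(record: FileRecord, today: date = TODAY) -> bool:
    """Dormant means not accessed within the last DORMANT_AFTER period."""
    return today - record.last_accessed > DORMANT_AFTER


def classify(record: FileRecord, today: date = TODAY) -> list:
    """Attach metadata tags the data owner can act on.

    'possibly-toxic'  = dormant AND carries a direct identifier.
    'pattern-negative' = no regex rule fired; this is NOT a clean bill of health,
    because indirect identifiers (a unique job title, for instance) need
    contextual or ML-based review rather than pattern matching.
    """
    tags = []
    if is_dormant(record, today):
        tags.append("dormant")
    if find_direct_identifiers(record.content):
        tags.append("personal-data")
        if "dormant" in tags:
            tags.append("possibly-toxic")
    else:
        tags.append("pattern-negative")
    record.tags = tags
    return tags


def summarize(records, today: date = TODAY) -> dict:
    """Roll the inventory up the way the case-study slide does (share dormant, count toxic)."""
    tagged = [classify(r, today) for r in records]
    dormant = sum("dormant" in t for t in tagged)
    toxic = sum("possibly-toxic" in t for t in tagged)
    unresolved = sum("pattern-negative" in t for t in tagged)
    return {
        "total": len(records),
        "dormant": dormant,
        "dormant_share": dormant / len(records) if records else 0.0,
        "possibly_toxic": toxic,
        "needs_contextual_review": unresolved,
    }


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec.path}: {', '.join(classify(rec))}")
    print(summarize(SAMPLE_RECORDS))
```

The tags are the metadata the case study talks about: a storage tool would write them back as file attributes so owners can filter on "possibly-toxic" first. The "needs_contextual_review" count is the honest remainder that regex cannot settle, which is the point of the later slide that most personal data is not discoverable via patterns.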
GDPR Client Observations
“We understand what needs to be done and we’ll make the necessary incremental changes.”
– A European bank
“Where do we begin, the regulations are so confusing, what solutions does IBM provide?”
– Multinational transportation org
– Multinational logistics org
“We have heard of GDPR, but we are going to take a wait and see approach until an enforcement action.”
– Multinational airline
– Multinational pharma org
The Hare • The Tortoise • The Ostrich
GDPR Takes More Than Just Technology
There are five key areas that need to be addressed
Governance • People & Communication • Processes • Data • Security
IBM’s Overall GDPR Framework: 5 Phases to Readiness (Phase / Activity / Outcome)
Phase: Assess
Activity:
• Conduct GDPR risk & privacy assessments across governance, people, processes, data, security
• Develop GDPR Readiness Roadmap
• Identify & map personal data
Outcome: Assessments and roadmap – identify GDPR impact and plan Technical and Organisational Measures (TOM)
Phase: Design
Activity:
• Design governance, training, communication, and process standards
• Design privacy, data management and security management standards
Outcome: Defined implementation plan – includes Data Protection controls, processes and solutions to be implemented
Phase: Transform
Activity:
• Develop and embed procedures, processes and tools
• Deliver GDPR training
• Develop & embed standards & policies using Privacy by Design, Security by Design
• Detailed Data Discovery
Outcome: Process enhancements completed – TOMs in place: Personal Data discovery, classification and governance in place
Phase: Operate
Activity:
• Execute all relevant business processes
• Monitor security and privacy using TOMs
• Manage Consent & data subject access rights
Outcome: Operational framework in place – begin the new GDPR ready way of working
Phase: Conform
Activity:
• Monitor, assess, audit, report and evaluate adherence to GDPR standards
Outcome: Ongoing monitoring and reporting – monitor TOMs execution; deliver compliance evidence to internal and external stakeholders
Program and Data Governance: goals • policies • rules • compliance • vendor management • terminology • people
Data Lifecycle: identification • classification • masking • archiving
Data Catalog: metadata mgmt. • IT objects • impact analysis
Data Subject Services: enquiry • correction • erasure • portability • notification
Data Protection: privacy program design • risk assessment • access management • identity governance • monitoring & audit • incident response
Orchestration: Processes • Rules • Consent
Personal Data: structured • unstructured • physical info assets • printed documents • …
Data Subjects • Data Privacy Officer • Data Steward
InfoGov Capabilities Needed for GDPR
IBM Commitment to GDPR Readiness Statement
Trust in Data. Data and its protection are becoming increasingly important to individuals and society. Enterprises must earn the public’s trust in their ability to steward information. As IBM’s long history of security and privacy leadership demonstrates, IBM understands that protecting privacy is essential to gaining trust. IBM was one of the first companies to appoint a Chief Privacy Officer, to develop and publish a genetics privacy policy, to be certified under the APEC Cross Border Privacy Rules system, and to sign the EU Data Protection Code of Conduct for Cloud Service Providers. Now, IBM is continuing its long-standing leadership in the area of data privacy by responding proactively to the General Data Protection Regulation (GDPR).
IBM Commits to GDPR Readiness. IBM currently complies with privacy laws around the world. IBM is also preparing to comply with the European Union’s new General Data Protection Regulation (GDPR) which will go into effect in May 2018. IBM has established a global project to prepare for GDPR, both for our internal processes and for our commercial offerings. IBM recognises that our customers will rely on IBM’s offerings and technical assistance to achieve GDPR compliance within their own organisations and IBM is well-positioned to meet this critical need. As part of its GDPR project, IBM is enhancing its ongoing commitment to privacy by design. IBM is working to embed data protection principles even more deeply into its business processes, with the objective that technical and organisational security measures limit, by default, the amount and use of personal data to what is specifically required. This work will also strengthen controls already in place to limit access to personal data, including with respect to mobile applications that rely on sensible default settings to prevent personal data from being inadvertently shared with others. IBM is committed to providing our clients and partners with innovative data privacy, security and governance solutions to assist them on their journey to GDPR compliance. Learn more about IBM's own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.
Most Personal Data not discoverable via Patterns
New IBM GDPR Accelerators
Improved insight with the ability to load contracts for Watson to analyze & consider the key language, clauses or paragraphs driving the need for further analysis or change.
Compare & Comply; IBM Regulatory Compliance Analytics with IBM Watson: digest GDPR and identify Controls & Obligations.
Cognitive Insights
Plug-in: Extensive unstructured personal data discovery rules using both RegEx and Machine Learning.
GDPR Cartridges: Structured personal data discovery & classification. Personal data access & data subject rights audit trails; GDPR reports; GDPR data risk dashboard.
Data Protection
GDPR Supportive Content: taxonomy with predefined terms and data model elements, against each Article.
GDPR Industry Model: GDPR program preparatory guide, GDPR incident simulation, & GDPR-enhanced Privacy module.
Incident Response
Discover and register data sources and the Personal Data they contain. Golden record identification with workflows for all citizen SAR requests.
Subject 360: Access Consent Service available enterprise wide, linking data to usage and specific per-citizen consent.
Purposeful Consent By Design
Security
Regulations & Contracts
Personal Data
Find Personal Data
Unified Catalog
9 Billion records breached since 2013, of which only 4% were encrypted³
$4M average cost of a data breach in 2016²
26% likelihood of an organization having a data breach in the next 24 months¹
“It’s no longer a matter of if, but when …”
Health Insurance Portability and Accountability Act (HIPAA)
European Union General Data Protection Regulation (GDPR)
Payment Card Industry Data Security Standard (PCI-DSS)
1, 2 Source: 2016 Ponemon Cost of Data Breach Study: Global Analysis -- http://www.ibm.com/security/data-breach/ 3 Source: Breach Level Index -- http://breachlevelindex.com/
Data protection and compliance are business imperatives
Over 100 days on average to discover the breach
What does information governance mean and why is it critical
Information Governance is the process by which an organization will behave or act to ensure the appropriate execution of its mandate, and typically, protect and maximize the benefits inherent in its data assets
83% of organizations suffer problems caused by poor master data, with the top three problems being inaccurate reporting (81%), arguments over which data is appropriate (78%), and bad decisions based on incorrect definitions (54%)
$3 Trillion is the total annual impact of poor data quality
Information Governance Organization ensures sustainable business value of data over time. Standalone cleanups, no matter how heroic, have diminished values over time.
A Strong DG Function Is Essential To Delivering Reliable And Usable Business Information
35% of customer information in enterprise systems may be inaccurate, and up to 30% duplicated due to lack of proper data governance policies and procedures
Source: IBM Institute for Business Value 2015 Analytics research survey. Administered by the Economist Intelligence Unit.
© 2015 IBM Institute for Business Value. www.ibm.biz/2015analytics
With Data Governance (Process • People • Policies • Tools): • Uniform communications • Common understanding • Rapid cross business implementation • Single definition • Quality data • Cross business data usage • Efficient investments
Without Data Governance: • Complex • Silo driven • Slow to market • Inconsistent definition • Poor data accuracy • LOB focused data • Re-solve problems for each LOB
30-40% of the IT budget is allocated to execution of data transformation programs within IT led Financial Services companies
GSIBs will increase spend on new data and analytics initiatives by 10% in 2017
§ How to easily find relevant information ~ books, authors?
§ How to go about archiving important content – Micro Film?
§ How to go about Life Cycle Management of books?
§ How to restrict access to important content (Policy Mgmt.)?
Catalog • Archive • Dispose • Access
Library Analogy
GOVERNANCE FOR COMPLIANCE
Discover, classify and manage information in ways that meet the obligations enforced by both regulatory and corporate mandates
Regulations (e.g. GDPR) Privacy & Protection
eDiscovery Records & Retention
Archiving Audit Readiness
GOVERNANCE FOR INSIGHTS
Provide safe access to trusted, high quality, fit-for-purpose data while facilitating effective collaboration among team members
Self-Service Access to Data & Analytics
Governed Enterprise Information Repositories (such as Data Lakes)
Use Cases Driving a Unified Governance Strategy
High Quality, Timely information for All
Empowered Data Scientists Uncovering Unique Insights
Empowered Organization
Better Business Outcomes
• Leverage the value of your data unlocking insight driving competitive advantage every single time you access data.
• Capitalize on the data and derive revenue based on solid information governance foundation making data simplified and actionable.
Make Data Make Money
GOVERNANCE FOR COMPLIANCE
Helps ensure data privacy and facilitate compliance with regulations such as the GDPR
50% faster creation of test datasets helps to accelerate development cycles
Cuts storage costs by significantly reducing the size of test datasets
View case study: Link
Eases compliance with data-retention regulations
94.2% reduction in amount of data unnecessarily stored cuts costs and risk
Takes the headache out of audits by providing a clear track record and reporting
View case study: Link
GOVERNANCE FOR INSIGHTS
Enables a smoother user experience for shoppers across channels and brands
10 times faster response times for the 1-800-Flowers.com mobile app
Improves the quality of customer data and enables deeper insight
View case study: Link
Empowers IT and business users to collaborate in establishing and using common terminology
Supports business intelligence and confident decision-making
Accelerates analytics for faster insight
View video: Link
What our customers are saying
Strategic vision for metadata to support regulatory issues
• NT Metadata Registry • Benefits • Approach • Timeline
• Metadata Strategy • Data Models, Standards, & Policies • NT ISO Initiative
EXECUTIVE SUMMARY
NT METADATA REGISTRY BENEFITS
What’s in it for me?
• Increased understanding of NT’s data.
• Create a searchable catalog of Northern Trust’s data assets.
• Provide transparency into the location, definition and usage of NT’s data assets.
• Promote the standardization of NT’s data designs, shared definition and asset reuse.
Why do we care?
• Increase collaboration.
• Expose data lineage through all layers (e.g. CCAR, EDP, AML)
• Reduce project delivery time and scope creep.
• Reduce Risk
• Reduce Development Time
What I need your help on?
• Granting connections to system catalog(s) and to reverse engineer physical schema for IIS lineage
• We are not looking at the transactional data
• SME help for SOR, BPM, inflow and outflows
High Level Design
NT METADATA REGISTRY - APPROACH
NT METADATA FOUNDATION & STRATEGY
NT METADATA REGISTRY
Metadata Registry: Central location in an organization where metadata definitions are stored.
Metadata Management: End to end process and governance framework for the creation, controlling, enhancing, attributing, defining and management of structured and unstructured data.
Design Metadata: Information about the structure, description, relationship and administration of assets.
Operational Metadata: Point of view metadata on runtime variables, statistical processes, matrix operations that explain how data was created and/or transformed.
METADATA LIFECYCLE
DATA MODELS, STANDARDS, & POLICIES Rolled out in Q1- 2017
NT ISO Model Management Process: The process for creating, maintaining, and publishing a complete and consistent “single version of the truth” for the NT ISO data model
Standards & Policies Library: A repository for data policies and standards across all pillars of enterprise data services
Enterprise Data Services VISA: An EPMO vehicle to govern and provide clear requirements to project teams to achieve data standards and existing processes
• Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.
• The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
• Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
None of the statements contained herein constitutes legal advice – it is process advice only.
Disclaimer
Appendix
WHAT IS ENTERPRISE DATA ARCHITECTURE AND WHAT IS THE VALUE?
What it is: The purpose of Enterprise Data Architecture is to define data tools strategy, modeling standards, and conceptual/logical models for Northern Trust enterprise data. The processes and practices that leverage information assets, rules, policies, standards, models, and tools to support metadata management and information architecture, for successful integration and with enterprise programs.
The value:
✓ Utilizes enterprise tools that support trusted, relevant, and governed information
✓ Enables Northern Trust to meet or exceed client and regulator expectations and obligations through data lineage visualization from source to consumption
✓ Reuses architectural design patterns and utilizes a centralized metadata repository and information governance catalogue to reduce development time
✓ Provides standard information models that enhance messaging formats and drive down risk
✓ Builds a culture within the organization to treat data as a Northern Trust asset
✓ Capitalizes on current design patterns to speed development and data consumption
DATA TOOLS REFERENCE ARCHITECTURE (diagram; only the box labels are recoverable from the slide)
Operational data sources: Flat Files, Oracle, XML, DB2, MS SQL, NoSQL, Hadoop, Hive, Composite, Sybase, Messages, NTRS Application (SQL, TSQL, BTEQ, JCL; load utilities, stored procedures, functions)
Client tier: Web Clients, Desktop Clients
Engine tier: DataStage, QualityStage, Information Analyzer, Information Services Director, Metadata Workbench; Connectors, Packs, Service Agents
Services tier: QualityStage Services, Information Analyzer Services, Information Services Director Services, DataStage Services, Workbench Services, Connector Access Services, Common Services, Metadata Exchange, Metadata Services
Data Management / Design: ER/Studio Data Architect, Rational Architect, Blueprint, Blueworks, Iteraplan
Repository tier: IA Repository, Metadata Repository, ER/Studio Repository, Data Architect Repository, RA Repository, Blueprint Repository, Blueworks Repository, Iteraplan Repository
MDM: MDM AE, MDM CE, MDM RDM, each with MDM Services and its own repository (MDM AE Repository, MDM CE Repository, MDM RDM Repository)
DATA TOOLS CONCEPTUAL ARCHITECTURE (diagram; only the box labels are recoverable from the slide; each capability is marked Implemented, Capable, or 2017 Implementation)
Data Modeling: Logical/Physical Modeling Tool, Operational Repository
Data Integration
Data Governance: Data Profiling, Data Rules, Reference Repository, Data Lineage, Business Glossary
Information Modeling: Information Modeling Tool, Operational Repository
Asset Management: Asset Management Tool, Operational Repository
SDLC: Version Control Repository
Discovery: Analysis Repository
Data Management: Semi-Relational, Non-Relational, Relational
Business/Process Modeling: BPM Tool, Operational Repository
BI: Analytics Tool, Operational Repository
Knowledge Center: Thin Clients, Thick Clients
Also shown: ETL/ELT, Data Replication, Data Services, Operational Repository, Virtualization/Federation
Interactions: Publish, Exchange, Store, Browse
Legend: Implemented, Capable, 2017 Implementation